Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw Found That Allows Control of iPhone

Posted by Zonk on from the there's-always-a-catch dept.

i_like_spam writes "The NYTimes is running a story about an iPhone flaw that has been found and documented by researchers from Independent Security Evaluators. Attackers were able to gain full control of the iPhone either through WiFi or by visiting a website with malicious code. The exploit will be demonstrated at BlackHat on Aug. 2nd at 4:45pm. Until then, 'details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at www.exploitingiphone.com, which the researchers said would be unveiled today.'"

43 of 176 comments (clear)

  1. Excellent! by TheRaven64 · · Score: 5, Funny
    Now users of the iPhone can control their own device!

    Of course, the down side is that so can everyone else...

    --
    I am TheRaven on Soylent News
    1. Re:Excellent! by thedeadswiss · · Score: 5, Funny

      Perhaps they should rename it yourPhone.

    2. Re:Excellent! by Don_dumb · · Score: 5, Funny

      I prefer the iPwn.

      --
      If this were really happening, what would you think?
    3. Re:Excellent! by kai.chan · · Score: 4, Funny

      Or better yet: iPhwn.

    4. Re:Excellent! by Zackbass · · Score: 3, Funny

      It has finally happened! The time has come to plug this old graphic:

      http://donkeykong.mit.edu/wiki/images/0/09/Ipwned. png (NSFW for poorly drawn penis)

      --
      You gotta find first gear in your giant robot car
    5. Re:Excellent! by Firehawke · · Score: 2, Informative

      That's how they broke the PSP's protection, by finding holes in already signed code.

    6. Re:Excellent! by mr_matticus · · Score: 3, Insightful

      "Large userbase" of approximately one or two million iPhones? In a market with hundreds of millions of handsets (billions if you count the whole world)? Two million iPhones compared to 30 million Macs in the US? Compared to tens of millions of Unix machines?

      Userbase isn't what makes a target "big." It's potential media exposure. The iPhone hype makes it a key target. The closed nature of the iPhone means lots of talented people are trying to break in. The iPhone, moreover, probably isn't as secure as a desktop computer. It's not designed to be open and from what I understand about this particular hack, it builds on previous "doors" which can easily be closed. It's not surprising that once you've gained access to a device, you'll be able to manipulate it (particularly when they're all configured with the same username and password).

      There's plenty of media attention given to every half-assed attempt to break OS X. So far, nothing worth losing sleep over. You don't think that the media attention for OS X would be worth the payoff? Linux might have some protection because it's somewhat obscure and not mainstream--but while it might not show up on CNN, people here certainly would take note, and so would large corporations using Linux servers.

  2. Rut roh... by EveryNickIsTaken · · Score: 5, Funny

    Sounds like someone's going to be getting Apple Fanboy death threats tonight....

    1. Re:Rut roh... by Ash+Vince · · Score: 2, Funny

      Nah, it is the illegitimate love child of Henry Rollins and J K Rowling

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    2. Re:Rut roh... by Odin's+Raven · · Score: 5, Funny

      Sounds like someone's going to be getting Apple Fanboy death threats tonight....

      I can see the commercials now...

      Mac and PC walk in from opposite sides of the screen. Mac is dressed as a ninja - custom-tailored silks, authentic-looking swords, the works. PC wears his typical clothes, but in a disheveled fashion reminiscent of Michael Douglas in "Falling Down", complete with briefcase in one hand and machine gun in the other. (Although it's painfully obvious that PC's "gun" is a cheesy plastic model acquired from the local toy store.)

      • Mac: Hi, I'm a Mac Fanboy death threat.
      • PC: And I'm a PC Fanboy death threat.
      • Mac: The other day someone claimed an Apple product was less than perfect.
      • PC: Every day people say I'm no good. Every...damn...day.
      • Mac: I hear ya, PC. In my case, I've assembled a multimedia production based around video clips taken while discretely stalking the person responsible, as text seamlessly scrolls past detailing the inherent superiority of the product in question and Mozart's "Dies Irae" from his "Requiem in D minor" plays in the background. (Pulls out iPhone and shows to PC - we catch glimpses of the movie and hear a snippet of music.)
      • PC: I have a powerpoint slide I send the offending party. (Opens briefcase and pulls out a tattered piece of paper, hands to Mac).
      • Mac: (Reading paper) Hmmmm, "U r a lozer and yu is teh suckz. Im gona hurtz u 4 ur makking fun of me. Micrsfort rulez!" Yes, that should certainly make an impression. Nice use of the WingDings font for the dagger.
      • PC: Thank you. Some people think I'm limited to boring text, but I do have access to some pretty snazzy graphics.
      • Mac: Yes, I've never seen anything quite like it. Oh well, I'm off to infiltrate the home of the person who offended me, silently scaling the outside wall, entering through an open skylight, and performing a triple-backflip as I drop to the floor, where I'll leave my threat nestled in a bouquet of lotus flowers.
      • PC: (Rolls eyes, clearly unimpressed.) Whatever. I'm going to catch the midtown bus, and nail my threat to the person's front door. And if they give me any lip, I've got this!
      • (PC brandishes toy gun, pulls trigger. Gun plays a few seconds of 80s-era laser sounds, which trail off as the batteries die.)
      • PC: Darn, why does this always happen? Now I've got to get a new weapon.
      • Mac: Do you want to call a few places, see what's in stock? (Offers iPhone to PC)
      • PC: Thanks, I ... (starts to reach for iPhone, changes mind.) Ummm, no, actually I'm good. Everything's just fine. Okay, gotta go.
      • (PC shuffles dejectedly offscreen. Mac watches PC leave, then does a backflip out of frame.)
      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
  3. The technical paper is the article by nmoog · · Score: 4, Informative

    Have a read of the technical paper from the article - Quite interesting. They used fuzzing to find a heap overflow vulnerability. They go on to talk of "Blackbox Exploitation", which I later realise has nothing to do with the cinematic genre.

    1. Re:The technical paper is the article by iluvcapra · · Score: 4, Interesting

      Most interesting pieces of information from the article:

      Additionally, no address randomization was used in by the operating system.

      the filesystem accessible to iTunes is chroot'ed such that only a small set of the filesystem is visible over this [USB] connection.

      it is possible to modify the iPhone in such a way that the applications will dump core files when they crash. This is accomplished by adding the file /etc/lauchd.conf containing the line limit core unlimited to the iPhone using iPhoneInterface. Core files can be retrieved off the iPhone from the /cores directory, again using iPhoneInterface.

      Under their suggestions:

      Install applications such that they run as an unprivileged user. This would result in a successful attacker only gaining the rights of this unprivileged user.

      I don't see how that'd help on a single-user computer., tho (another of their suggestions) chrooting all the running apps would be a step in the right direction. The researchers are politicians, too:

      This limited access to the filesystem doesn't particu- larly serve a security role from the perspec- tive of a remote attacker. Instead, this serves as an example of design intended to protect the exclusivity of the iPhone to AT&T. If more thought had gone into protecting the applica- tions from remote attack and less on prevent- ing the unlocking of the device, the overall security of the device might have improved.

      Translation: Running iTunes in a chroot jail makes the iPhone insecure, because my unicorn says anything done for the sake of AT&T is insecure.

      --
      Don't blame me, I voted for Baltar.
    2. Re:The technical paper is the article by ThosLives · · Score: 3, Insightful

      *sigh* I hate this argument.

      Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device? It's not a language issue. I'm sure that unqualified folks will figure out how to cause all sorts of new vulnerabilities in "safe" languages. (Hint: there is no such thing as a "safe" language.)

      I guess maybe I'm just in the "old school" camp that thinks that unqualified people shouldn't be allowed to do things. There's a reason why, for instance, amateur carpenters aren't allowed to construct public buildings.

      Maybe we should actually require people to be licensed programmers...while that would weed out some of the problem, though, we all know that professional engineering licenses or whatever don't guarantee competence...

      </rant>

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
    3. Re:The technical paper is the article by SatanicPuppy · · Score: 3, Insightful

      You can't just say, "Only super-leet programmers should be allowed to program C, because we never make mistakes."

      First off, it's not true. Even experienced programmers make mistakes, and I've had issues where the API I was writing to was incomplete, and my implementation and the other guys implementation were just different enough that, in the right circumstance, you could have a problem. That stuff happens. It's always going to happen.

      Second, in my experience, no C programmer ever thinks that they make these mistakes, it's always crappy programmers from somewhere else. At some point, you have to own up to the fact that it's a problem of the language and that, as long as you use the language, you're going to have the problem.

      Now, if we could find something that ran with the performance curve of well programmed and tuned C, but without C's baggage of errors, leaks, and overflows, this would be a no-brainer. Unfortunately, that language does not exist, and hardware hasn't gotten to a level yet to make language performance irrelevant for consumer applications.

      So we have to put up with C's issues. But if a new language is developed, or if processors keep increasing, the day will come when C will join Fortran as one of those languages that really only academics need to know, and it's because of crap like this.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    4. Re:The technical paper is the article by GooberToo · · Score: 2, Insightful

      These failings are generally not a core issue with the programming language. Lazy or inexperienced programmers, lack of budget, and wide spread ignorance seem to lead the way with these types of issues. Then there are the problems caused by arbitrary release dates (get it done, we'll fix it later) and the total indifference of those which make the release decisions. Changing the language, at best, is attempting to hide the root cause.

    5. Re:The technical paper is the article by VGPowerlord · · Score: 2

      Here's a tip: Your rant would be easier to follow if you failed to not use less negatives.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    6. Re:The technical paper is the article by VGPowerlord · · Score: 2, Informative

      For example: "Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device?"

      would be easier to read as
      "Why not just disallow anyone who has a history of programming buffer overflows from ever programming a device?"
      although that changes the meaning slightly.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:The technical paper is the article by Bill_the_Engineer · · Score: 3, Insightful

      Your post highlighted all the dangers of ad-hoc programming.

      Personally, I've seen a lot of "experienced" C programmers but only met a few good C programmers. I don't blame the language, instead I blame the programmer who gives into temptation and think they could just quickly code an application on-the-fly without any planning. A decent analogy would be that while a large number of people are familiar with the english language, only a small percentage of them can write a decent novel.

      I am a C/C++ programmer, and I believe that I am capable of making even the dumbest mistakes when coding (especially during an exceptionally long programming session). This is why I test! I make my unit tests with the intent of making sure my procedures error out correctly, as well as verifying that it works correctly. I put special effort in data objects that are prone to buffer allocation errors.

      I also design the overall program ahead of time, define the interfaces between modules, and go over expected application behavior with the test engineer.

      I go through this because (1) the only true way to make quality software is to put forth the effort to design, test, and maintain the code from the beginning, and (2) I never expect any language to handle errors correctly.

      Number 2 is important, since even if a higher language does handle out-of-bounds conditions, does it handle it in a way that doesn't cause a problem somewhere else in the data chain?

      For (off-the-top of my head) example, if I had a string buffer that automatically grew to 518 bytes to handle an erroneous data entry and it stored it in a database record that only held 512 bytes, does it truncate the data or does it posts a warning. Remember this error wasn't caught by the programmer, so are we to assume that the programmer would check for this error when it came time to place it in the database? Or what if the application simply threw an out-of-bounds exception? If it wasn't tested for this in production, then this means it could happen in the field. In my line of business, it must be caught in production.

      The reason *I* use C and C++ is because I need the speed that comes from not having the language doing all my thinking for me. If *you* think C has issues then maybe *you* need to use another language more appropriate for your requirements and your skill set. BTW, my colleagues would have issues about your Fortran comment too!

      I am not saying C/C++ is the best language for every situation. I am just saying that I use C/C++ because of performance and space requirements. I am also saying that no high level language is a good substitution for good programming practices.

      The issues related to this story require even more effort in testing. We are not trying to catch simple runtime errors, we are trying to prevent someone who has the intent to break the security of a program. This falls outside of the realm of high level languages even with the issue that caused this particular "breach."

      For (another off-the top of my head) example, even the best programs can fall victim to a compromised configuration file. So effort must be made to give an application the minimum amount of security privileges necessary to do its task *and* make sure that the configuration files are not modifiable without higher privileges.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    8. Re:The technical paper is the article by Teckla · · Score: 2, Insightful

      Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device?

      Because that's not realistic.

      It's not a language issue. I'm sure that unqualified folks will figure out how to cause all sorts of new vulnerabilities in "safe" languages.

      If you were to group bugs into two categories, "buffer overflow bugs" and "other bugs", the C programming language makes it possible for developers to code both kinds of bugs. If, by using a safer programming language, you can at least eliminate "buffer overflow bugs", why wouldn't you want to do that?

      (Hint: there is no such thing as a "safe" language.)

      (Hint: I never said there was such a thing as a "safe" language. I said "safer".)

      I guess maybe I'm just in the "old school" camp that thinks that unqualified people shouldn't be allowed to do things. There's a reason why, for instance, amateur carpenters aren't allowed to construct public buildings.

      Yeah, right. That'll happen, right after every little girl on the planet gets her very own pony, and we all slide down rainbows to work, instead of commuting.

      As an experienced C programmer, I'm not just sitting around bashing C for fun. I'm just recognizing the fact that as our world becomes increasingly networked, security becomes increasingly important. If we can use alternative languages that minimize whole categories of severe bugs such as buffer overflows, we need to consider using them.

    9. Re:The technical paper is the article by myowntrueself · · Score: 3, Insightful

      Very methodical and commendable programming practice you have there.

      Now, not trying to be snarky or anything, honestly, but how often do you find that you run out of time on projects? Do you ever find that being so careful in your coding means that you get hounded for being late or behind schedule?

      --
      In the free world the media isn't government run; the government is media run.
  4. Dear Author of Malicious Code by chuckymonkey · · Score: 4, Funny

    As a loyal Mac user and iPhone user I have to kill you.

    Signed,
    Mac Zealot

    My life for Aiur!....errr Steve Jobs!

    --
    "Some books contain the machinery required to create and sustain universes."-Tycho
    1. Re:Dear Author of Malicious Code by elrous0 · · Score: 2, Funny

      [as I dowse myself with gasoline] It's all for you, Steve! IT'S ALL FOR YOU!!!

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  5. Update Deployment by da_matta · · Score: 4, Interesting

    It's interesting to see what the response to this will be and how long it will take to for Apple to to release and deploy a patch. Mobile phones don't typically the "fast background patching"-systems like PC's (mobile data typically costs so you can't keep checking for updates). And everyone remembers from "pre sp2"-XP what it means if it's up to the user to check and deploy patches (e.g. iTunes).

    1. Re:Update Deployment by jrumney · · Score: 5, Informative

      iPhone patches will be delivered automatically through iTunes, the same way iPod ones are. So while you won't get them OTA, it is still better than most cellphones which require you to go out and find patch installers, and in some cases these can only be obtained from official servicing agents, not over the web.

  6. no wonder they don't allow programming the thing by oohshiny · · Score: 3, Insightful

    Systems like Symbian have mobile security built in from the ground up; for example, the system asks before any new application can access phone data or the network (similar to capabilities-based UNIX security).

    Evidently (and, I suppose, not surprisingly), an OS X-based phone lacks these safeguard. I guess that's the real reason Apple has been refusing to permit third party phone apps on the iPhone, even though they don't cause problems on other phones: the iPhone software architecture just doesn't seem designed for it.

  7. The Difference is Responsibility... by iMouse · · Score: 5, Interesting

    Apple iPhone users should be content with the finding of an exploit by responsible security researchers. Unlike InfoSec Sellout (who is likely blowing smoke up his as*), Charles Miller and the rest of the Independent Security Evaluators team should be applauded for their work. They responsibly reported the vulnerability (and a potential fix) to Apple for investigation.

    The Apple community should not in any way, shape or form, harass this group like they harassed InfoSec Sellout. I.S.E. are the good guys and as a 15-year Apple veteran, I give my best to those who are out to help Apple keep security at its tightest on their products and services.

    1. Re:The Difference is Responsibility... by tgatliff · · Score: 2

      Here is a better question... Why didnt then limit the Safari user account that it was running under... Please tell me that they were not running the browser on a root enabled account... Alla M$ Windows style.... (Excluding version 7 of course)

  8. Neat - the interesting thing will be the response by jht · · Score: 4, Interesting

    Now let's see how long until the first iPhone patch comes out, and if any of the other glitches will be fixed at the same time or if it's strictly for security. Obviously Apple's already been working on iPhone patch #1 and is probably just about ready to push it out after a month.

    One functionality change that _should_ come out of this, though - I would turn off the default behavior of scanning for open networks and asking to join them. It wastes battery power, and the pop-ups for new networks are intrusive. In its place I'd put the AirPort icon in the display full-time (instead of just replacing the EDGE "E" when you are on a WiFi network) and allow quick access from there. I think, altogether, iPhone will be a pretty secure device after the initial flushing out of bugs, but this is a little different from traditional devices. iPhone has a classic desktop OS stripped down into a cellphone, whereas mainstream other devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems (or PDA systems) and scaled up.

    (not replacing my iPhone with a Razr anytime soon!)

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  9. Re:Stop waving that damn thing around by riffzifnab · · Score: 5, Funny

    Should we be getting off your lawn now or is it almost time for your nap? d:

  10. Re:Duke University by kannibal_klown · · Score: 2, Funny

    They already admitted that the problem wasn't with the iPhone, but Cisco's routers. I found the whole thing kind of funny.:

    Dan: Our network is flaking out then crashing. We need to find the problem before the Spring semester kicks in and we're really in trouble.
    George: Hmm, the iPhone just came out the other day. I doubt that's a coincidence, it must be a faulty product.
    Dan: Are you sure? I haven't heard about any of these issues on other campuses or companies. I think we should look into this further.
    George: Nah, it's not our problem, it's Apple's. Let them figure it out.

  11. Re:no wonder they don't allow programming the thin by brilwing · · Score: 4, Interesting

    I don't know the newer Symbian versions 8 and 9, but till version 7 there was no security in Symbian at all. Every program could do everything. I have programmed an installation program that opened a GPRS connection, downloaded a SIS file and installed it on the Symbian phone without user interaction!!!
    This was a bit tricky but it worked fine on Nokia Series 60 phones an on Sony Ericsson P800 and P900.

    I don't think that Symbian managed it in version 8 and 9 to build in a ground up security, because the SDK is huge with thousands of classes.

  12. Duke WAS NOT Apple's fault by LKM · · Score: 4, Informative

    Yeah, I can see how you're confused, because all the news outlets reporting about how the iPhone destroyed Duke's network did not bother to report that it was all made-up crap.

    Last week:

    "I don't believe it's a Cisco problem in any way, shape or form."

    This week:

    Cisco worked closely with Duke and Apple to identify the source of this problem, which was caused by a Cisco-based network issue. Cisco has provided a fix that has been applied to Duke's network and there have been no recurrences of the problem since.

    Maybe at least /. could bother to retract the story?

    Nah, who cares, it's just your usualy weekly Apple bashing.

    1. Re:Duke WAS NOT Apple's fault by jeffasselin · · Score: 4, Informative

      You mean like posting an updated story?

      http://hardware.slashdot.org/article.pl?sid=07/07/ 21/1212217

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    2. Re:Duke WAS NOT Apple's fault by LKM · · Score: 2, Interesting

      I stand corrected :-)

    3. Re:Duke WAS NOT Apple's fault by scribblej · · Score: 2, Funny

      Parent is modded "+ Interesting" because it's someone admitting he was wrong on Slashdot... should be modded "+ LastChanceToSee"...

  13. Kind of ugly though by gelfling · · Score: 2, Informative

    Isn't this the same Safari exploit that's been known for a while?

  14. iPhone owner is not surprised by goodmanj · · Score: 4, Informative
    From TFA:

    [Fuzzing] involves sending malformed data to the device in an effort to cause a fault and make it crash. The vulnerability we discovered and exploited was found in MobileSafari using fuzzing. Since MobileSafari crashes every ten minutes or so for me with *well*-formed data, I'm not surprised to hear that this is possible. Apple *seriously* needs to push out a Safari bugfix asap, not just for security, but for usability.
  15. Don't be silly! by hotsauce · · Score: 3, Insightful

    Apple's problem is that it's inherited a lot of bad legacy technologies from NeXT.

    Java did not exist when NeXT chose Objective C as their development language. Objective C was arguably the technically most superior language for applications development. It was (is!) cleaner and more object-oriented than C++.

    C-like languages may increasing have less merit for appsdev today, but they certainly still have their place. You and I know little about the iPhone. It may indeed be the case that running a JVM on it for all apps is a poor choice.

    --
    Lies about crimes
  16. An iPatch? by Anonymous Coward · · Score: 5, Funny

    If Apple releases an iPatch, does that mean they support piracy? Arrrrrr, avast ye LAN-lubbers!

  17. Good job there's no SDK, eh? by metamatic · · Score: 3, Insightful

    It's a good job there's no SDK for the iPhone, otherwise there might be security problems with the device, eh Steve?

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  18. Re:no wonder they don't allow programming the thin by PolarIced · · Score: 5, Funny

    Here are some more examples of Symbian security (apparently their first priority):

    1. The phone randomly locks up and/or turns off - this fools 3v1L hackers.
    2. Won't connect to most Bluetooth devices - keeps hackers out. Very clever!
    3. When syncing contacts, it mixes up all the fields so that an 3l33t hacker won't be able to make sense of them. You won't either, but at least you're safe.
    4. Apparently has a built-in function to slow all operations to a C...R...A...W...L... - this prevents hackers from using high speed automated systems to hack your phone. Ingeneous!

    Signed,
    A proud owner of a Cingular Nokia (Swedish for moose dung) phone.

    PS - Hack my phone. I dare you! Whoops . . . wait a minute. Let me reset it first.

  19. this is backwards by Jeremy_Bee · · Score: 2, Insightful

    ... (iPhone) is a little different from traditional devices. (It) has a classic desktop OS stripped down into a cellphone, whereas mainstream other devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems ... and scaled up. No offense, but this analysis seems quite backwards to me.

    The main differentiating feature of the iPhone software is that it is a brand new GUI designed specifically for a portable communicator. It is specifically and closely tailored to the physical attributes of the device and the applications it contains, and merges the software functionality with the physical functionality into a seamless whole. It's very success is tied to this integration and the fact that it does *not* simulate a desktop environment.

    The main differentiating feature of WinCE/Windows Mobile (and it's most touted feature on release), is that it *was* built as a clone of the Windows Desktop complete with start button and task bar. It failures as a mobile OS are directly proportionate to the degree in which it tries to emulate a Windows desktop. It even forces users to manipulate the tiny screen of the mobile in the same way as they would a desktop, (albeit a very small one), by necessitating the use of a tiny "pick" (stylus) to emulate the mouse on the reduced scale of the mobile desktop.
  20. Re:Full Control? by Richthofen80 · · Score: 2, Informative

    Not unless Verizon can secretly shove a CDMA antenna into your iPhone without you noticing.

    the iPhone , when unlocked, will only ever work with GSM networks (T-Mobile and AT&T). Any changes that move the phone to Verizon would require solder and hot-glue.

    --
    Reason, free market capitalism, and individualism