Slashdot Mirror

← Back to Stories (view on slashdot.org)

The iPhone SMS Hack Explained

Posted by timothy on from the en-percent dept.

GhostX9 writes "Tom's Hardware just interviewed Charlie Miller, the man behind the iPhone remote exploit hack and winner of Pwn2Own 2009. He explains the (now patched) bug in the iPhone which allowed him to remotely exploit the iPhone in detail, explaining how the string concatenation code was flawed. The most surprising thing was that the bug could be traced back to several previous generations of the iPhone OS (he stopped testing at version 2.2). He also talks about the failures of other devices, such as crashing HTC's Touch by sending a SMS with '%n' in the text."

94 comments

  1. Why OSS needs financial backing by BadAnalogyGuy · · Score: 5, Insightful

    Though it hasn't been so directly argued for a while, there is still the belief that OSS is somehow unique and better than closed source software because it engages the lone hacker sitting in his basement writing code in his spare time. What I found interesting was Charlie Miller's take on unpaid effort.

    This SMS stuff is a good example. Between us, Collin and I found one bug in iPhone, Android, and Windows Mobile. Then we stopped testing. We had enough for our talk, what motivation did we have to keep looking? This is really an unpaid hobby for us, so we do the minimum level of work possible to get results good enough for conference presentations.

    Financial incentive is, despite the feeble arguments to the contrary, still the thing that gets code written (and bugs found). Without paying the developers, Linux never would have gotten to the stage it is now. Yes, the source code is open, but it is primarily because there is a team of developers getting paid to write the OS source code that we have such a great system today.

    The hobbyist is still just a user. The real developers do it as their job.

    1. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      I don't have mod points, so here's a +1 insightful in text form.

    2. Re:Why OSS needs financial backing by camcorder · · Score: 4, Insightful

      How is it related with open source at all? A good software need a dedicated coder(s) and in order to motivate them for a long time money is a good tool. What you say is a generic thing, and nobody said since code will be open, people will work for free software like slaves to make applications good enough. Free software concept is much more than good software.

      Your argument is valid for everything, if you need to build something good you need dedication. And this dedication is only possible with a motivation that is what money is used these days. But believe me there are better motivators than money still today.

    3. Re:Why OSS needs financial backing by OzPeter · · Score: 3, Informative

      But believe me there are better motivators than money still today.

      No Money -> No food -> Starve

      Yes there are better motivators than money, but unless your basic needs are met (food, shelter, clothing etc) then all the other motivation in the world won't help you. The only solution in that case is you better hope that the dedication to a cause is more addictive than crack.

      Otherwise eventually there has to be money somewhere

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:Why OSS needs financial backing by oGMo · · Score: 1

      No, "real developers" do as much as they can to meet a deadline. No more... but often quite a bit less. There is no motivation to go "above and beyond" for "professional" work. Why bother? You've met the specs, and you almost certainly don't have the time.

      On the contrary, with free software, the people who use the software make the software. This is not someone tinkering out of some kind of bored interest. These are people who have a need, and work on code until that need is met. They are out there. They do not have minimum requirements. They do not have deadlines. They will not stop, ever, until the code is done.

      Unlike a "professional" who will stop as soon as possible and get the hell out, because there is no reason for any more, and usually reason for less.

      --

      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    5. Re:Why OSS needs financial backing by melanyor · · Score: 1

      Good software can be developped only with good money. Free software run only as a platform, all applied parts can't be free...

      --
      Sincerely yours.
    6. Re:Why OSS needs financial backing by Lord+Bitman · · Score: 3, Insightful

      OSS doesn't mean "nobody gets paid" it means "a product you are free to modify is superior to a product which is locked-down. Modifications which can be freely shared or incorporated back into the upstream are superior to modifications which are constantly repeated"

      With "proprietary" software, the person who does the initial development is often the same as with OSS. But OSS can get those people and whoever else wants to scratch an itch.

      It annoys the crap out of me that I can't, for example, write improvements to the software on my set-top box. People essentially turning away free labor because hardware manufacturers can't decide what it is they're selling.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    7. Re:Why OSS needs financial backing by Stele · · Score: 5, Insightful

      No, "real developers" do as much as they can to meet a deadline. No more... but often quite a bit less. ...
      Unlike a "professional" who will stop as soon as possible and get the hell out, because there is no reason for any more, and usually reason for less.

      Bullshit.

      I don't know what cube farm you met these "real developers" of yours at but in my business "professionals" do what it takes to make the customer happy.

      Having shipped dozens of commercial products in somewhat niche markets I can tell you that if you want to eat you do a great job and keep doing it, working directly with key customers if necessary to craft tools that will help them do their jobs better/faster/easier.

      And being part of a small company means my income is directly based on those of my users, and in this economy it means working my ass off on as many projects as possible to keep the fridge full and shoes on my kids' feet, and each and every one of them has to be near-perfect at V1.0. There is no "fix these known things in a patch after we release."

      I've seen more than my share of open source projects where your "non-real programmers" got tired and stopped at the horribly designed config file, or documentation, or at the "well it works good enough for me" part and people should be *glad* to sift through the code to figure out how it works.

      *Professional* programmers have to go that extra 20% at the end, which usually takes 90% of the time, to make the software into a polished, finished, product, and we have to do it in such a way to minimize idiot user questions, which *will* happen, so we don't waste all our money dealing with tech support. Your open-source guys can just say "read the source" if you don't understand something.

      How's that for generalizations?

    8. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      You obviously are not a developer and never were.......Professional, Open Source or Paid for hire, work until the job is done RIGHT. The problem you are describing has nothing to do with professionalism and more to do with resources. Resources are what dictates a successful projects completion and dependability. If an open source project lacks the proper leadership and resources, it will fail period. If the proper CVS systems arent in place or arent implemented correctly the project will fail. If the open source project does not have enough (qualified) QA testers the project will fail.

      Which, if you think about it, are all the same reasons why a 'Closed Source' project will fail. The difference with Open source, as you put, is that the coders/users/administrators tend to be more interested in the final solution. But that zeal does not make them better at tit out of the box. It takes work, commitment , dedication and resources.

      Lets stop idolizing and martyring open source developers, they are just like the 'professional' developers, (as you put it!). Some of them suck just as much as 'Professional' developers.

    9. Re:Why OSS needs financial backing by Demonantis · · Score: 1

      Open Source Software != Free software. This concept you adamantly describe is not about what you get paid. Its that when you purchase/acquire a program you get the whole program source code and all. This allows you to build on that software or ensure the software is safe from security holes. If the developer wants money then that is his choice and can be enforced, look at redhat. The GNU, for instance, makes specific references to ensure that it is possible.

    10. Re:Why OSS needs financial backing by Stele · · Score: 1

      I may be an arrogant bastard enough to claim that I'm a pretty competent "professional" programmer, yeah.

      But not enough of one to comment any more on what some AC asshole posts.

    11. Re:Why OSS needs financial backing by DJRumpy · · Score: 4, Insightful

      Risking Karma here, but I have to agree. OSS as a rule simply doesn't have the polish that P2P software typically does (yes this is a generalization). It might run better, lighter, smaller footprint, etc, but as a whole product/pkg, it typically just doesn't have that sparkle that lets it compete with P2P.

      Take Gimp for example. It mimics almost everything in Photoshop and it does a great job generally, but there are many things that are just downright glitchy. Things that would never fly in a pay product, but I suspect for OSS, they were categorized as 'good enough' and lowered in priority for other bug fixes. Things like having to sometimes click on a tool 2 or 3 times before it registers or you end up applying the wrong tool. I haven't been using gimp for oh..say more than 2 years give or take, but the problem still exists. Don't get me wrong. I love OSS. Without it I think the quality of P2P software would be poor at best. OSS keeps them on their toes in a way that other P2P software can't. Get it right, or lose out. It doesn't take much to push someone away from a product when you combine cost and poor quality.

      OO.o tends to follow in MS's footsteps (scary thought). Although it might excel in some areas like ODF, it simply plays catch-up for the larger product. I think another part of the problem is we the user. I've caught myself far too many times saying "hey, it's free..why complain?".

    12. Re:Why OSS needs financial backing by TheLink · · Score: 2

      I daresay there aren't as many open source software that are really polished compared to commercial software.

      Most OSS developers are happy enough to get things to the point of "mostly works" or more infamously: "WorksForMe".

      Of course, the extra polishing or effort rarely goes to security, since real security rarely sells, you can get away with just _claiming_ bullshit like "Unbreakable" (like Oracle did).

      But really, with commercial software, you're more likely (though still not common) to have some annoying noncoder that the programmer HAS to listen to, who's standing there and saying, "Nope that's not good enough for the users, it's got to be better than that". Yes, this is not that common, but it's still more likely than for OSS.

      Because with most OSS the programmer doesn't have to listen to mere noncoders or anybody - they can just say - "Not good enough for you? Go fork yourself!". Heck lots of Slashdotters say that sort of thing when people complain about OSS - "Download the source, and fix it yourself".

      --
    13. Re:Why OSS needs financial backing by Sancho · · Score: 1

      It's important to note that a lot of OSS projects start out as ways to fill an unfilled (or poorly filled) gap in functionality. They're often labors of love started by one (maybe two) people with no real project management. There are, of course, high-profile exceptions, but they are indeed the exceptions.

      Furthermore, I suspect that there's very little in the way of usability testing with most OSS. Many users of lower-profile OSS are enthusiasts. They don't mind adapting to the computer. Commercial software manufacturers have learned that to get more people using your products, you need to adapt to those people. Microsoft and Apple take very different approaches in this regard, but ultimately they still try to make their software more accessible and usable. If this is a goal of most OSS projects, it doesn't show. Of course, usability testing takes time and money, and isn't nearly as fun as coding.

    14. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      Sup, republican. Every time one of your foul-mouthed bigots spouts false statements he's going to be countered with full force! Hahahahaha!

    15. Re:Why OSS needs financial backing by AceofSpades19 · · Score: 1

      Take Gimp for example. It mimics almost everything in Photoshop and it does a great job generally, but there are many things that are just downright glitchy. Things that would never fly in a pay product, but I suspect for OSS, they were categorized as 'good enough' and lowered in priority for other bug fixes. Things like having to sometimes click on a tool 2 or 3 times before it registers or you end up applying the wrong tool. I haven't been using gimp for oh..say more than 2 years give or take, but the problem still exists.

      Really? I've been using GIMP for over 2 years and I've never had that problem and I don't really understand how you know the bug still exists when you haven't used it for 2 years

    16. Re:Why OSS needs financial backing by DJRumpy · · Score: 1

      Actually I said I haven't been using it for MORE than two years. Kindly pay attention to what you're reading before you start flaming.

      Just because you may not experience the bug doesn't mean it does not exist. I have seen it on Windows XP, Vista, and Mac 10.5.x across multiple machines on both platforms.

    17. Re:Why OSS needs financial backing by orev · · Score: 1

      It is unique because while one guy might act this way (finding a bug and stopping), there are potentially millions of others still looking for bugs. For commercial software, the few guys who might be looking for bugs will find them, get busy fixing them, then have to move on with adding features or something to keep the commercial product viable.

      .

      So actually, the point that you are implying (commercial software is better than OSS) is pretty far off the mark.

    18. Re:Why OSS needs financial backing by clone53421 · · Score: 1

      You said "I haven't been using GIMP for more than 2 years". That's fairly ambiguous:

      It's been over 2 years since I've used GIMP.
          vs.
      I've been using it for less than 2 years.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    19. Re:Why OSS needs financial backing by AceofSpades19 · · Score: 1

      I just tried Gimp 2.6 on windows XP SP3 and it worked perfectly fine, so I would be hard-pressed to believe that it still exists. If you can find a bug report or something similar that documents that behavior, then that would be different.

    20. Re:Why OSS needs financial backing by Carnildo · · Score: 1

      Just because you may not experience the bug doesn't mean it does not exist. I have seen it on Windows XP, Vista, and Mac 10.5.x across multiple machines on both platforms.

      That's what's causing the bug. The Gimp is designed for a "focus-follows-mouse" environment, so in a "click-to-focus" environment, you need to click twice to select a tool: the first click brings the toolbox to the front, and the second click activates a tool. Three clicks is probably caused by clicking too fast: the first two are interpreted by the OS as a double-click, which brings the toolbox to the front but doesn't select a tool.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    21. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      Because with most OSS the programmer doesn't have to listen to mere noncoders or anybody - they can just say - "Not good enough for you? Go fork yourself!". Heck lots of Slashdotters say that sort of thing when people complain about OSS - "Download the source, and fix it yourself".

      Admittedly, this should be the retort of last resort. OSS should strive to do better. It should deliver a polished interface that just works.

      But... Having the source code means that you can (or you can pay someone) fix problems. Try that with Microsoft, or Adobe, or...

    22. Re:Why OSS needs financial backing by clone53421 · · Score: 1

      Just tested on XP (with GIMP 2.6.0) and this does not happen. The first click activates the tool even when the toolbox was not selected or topmost.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    23. Re:Why OSS needs financial backing by mftb · · Score: 1

      There are plenty of examples of free software that gets money for the devs. RHEL, Ubuntu, Firefox- most big FOSS efforts, in fact.

    24. Re:Why OSS needs financial backing by mattack2 · · Score: 1

      Did you write up a bug with steps about how to reproduce it (even sporadically)?

    25. Re:Why OSS needs financial backing by aaaaaaargh! · · Score: 1

      The problem is not OSS versus closed software, the problem is that inherently unsafe programming languages are still in use and that developers don't know enough or don't care enough about rigid input validation. I guess it's a bit unpopular to say this, but the world would be a better and safer place if the use of C and C++ was prohibited by law and halfway sound languages like Ada, Eiffel, Scheme, or Haskell were used instead.

    26. Re:Why OSS needs financial backing by ratboy666 · · Score: 2, Insightful

      Your take on this is... interesting.

      Charlie and Collin look for these bugs AS A HOBBY. Not as a job. The reward they get is the response from the talk they deliver at the next conference.

      At three bugs (one per platform) they had enough for the conference.

      Why did they find these bugs? Because the "professional" developers and QA people either hadn't found them, or the products (ALL of them) were released with known bugs.

      All this tells me is that vendors are releasing buggy products. And that there are at least two hobbyists who find it interesting to look for the defects. Why do they do that? I don't know; that's their itch to scratch. Why do the vendors not apply more quality? That would be money.

      All of which makes your final comment

      "The hobbyist is still just a user. The real developers do it as their job."

      rather laughable.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    27. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      The discussion on the current poll suggests your kids may be better off without shoes.

    28. Re:Why OSS needs financial backing by TheRaven64 · · Score: 1

      That bug sounds like the issue with click-to-focus window managers like the one in Apple's X11 which don't properly track palettes. On these systems, the first click on the button gives the palette focus, the second click is delivered to the button. This is a bug with the window manager, not the GIMP, and the only place I've seen it in a widely-used window manager is OS X (where the WM is developed by a for-profit company).

      --
      I am TheRaven on Soylent News
    29. Re:Why OSS needs financial backing by sbeckstead · · Score: 1

      I find that death threats still work as a motivator. But they have to be very credible.

      --
      Why bother
    30. Re:Why OSS needs financial backing by sbeckstead · · Score: 1

      Actually I tinker out of some kind of bored interest. My need seemed to be that I wanted something to tinker with when I got bored. I stop whenever I feel like it. I use and make the software. You obviously don't know that much about what motivates OSS programmers.

      --
      Why bother
    31. Re:Why OSS needs financial backing by mjwx · · Score: 2, Insightful

      Financial incentive is, despite the feeble arguments to the contrary, still the thing that gets code written (and bugs found).

      Flaw was found in Windows Mobile, Iphone and Android.

      Android was fixed within days, WinMo shortly after that and the flaw is still present in the Iphone. This is why it's refered to as the "iphone" SMS bug, not just the SMS bug.

      You were saying.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    32. Re:Why OSS needs financial backing by mgblst · · Score: 1

      Photoshop is glitchy as hell. In CS3, when you saved a web image it would wash out the colours due to using the wrong colour profile. This was a joke for such a major program. Fixed in CS4. CS4 crashes on me at least once a week, so much that now I expect it to crash anytime, and keep all my stuff saved.

      I hate photoshop, it has its problems as well.

    33. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      It doesn't matter what's caused the bug, what matters is there's a user interface element that works in a counter-intuitive manner within certain environments.

    34. Re:Why OSS needs financial backing by cripeon · · Score: 1

      Good software can be developped only with good money.
      [Emphasis mine]

      wuh-wait... there's a bad kind of money?! Say it ain't so!

    35. Re:Why OSS needs financial backing by Anonymous Coward · · Score: 0

      This is true. I use GIMP on OS X occasionally. You have to click on the tool palette once to give it focus, than once more to select a tool, then once more on your canvas to select it again, and then you can start using the tool. That's three clicks to do what any other program would do in one. This is exactly the asinine UI behavior that commercial apps can't get away with on OS X, but OSS apps seem to think is perfectly fine. It's also why OSS gets branded as garbage. Most users won't put up with this level of frustration for long before they're dragging GIMP to the trash and pulling out their credit cards to drop $60 on Pixelmator.

    36. Re:Why OSS needs financial backing by mikiN · · Score: 1

      You're forgetting that there are (still) some people and communities out there that do without money just fine. They grow their own food and/or barter for stuff they can't make or do. There's bound to be a few programmers there, too.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  2. Jailbreak by SnakeEater251 · · Score: 5, Interesting

    Makes you wonder how many iPhone owners who have jailbreaked (-broken?) their devices are still vulnerable to this hack. It isn't exactly fun to have to jailbreak every time an update gets released.

    --
    -FB
    1. Re:Jailbreak by TiberiusMonkey · · Score: 1

      I believe there was no need to wait for the update to be jailbroken and it went right on using the normal jailbreak tools.

    2. Re:Jailbreak by celery+stalk · · Score: 1

      This last update wasn't an issue, considering you can update then re-patch using the same software as teh previous version used, using a copy of the previous firmware to pull relevant files. I'm new to the iPhone scene, so have yet to see how bad the update/jailbreak process really feels.

      --
      aaaand...whee!
    3. Re:Jailbreak by Enzo1977 · · Score: 1

      This is strictly my opinion, but jailbreaking the 3.0.x iteration of the firmware on the 2G and 3G has been the easiest to jailbreak yet. A heck of a lot easier than trying to jailbreak firmware from the 1.0.x days.

      --
      I hate all sigs, even this one.
    4. Re:Jailbreak by Anonymous Coward · · Score: 2, Insightful

      Ever since the release of the iPhone, I've been quite astounded at what people think of the jailbreak process. Yes, it's great that people can do stuff with their phone that Apple didn't intend. But... The existence of this means that your phone has a security hole.

      I seem to recall that the original jailbreak technique was a specially-crafted TIFF image that caused remote code execution. So you'd just go to a website in Safari that had the image, and it would essentially root your phone.

      And iPhone users were fine with this! Yeah, my cool iPhone, Apple can do no wrong! When you ask these same people about Apple's security track record, they'll often say it's great. They don't draw the connection between their cool unapproved apps and Apple's laziness and bad engineering.

      Maybe the situation has gotten better since this was the case. But it's a pretty clear example of the junction of fanboyism and technical ignorance.

  3. %n by RMH101 · · Score: 5, Funny

    Take that, HTC-fanboys!

    1. Re:%n by webreaper · · Score: 2, Interesting

      We've tested this with a mate's HTC Touch, and the crash doesn't happen....

    2. Re:%n by dunkelfalke · · Score: 1

      and even when it happens, better a crash than a remote exploit.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    3. Re:%n by Tom9729 · · Score: 4, Informative

      Crashes usually turn into remote exploits.

    4. Re:%n by characterZer0 · · Score: 1

      Only if you categorize DOS attacks as exploits.

      --
      Go green: turn off your refrigerator.
    5. Re:%n by Anonymous Coward · · Score: 0

      Nothing happens at all on my HTC Touch Pro2 :)

    6. Re:%n by Anonymous Coward · · Score: 5, Informative

      No, that's not what he means. If you're causing memory corruption because of unsanitised inputs, it's only a matter of time before a method is discovered to inject something malicious into that memory space.

    7. Re:%n by Anonymous Coward · · Score: 0

      Confirm lack of crash here as well.

    8. Re:%n by tomz16 · · Score: 1

      Just tried this on my CDMA HTC touch with the following string sent from google voice %n \%n "%n" '%n' %n . As claimed in the article it did indeed crash TouchFlo! The phone needed a reboot!

    9. Re:%n by Anonymous Coward · · Score: 0

      Try rebooting it, it's Windows after all.

    10. Re:%n by TheRaven64 · · Score: 2, Insightful
      To quote the OpenBSD team:

      The difference between a bug and a vulnerability is the intelligence of the attacker.

      --
      I am TheRaven on Soylent News
    11. Re:%n by n2rjt · · Score: 1

      Nothing? It should display the received SMS message, after all. Even my lowly HTC Wizard does that much.

    12. Re:%n by cbhacking · · Score: 1

      Out of curiosity, do you know what the bug is? It's pretty obvious - %n is a printf format symbol that says "treat the next parameter as int*, and write the number of characters printed thus far to that location." Because of the way most C libraries work, this will work even if there *is* no next parameter. The next thing on the stack (or in the next argument register, depending on platform and calling convention) might be something highly valuable, like the function's stored return address. Even if it's nothing at all - a NULL, for example - this is still exploitable. Simply put a %d in the SMS before your %n, and you'll skip over that parameter until you get to a juicier one.

      Depending upon the implementation, you can even use this to overwrite a single byte of memory, rather than a full word. SMS has a character limit, but if it's really parsing printf symbols, you can take advantage of that to cause the program to print a fairly arbitrary number of characters - certainly far above the 256 needed to write any value into a memory location. With that kind of control and a little assembly knowledge, you probably write directly into the program's memory space. Exploiting that is trivial.

      Yes, I've done this. Not with SMS and not maliciously, but as a university project where we were given a shellcode and a program that contained a printf where the user could influence the format string. It was the work of maybe 3 hours to override a couple of key bytes in memory and trigger execution of the shellcode. If you want to use printf with a user-supplied string, the format string must always be "%s" and the user-supplied string should be the next parameter. Parsing user input *as* the format string will just get you exploited.

      That said, MS disables the %n format code by default - if you want to use it legitimately in their C compiler, there's an option you need to set.

      --
      There's no place I could be, since I've found Serenity...
    13. Re:%n by cbhacking · · Score: 1

      Try some other printf tokens, like %d or %s. If they're really passing the SMS text to printf as the format string, these should produce interesting output.

      --
      There's no place I could be, since I've found Serenity...
  4. Let me guess...the code was in C, right? by master_p · · Score: 0, Flamebait

    There are numerous problems reported in Slashdot the last few years, and most, if not all of them, are in the C programming language. When some people say "it's time to move on from C, problems from using it have cost billion of dollars so far", some people insist that it's not the language but the programmers that are at fault. I would like to see for how long they would support that view, since the flow of problems coming from C pointers and arrays seems never ending...

    1. Re:Let me guess...the code was in C, right? by lhunath · · Score: 3, Insightful

      Almost as never ending as the flow of programmers that don't bother to learn the intricacies of their language.

      --
      ``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
    2. Re:Let me guess...the code was in C, right? by Shin-LaC · · Score: 4, Informative

      The HTC bug, however, looks like it's caused by improper use of string formatting. That sort of problem can occur with any language, as seen with the host of sites (most of them written in high-level languages) that have had SQL injection vulnerabilities in the past.
      It's true that some languages and constructs are more dangerous than others, but at some level, programmers just have to bear in mind what they're doing and how they're using their data.

    3. Re:Let me guess...the code was in C, right? by Anonymous Coward · · Score: 1, Informative

      and how you would implement a garbage collected language? somewhere between the language and the hardware, there will be some pointer juggling.

      also don't pretend that parsing problems don't happen on managed platform:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333

    4. Re:Let me guess...the code was in C, right? by jmac_the_man · · Score: 2, Interesting

      Look at COBOL. It's essentially a dead language, but look at how much live COBOL code is still out there. There's a hell of a lot more C out there than COBOL. If you wanted to replace all the C code that's out there, it would be many more billions than the total caused by bugs in C. And nobody is going to want to make that investment.

    5. Re:Let me guess...the code was in C, right? by cabjf · · Score: 1

      Look at COBOL. It's essentially a dead language

      COBOL is pretty much anything but dead. There are still new versions of the language being released and still developers being paid to work with legacy systems running it. COBOL may be a language many developers wish was dead, but so long as companies use it, other companies like Micro Focus and IBM will work on new standards and tool sets.

      And when it comes to the grandparent's comments about C, how many other low level languages are there out there that would even be considered as a suitable substitute without any of the same issues? We can't just abstract away from the hardware without that abstraction layer being written in something.

    6. Re:Let me guess...the code was in C, right? by Anonymous Coward · · Score: 1

      Since the flow of problems coming from C pointers and arrays seems never ending...

      Translation: I don't understand these things, so they must be problematic.

      What this really says is how crappy some programmers are. A good programmer knows that he can't pass arbitrary user-generated strings right into printf. And validating user input isn't limited to C.. What about a java app that interfaces with SQL, or a web app that has to generate HTML based on a user form? They would have to have some degree of care about where there strings come from too.

      Maybe the HTC thing has something to do with the fact that HTC is a Taiwanese company. In my experience a lot of these fly-by-night Asian companies don't give a shit about security, they just want to code something up quick that's cool. Could say the same thing about Apple, also, actually -- they don't have the best security track record, and it's probably a result of their priorities.

    7. Re:Let me guess...the code was in C, right? by Bakkster · · Score: 1

      and how you would implement a garbage collected language? somewhere between the language and the hardware, there will be some pointer juggling.

      Exactly. Someone, somewhere will be responsible for preventing this kind of stuff. Of course, with using JAVA or other similar language, you then must trust that the language developers do not have this kind of bug, that you then don't have the ability to patch out.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    8. Re:Let me guess...the code was in C, right? by moon3 · · Score: 1

      Are you the guy who pushes the system drivers be written in Python?

    9. Re:Let me guess...the code was in C, right? by DissociativeBehavior · · Score: 0

      It has nothing to do with C. It's just a stupid bug that could occur with any other language. Mobile phones don't have the paranoid mentality of the PC world. Input checking is less strict in order to reduce code size and optimize performance. Conformance and endurance tests are more important than strange corner-cases imagined by a hacker in his basement.

    10. Re:Let me guess...the code was in C, right? by TheRaven64 · · Score: 1
      Not exactly. This is a problem in some languages, but a trivial one. The problem comes from the way variadic functions work in C. Consider something like:

      printf(unsafe);

      Here unsafe is an unvalidated string. The printf() function is variadic which means that it will use some macros which walk up the stack reading the next n bytes as some variable of a type specified by the callee. There is no validation performed anywhere that this is not just walking into the next function's locals. If unsafe is "%s" then the function will read a word from beyond the call arguments as being a pointer. It will then dereference this and read from there until it encounters a NULL byte.

      Compare this to something like Erlang, Lisp, Haskell, Smalltalk, Java, and so on, which do not support variadic functions in this way. In these languages, the equivalent would be a function that takes a string and an array or list as arguments. The equivalent in Erlang, for example, would be:

      io:format(Unsafe, []).

      If Unsafe contains escape sequences, you get a run-time exception caused by trying to access the first element in an empty list. The same is true of any language which has either bounds-checked arrays or lists as a core data type. In both cases, the correct thing to do is usually something like:

      printf("%s", unsafe);

      Only the C case accesses memory at a random address if you do it wrong though.

      --
      I am TheRaven on Soylent News
    11. Re:Let me guess...the code was in C, right? by TheRaven64 · · Score: 1

      Unless, of course, you use a real computer.

      --
      I am TheRaven on Soylent News
    12. Re:Let me guess...the code was in C, right? by master_p · · Score: 1

      The problem is very few programmers can master C. And the masters can occasionally make an error that may cost millions in the process. Why not move to another programming language that is safer?

    13. Re:Let me guess...the code was in C, right? by cbhacking · · Score: 1

      Yes and no. The way you work around string formatting bugs (aside from not passing a user-supplied string to the format parameter of printf, which is simply a bonehead mistake) is to verify the number of parameters before outputting anything. You can actually do this in C, but most C libraries don't seem to bother - they assume that however many parameters the format string calls for are there, and will happily work their way down the stack until the format string ends or they try to read/write somewhere impossible and get a memory violation. Most higher-level languages do in fact check for this, and will throw an exception if the format string and number of parameters don't match.

      You can also take the MS libc approach, and disable %n (the only extremely dangerous, and coincidentally very rarely used, format token) by default. If you want to use it, there's a compiler option to re-enable it, but by default you're... less unsafe than, for example, glibc.

      --
      There's no place I could be, since I've found Serenity...
  5. more interesting hack hinted at in last paragraph by circletimessquare · · Score: 3, Interesting

    DoS or gain root to a celltower?:

    Alan: What about the claim that a jailbroken iPhone could crash cell phone towers--has anyone ever looked at the security of the software running cell phone towers?

    Charlie: This is complete BS. You can diff a jailbroken kernel with a standard iPhone kernel and there are very few places that are changed. In particular, it doesn't mess with anything that has to do with the communication with the carrier. Even if it did do something crazy, which it doesn't, I would hope that the towers are robust enough to handle it. Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too. I hope the carriers adequately test their equipment. If not, they can always give me a call, I'd be happy to help. In other words, if all it takes for a terrorist to take down cellular communication in this country is have a jailbroken iPhone, we're in trouble.

    As an aside, that was another reason I liked the injection method of testing SMS messages locally. I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!

    "Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too."

    except Charlie just proved this to be false

    "I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!"

    The carrier should be paying you six figures for revealing the hack to them benignly, rather than with malintention

    look, carriers: if there is a hack out there, someone will exploit it one day. your choices are:

    1. have no idea who is doing what until something awful happens to your network and your customers and you need to pay big bucks to fix it, not to mention the financial hit from the hit to your reputation

    2. offer up front a cash reward to anyone who discovers a bug (scaled to severity), and you will paying great rewards and still be paying 1/10th or 1/100th of what you would pay if you found the hack out the hard way

    and instead, people like Charlie are under threat of jail for doing what they do in good faith, to your benefit

    talk about shortsighted

    you catch more flies with honey than with vinegar

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  6. Professionalism in TFA? by OzPeter · · Score: 1, Interesting

    From the end of TFA where they are talking about jail broken phones crashing cell toweres

    Charlie: This is complete BS. You can diff a jailbroken kernel with a standard iPhone kernel and there are very few places that are changed. In particular, it doesn't mess with anything that has to do with the communication with the carrier. Even if it did do something crazy, which it doesn't, I would hope that the towers are robust enough to handle it. Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too. I hope the carriers adequately test their equipment. If not, they can always give me a call, I'd be happy to help. In other words, if all it takes for a terrorist to take down cellular communication in this country is have a jailbroken iPhone, we're in trouble.

    He starts of by asserting that it is BS, but then goes on to invoke an awful lot of belief in unicorns and pixie dust to support his statement. And even applies the same logic to the iPhone, even though the entire FA is all about how the real world isn't so magical.

    It sort of leaves me wondering about the quality of his off-the-cuff statements about things that he hasn't tested (which I suppose is a bit ad-hominem-ish, but it does come across as wishful thinking)

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Professionalism in TFA? by Watson+Ladd · · Score: 1

      It's not pixie dust. It's noting that a group wishing to take down the cell network probably could make a transmitter to do it rather then use a jailbroken cellphone.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  7. Re:more interesting hack hinted at in last paragra by Anonymous Coward · · Score: 0

    you catch more flies with honey than with vinegar

    Depends. Fruit flies love vinegar.

  8. I think he misunderstood Apple's comment by yabos · · Score: 2, Insightful

    I think Charlie and the interviewer(Alan) misunderstood Apple's comments on jailbreaking. The point they were making is that jailbreaking could allow people to crash the cell towers by installing malicious software on the phones, not that jailbreaking itself would cause problems. And technically this could be true depending on how crappy the cell tower software is.

  9. Re:more interesting hack hinted at in last paragra by ChienAndalu · · Score: 3, Interesting

    He didn't prove anything, he was just guessing that sending 500 malformed SMS messages *could* affect the towers negatively and the carriers probably wouldn't like that.

  10. Re:more interesting hack hinted at in last paragra by Anonymous Coward · · Score: 0

    you catch more flies with honey than with vinegar

    No, you don't

  11. Re:more interesting hack hinted at in last paragra by ArcCoyote · · Score: 2, Insightful

    Miller mentions using AT commands to the GSM modem to send all the bogus SMS messages. That's nice. Did you know you could do that with any Motorola phone and a serial cable long before the iPhone was a clever idea in someone's head? You can even buy bare GSM modem modules for control and security systems, telemetry, etc... insert your SIM and go.

    Could you cause cell network mayhem and/or go to jail for what you're able to do with AT commands? Probably. Look at all the phreaky fun you could (can still?) have with the POTS network and a modem. But it has nothing to do with the iPhone or jailbreaking in particular. Jailbreaking is just opening up the iPhone's OS to user code. Once you've done that, you could get into the other parts of the phone, such as the baseband processor. That's where you unlock the phone or... well, I suppose if you were clever enough to load custom firmware into the baseband, you could do really nasty stuff at the RF packet level to the towers. But again, every model of phone has a baseband, and they're all reprogrammable (that's how carriers lock phones in the first place)

  12. No problems with Treo by hesaigo999ca · · Score: 1

    I am uncertain of any problems with the Treo (SMS) does anyone have any insight with the Treo as to what kind of vulnerabilities it might have, I am curious.

  13. Re:more interesting hack hinted at in last paragra by Tony+Hoyle · · Score: 2, Interesting

    Pretty much all USB 3G dongles work like this. They present a USB interface that takes AT commands.. exactly the same ones that Apple are so scared will being down civilisation as we know it.

  14. Re:more interesting hack hinted at in last paragra by Watson+Ladd · · Score: 1

    How much does a cellphone cost? Now ask how much it would take to get an RF transmitter capable of speaking cellphone well enough to hack a tower. Getting access to transmitters is not a major barrier. I want to know why towers are not running heavily validated code given their importance as communications systems.

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  15. Re:more interesting hack hinted at in last paragra by Anarchduke · · Score: 2, Funny

    hmmm....dongle.

    that is a really funny word.

    dongle
    dongle
    dongle
    dongle


    Sorry, going a couple days without sleep makes you kind of screwy. but still...



    Dongle.

    --
    who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
  16. Re:more interesting hack hinted at in last paragra by Anonymous Coward · · Score: 0

    you catch more flies with honey than with vinegar

    That may be true, but you can catch the most with dead squirrels
    -Woody Boyd

  17. Re:more interesting hack hinted at in last paragra by Anonymous Coward · · Score: 0

    This is true, one of the best way to catch them too...small container with apple cider vinegar with a lid on top. Poke a bunch of small holes and they will climb in and get trapped :)

  18. Re:more interesting hack hinted at in last paragra by Anonymous Coward · · Score: 0

    Seeing as this is AT&T it's pretty unlikely that their towers would be affected by 500 bad messages. They were pretty heavily tested by American Idol after all.

  19. Thanks for the idea! by Anonymous Coward · · Score: 0

    Now I'm going to text everyone I know that has a HTC Touch.

  20. His Pwn2Own interview is interesting, too by Anonymous Coward · · Score: 0

    He states that Macs are LESS SECURE than Windows

    1. Re:His Pwn2Own interview is interesting, too by RyuuzakiTetsuya · · Score: 1

      is that you, APK?

      Did you read what was written in that article? Macs do not fully support ASLR, therefore they're less secure, which is a ridiculous statement.

      Besides, Snow Leopard *will* support ASLR.

      --
      Non impediti ratione cogitationus.
    2. Re:His Pwn2Own interview is interesting, too by Anonymous Coward · · Score: 0

      I don't know how a direct comparison between hardware and software security would work.

    3. Re:His Pwn2Own interview is interesting, too by Anonymous Coward · · Score: 0

      ASLR... that would be Age, Sex, Location ... Randiness? Riceboy? Roommate?

  21. Favorite Answer by Fnord666 · · Score: 1

    Alan: Apple and AT&T have claimed that "Jailbreaking" could cause problems with the ECID? Based upon your knowledge of the iPhone, do you believe this to be true?
    Charlie: No, this is AT&T trying to make sure they make as much money as possible. Absolute FUD.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables