New iPhone Attack Kills Apps, Reroutes Web Traffic

← Back to Stories (view on slashdot.org)

New iPhone Attack Kills Apps, Reroutes Web Traffic

Posted by kdawson on Tuesday February 2, 2010 @09:11AM from the dead-cert dept.

Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

125 comments

Heh by Pojut · 2010-02-02 09:12 · Score: 4, Funny

::cue "see, Apple isn't perfect" comments::
See? Apple isn't perfect!

--
Living With a Nerd
1. Re:Heh by Locke2005 · 2010-02-02 09:21 · Score: 2, Insightful
  
  "Not perfect"?!? Blasphemy!!! Burn the Blasphemer!
  
  Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
2. Re:Heh by ijitjuice · 2010-02-02 09:23 · Score: 3, Interesting
  
  If you get apps from the app store how would this get installed? If Im about n about this would just pop up on my screen? I guess Im lost as to how it would get on my phone in the first place?
3. Re:Heh by interkin3tic · 2010-02-02 09:25 · Score: 0, Flamebait
  
  ::cue "see, Apple isn't perfect" comments::
  See? Apple isn't perfect!
  Now cue "It's not a bug / a missing feature / an intentionally and pointlessly broken function / restriction put there by business interests to get you to spend more money for shit you already own, it's a feature" in 3...2...1...
4. Re:Heh by jjoelc · 2010-02-02 09:28 · Score: 5, Funny
  
  Easy, just go to "jailbreaking for dummies dot com" enter you credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. it will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!
5. Re:Heh by kybur · 2010-02-02 09:30 · Score: 5, Informative
  
  Certain settings can be changed on an iPhone just based on links/downloads clicked on from within Safari (on the device). That is how iphone os 3.0.x users could enable tethering without jailbreaking their phones. It was just a settings file that could be downloaded. I believe it was unsigned, but now, apparently it would be easy to make it look like an apple signed file.
6. Re:Heh by sopssa · 2010-02-02 09:47 · Score: 0, Flamebait
  
  But everyone on slashdot always tells that Linux and Mac OSX have no vulnerabilities, that it's only on Windows!
7. Re:Heh by Sechr+Nibw · 2010-02-02 09:50 · Score: 4, Insightful
  
  Easy?
  
  As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer
  You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
8. Re:Heh by Anonymous Coward · 2010-02-02 10:02 · Score: 1, Insightful
  
  "Apple Computer, Inc" is now "Apple, Inc". So obviously any certificate from "Apple Computer" (with or without the "Inc") would be a fake.
9. Re:Heh by Dishevel · 2010-02-02 10:02 · Score: 4, Funny
  
  Oh nos! You have to fool someone? Now it will never work.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
10. Re:Heh by DJRumpy · 2010-02-02 10:15 · Score: 0, Troll
  
  No, they state that they are more secure. I don't think I've ever seen someone claim they are invulnerable. That would be foolish. That said, the issue here seems to be with Verisign issuing a certificate for Apple Computer, not with the phone OS itself. At some point you have to trust your root certificate credentials.
  Why did they hand out a certificate like this?
11. Re:Heh by Anonymous Coward · 2010-02-02 10:22 · Score: 1, Funny
  
  Linux and MacOS are indeed invulnerable.
  See? Now you have.
12. Re:Heh by Oooskar · 2010-02-02 11:04 · Score: 3, Interesting
  
  As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer
  You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
  Actually, as stated in the original blog post liked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make it clear that it isn't a validated organization name it publishes.
13. Re:Heh by AHuxley · 2010-02-02 11:06 · Score: 0, Flamebait
  
  No in the wild easy to find virus for a Mac running OS X at this time.
  As for physical access of self install, have a look at
  http://www.iantivirus.com/threats/
  Nice long list but few are 'I was just surfing the net and ...."
  No chatter in forums, irc, slashdot ect.
  So someone must be keeping Mac hack sites very much as a needs to know or the spooks want people to trust Macs ;)
  
  --
  Domestic spying is now "Benign Information Gathering"
14. Re:Heh by Anonymous Coward · 2010-02-02 11:12 · Score: 0
  
  When I last checked, the iPhone runs neither Linux nor OSX.
15. Re:Heh by nstlgc · 2010-02-02 11:15 · Score: 2, Insightful
  
  If you think this is obvious, you haven't met the horde of users that still believe CNN and Microsoft work together to announce viruses.
  
  --
  I'm Rocco. I'm the +5 Funny man.
16. Re:Heh by Anonymous Coward · 2010-02-02 11:30 · Score: 0
  
  You probably wouldn't even need to make it look like Apple signed it. How many people do you think would tap OK even if it said the file came from "Bubbles O'Rly"?
  Apple supposedly set up a walled garden for apps to prevent people from doing stupid stuff to their phone, and then left in such a simple way to do something stupid to the phone. My reaction to this is somewhere between a sarcastic oops and a complete facepalm.
17. Re:Heh by DarkAxi0m · 2010-02-02 11:34 · Score: 1
  
  Um your link didnt work...
  ive got dads credit card here ready to go..
  !!! I WaNT MY PHoNE TO BE CooLER THaN ALL THE OTHeRS!!! ONE!!! ELEVEN
18. Re:Heh by Sir_Lewk · 2010-02-02 11:42 · Score: 1
  
  You have to fool VeriSign first
  Yeah, that's what we said. Easy.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
19. Re:Heh by xch13fx · 2010-02-02 11:44 · Score: 1
  
  from Wikipedia
  
  iPhone OS (known as OS X or OS X iPhone in its early history) is the operating system for the iPhone, iPad and iPod touch from Apple Inc.[3][4]
  
  It was derived from Mac OS X, with which it shares the Darwin foundation
20. Re:Heh by sbeckstead · 2010-02-02 12:07 · Score: 2, Insightful
  
  I'm supposed to believe a site that calls itself "PC tools iAntivirus"?
  
  --
  Why bother
21. Re:Heh by Kitkoan · 2010-02-02 12:10 · Score: 0
  
  Its not who is better then the other, it's which one is the biggest player in the market which will get the most recognition. All software can be hacked, even locked ones. Just have to find the weak link and have an interest to do so
  
  --
  Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
22. Re:Heh by DJRumpy · 2010-02-02 12:15 · Score: 2, Interesting
  
  A site that sells antivirus software claiming there are a lot of dangerous viruses? But wait, there's more! Your PC is infected! Click here for your free virus scan! Act before it's too late! ;)
  A good read of computer history on Wikipedia if anyone is interested: http://en.wikipedia.org/wiki/Computer_virus
23. Re:Heh by Runaway1956 · 2010-02-02 15:11 · Score: 2, Interesting
  
  I think that almost everyone on slashdot also mentions that security is a process, not a product. The process is so much simpler on Linux, that Windows can't be compared.
  Oh - wait - am I feeding one of those Windows shills? Never mind - carry on - act as if I never said anything.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
24. Re:Heh by DigitalPioneer · 2010-02-02 15:54 · Score: 0, Flamebait
  
  Apple claims Mac is more secure, but that's an outright lie. Even Windows is more secure than Mac, it's just that no-one actually targets Macs because half their userbase is morons who don't have any money anyways. They spent it all on their Mac.
25. Re:Heh by Anonymous Coward · 2010-02-02 16:32 · Score: 0
  
  Prove it. Show us the facts that Mac catches more viruses, trojans, or general malware over a Windows based computer. Show us the 'lie'. It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.
  Over 60,000 known viruses for Windows. Approximately 40 for Mac, and 40 for Linux. No active viruses for Mac, just trojans, meaning they can't even spread on their own. Math is fun, no? (Ref: http://www.securityfocus.com/columnists/188)
  Your argument about market majority is also flawed since web servers, arguably much more lucrative targets, are overwhelmingly Linux based yet Windows servers still get more of their fair share of infections.
  As to the rest of your post, it reeks of trolling, flamebait, and doesn't merit a response.
26. Re:Heh by _4rp4n3t · 2010-02-02 17:11 · Score: 2, Interesting
  
  It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.
  Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...
27. Re:Heh by L4t3r4lu5 · 2010-02-02 21:30 · Score: 1
  
  which is why a many-layered approach to security is necessary
  So you're saying that I should run my iPhone in an emulator on an OS/X installation running in a Parallels image hosted on a VirtualBox machine running Windows 7, in turn running on a Beowulf cluster of Linux boxen?
  
  I can't imagine it fitting in a jacket pocket.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
28. Re:Heh by zhenya00 · 2010-02-03 01:44 · Score: 1
  
  It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.
  Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...
  No, you misunderstand the analogy. It's more like you live in Ciudad Juarez, Mexico. You have a gate around your house with alarm system and hired security on site 24/7, while I live in small town VT and don't lock my door and my neighbors all have a key anyhow. Who is more secure?
29. Re:Heh by Swift2001 · 2010-02-04 09:16 · Score: 1
  
  This is actually a well-known attack on the certificate companies. Something to do with a maliciously-crafted certificate application. Can't remember the details.
  Verisign and the rest should be catching this.
  No "malicious software remover" is going to find anything wrong with this certificate at all. Time for Verisign to step up.
  But I know you guys are too obsessed with bashing Apple to actually think straight.
30. Re:Heh by Swift2001 · 2010-02-04 09:18 · Score: 1
  
  The certificate is from Verisign! Are you saying the iPhone shouldn't trust Verisign? Once the certificate is issued, nothing's going to reliably catch it unless Verisign wises up and revokes it.
Thank Ghod I run Windows by Anonymous Coward · 2010-02-02 09:14 · Score: 5, Funny

Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
***NO CARRIER***
1. Re:Thank Ghod I run Windows by Anonymous Coward · 2010-02-02 10:33 · Score: 0
  
  I have a Moto Q (Win Mobile 6). It does everything I need a phone to do, including retreiving email and information (web pages). It still amazes me how many people who are otherwise intelligent geeks keep on chugging the Apple Koolaid.
2. Re:Thank Ghod I run Windows by svanheulen · 2010-02-02 11:40 · Score: 1
  
  Try a phone with Android or Maemo and you'll realise how incredibly shitty WinMo is.
3. Re:Thank Ghod I run Windows by PixetaledPikachu · 2010-02-02 12:07 · Score: 1
  
  I have a Moto Q (Win Mobile 6). It does everything I need a phone to do, including retreiving email and information (web pages). It still amazes me how many people who are otherwise intelligent geeks keep on chugging the Apple Koolaid.
  any phone except the USD20-30 Nokias can do email and http with opera. The problem lies in user experience. I have seen how my friend uses his Samsung Omnia, requiring him to press that minuscule "windows" button on the top left with his nail, so his finger wouldn't touch anything else in the screen. That windows button then churns out text menu with small fonts, that were packed so close together, causing him having to use his nail again to press one of them. It's annoying.
4. Re:Thank Ghod I run Windows by Hucko · 2010-02-02 12:49 · Score: 1
  
  I've used a Win Mobile (5) and it did everything I wanted a phone to do and more. I've anecdotally found the iphone to be more stable, quicker and easier to use. Why is it koolaid chugging to decide one product does what you want it to better than another?
  
  --
  Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
IMPOSSIBLE by Some.Net(Guy) · 2010-02-02 09:14 · Score: 1, Funny

Cmon, everyone knows that Apple products are impervious to viruses. ....bahahahahaha
1. Re:IMPOSSIBLE by Anonymous Coward · 2010-02-02 09:21 · Score: 3, Informative
  
  Except this isn't a self-replicating binary, so no, it's not a virus. /pedant
2. Re:IMPOSSIBLE by Anonymous Coward · 2010-02-02 09:21 · Score: 0
  
  The iPhone by default will trust configuration files that it receives over the air or while connected to a PC...
  There you have it, it's Microsoft's fault.
  Apple's in the clear.
3. Re:IMPOSSIBLE by Ziwcam · 2010-02-02 09:21 · Score: 0, Troll
  
  Still not a virus Fake edit: Bah, beat by someone who didn't bother to log in.
4. Re:IMPOSSIBLE by Anonymous Coward · 2010-02-02 09:28 · Score: 0
  
  So you don't know the difference between a falsified PKI certificate and a virus...typical for a .Net programmer, I guess, but still disappointingly stupid.
5. Re:IMPOSSIBLE by sopssa · 2010-02-02 09:52 · Score: 1
  
  Viruses are so 90's on all operating systems anyway. Most malware now a days comes via vulnerabilities like exploits, or in this case a vulnerability in certificate system.
6. Re:IMPOSSIBLE by pclminion · 2010-02-02 11:42 · Score: 4, Insightful
  
  A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.
7. Re:IMPOSSIBLE by toadlife · 2010-02-02 12:37 · Score: 1
  
  Most malware now a days comes via vulnerabilities like exploits
  Most malware these days is spread via social engineering. Go to a random AV vendor's site and look the top ten viruses for Windows. At any given time, most of them will be worm/trojan combos that spread via social engineering. Checking McAfee's site right now, it looks like three of the top ten actually spread via exploits.
  
  --
  I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
8. Re:IMPOSSIBLE by Anonymous Coward · 2010-02-02 21:40 · Score: 0
  
  Today's weather forecast: windy, lots of "whoosh" in the air.
  (Cue: all the correction posts. The joke's on the sentence "As long as we're being pedantic.")
yikes! by dropadrop · 2010-02-02 09:17 · Score: 1

"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable."
Sounds terrible :)
Seriously though, I've been wondering why there have been so few vulnerabilities on the iphone.
1. Re:yikes! by Voyager529 · 2010-02-02 09:38 · Score: 5, Interesting
  
  My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.
2. Re:yikes! by interkin3tic · 2010-02-02 09:41 · Score: 1
  
  Seriously though, I've been wondering why there have been so few vulnerabilities on the iphone.
  Me too. I guess my days of carelessly visiting untrustworthy but hott websites on my iphone and then clicking on whatever popups came up without bothering to read it are over.
  It's a fetish, alright? I like clicking on buttons while looking at pictures of goats. Don't judge me.
3. Re:yikes! by 0xdeadbeef · 2010-02-02 10:15 · Score: 1
  
  Which means there have actually been many exploits for the iPhone.
4. Re:yikes! by AHuxley · 2010-02-02 11:10 · Score: 1
  
  But who is using them and why no chatter?
  Most of the time would the tools would be sold, bragged about or just shown to be build on by others to make better tools?
  
  --
  Domestic spying is now "Benign Information Gathering"
5. Re:yikes! by TrancePhreak · 2010-02-02 13:22 · Score: 1
  
  The SMS vulnerability makes up for it in my opinion.
  
  --
  
  -]Phreak Out[-
6. Re:yikes! by BitZtream · 2010-02-02 14:51 · Score: 1
  
  The part you quoted is rather untrue.
  
  You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable.
  Right up until they old down the power and home button for a few seconds and wipe the device. Plug it in to the PC, restore, done.
  This isn't a vulnerability in the phone, it is be design.
  You can argue that its a design flaw, but its a direct result of features requested by users. Everything about this exploit is a direct result of requests from businesses and users. If Apple 'locked it down' to make it safer, we'd end up with everyone bitching about it being closed and under apples control like the AppStore whining.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
7. Re:yikes! by Voyager529 · 2010-02-02 14:52 · Score: 2, Interesting
  
  But who is using them and why no chatter?
  
  Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the front page of Slashdot, but wasn't the subject of an Apple press release) updated the hardware in the 3GS to prevent jailbreaking. If it was a few dozen computer geeks who wanted to tether, Apple wouldn't go to these lengths to actively prevent jailbreaking (which as we've determined, is simply desirable use of an exploit).
  
  Most of the time would the tools would be sold, bragged about or just shown to be build on by others to make better tools?
  Winpwn. Quickpwn. PwnageTool. Redsn0w. Yellowsn0w. Ultrasn0w. Purplera1n. Blackra1n. ZiPhone.
Phishing by goldaryn · 2010-02-02 09:25 · Score: 1

So I guess that if you can route outbound web traffic through any server you like, you can phish login detail and who knows what else?
No danger... by Pedrito · 2010-02-02 09:27 · Score: 1

'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

That's it? Who'd be dumb enough to fall for t#1$j213!%
NO CARRIER
1. Re:No danger... by exomondo · 2010-02-02 09:45 · Score: 1
  
  if the average person downloads a file - obviously with the intention of opening it - and is told that the file is verified by apple then i think it's pretty obvious that a LOT of people would be susceptible to this kind of attack.
2. Re:No danger... by dgatwood · 2010-02-02 10:00 · Score: 5, Informative
  
  I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.
  Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.
  The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
3. Re:No danger... by v1 · 2010-02-02 10:04 · Score: 1
  
  You can't download and run apps on your iphone, you have to get them from the app store, unless you've jailbroken it.
  And if you can't be smart enough to figure out what apps are safe to open, you shouldn't have jailbroken it in the first place.
  
  --
  I work for the Department of Redundancy Department.
4. Re:No danger... by Anonymous Coward · 2010-02-02 10:23 · Score: 0
  
  YES! Oh GOD YES!
5. Re:No danger... by Nerdfest · 2010-02-02 10:46 · Score: 1
  
  everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.
  Yeah, because nobody would tolerate that.
6. Re:No danger... by exomondo · 2010-02-02 11:04 · Score: 1
  
  i should have worded that differently...rather goes to a website and opens a link.
7. Re:No danger... by nstlgc · 2010-02-02 11:18 · Score: 2, Insightful
  
  Hello, my name is Steve Jobs and I would like to thank you for defending my honour.
  
  --
  I'm Rocco. I'm the +5 Funny man.
8. Re:No danger... by v1 · 2010-02-02 12:00 · Score: 1
  
  does the link cause the iphone to download and launch the downloaded app, or is it a browser-executed thing like an SWF, or is it using an overflow bug in a browser system like the recent TIFF vulnerability, or how does it manage to get into an execution/interpretation chain?
  
  --
  I work for the Department of Redundancy Department.
9. Re:No danger... by exomondo · 2010-02-02 12:48 · Score: 1
  
  It's an OTA configuration file
10. Re:No danger... by Anonymous Coward · 2010-02-02 20:23 · Score: 0
  
  Hello, my name is Steve Jobs
  Do you have a Verisign certificate to prove that?
Can that be used to sign ipcc and enable tethering by darp · 2010-02-02 09:28 · Score: 2, Insightful

Wasn't that the problems with tethering non-jailbroken phones?
Don't worry by CSHARP123 · 2010-02-02 09:35 · Score: 3, Funny

Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)
1. Re:Don't worry by Anonymous Coward · 2010-02-02 09:36 · Score: 0, Troll
  
  Norton is a virus.
2. Re:Don't worry by Anonymous Coward · 2010-02-02 09:40 · Score: 1, Insightful
  
  Are you sure that's a good thing?
3. Re:Don't worry by Attherd · 2010-02-02 09:47 · Score: 1
  
  I was under the impression that Norton needed more processing power than the iPhone could provide.
4. Re:Don't worry by Anonymous Coward · 2010-02-02 09:54 · Score: 0
  
  Norton requires processing power in the petaFLOPS, eg HPC or supercomputer. We are unlikely to see viruses that are capable of affecting any system that is actually capable of running Norton.
5. Re:Don't worry by Monkeedude1212 · 2010-02-02 09:54 · Score: 0, Redundant
  
  Norton needs more processing power than any PC could provide.
6. Re:Don't worry by sopssa · 2010-02-02 09:55 · Score: 0, Redundant
  
  Norton needs more processing power than anything could provide.
7. Re:Don't worry by Anonymous Coward · 2010-02-02 09:58 · Score: 1, Funny
  
  Nortan Anti-Virus software is now available for iPhone too.
  Buying knock offs again, eh?
8. Re:Don't worry by bjb_admin · 2010-02-02 10:12 · Score: 1
  
  As long as the virus database has only one entry in it Norton will be fine.
9. Re:Don't worry by greyline · 2010-02-02 10:14 · Score: 1
  
  Sounds like Norton is the Chuck Norris of AV software.
10. Re:Don't worry by silent_artichoke · 2010-02-02 10:31 · Score: 2, Funny
  
  Indeed. Symantec hired Chuck Norris to compile Norton. He glared at the code and it compiled itself out of fear. Chuck Norris can also overflow any buffer.
11. Re:Don't worry by Anonymous Coward · 2010-02-02 10:44 · Score: 0
  
  Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)
  Good thing the iPhone doesn't have user multitasking or backgrounding (yet), or the only way to stop it would be to restore the device from scratch!
  Imagine you Android and Palm Pre users with an app you can't kill - you try, and it just restarts itself in the background...
12. Re:Don't worry by CSHARP123 · 2010-02-02 11:22 · Score: 1
  
  Does it really matter?
13. Re:Don't worry by sbeckstead · 2010-02-02 12:00 · Score: 1
  
  Closer to the Ron Popeil!
  
  --
  Why bother
14. Re:Don't worry by Anonymous Coward · 2010-02-02 14:31 · Score: 0
  
  Too bad you can't run multiple apps. That means you can't run your crappy AV at the same time as your crappy browser. YOU CAN ONLY USE YOUR ANTIVIRUS WHEN YOU DO NOT NEED IT.
  That would be effing brilliant.
15. Re:Don't worry by gemada · 2010-02-02 18:38 · Score: 1
  
  Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)
  i am not sure if you intentionally or unintentionally spelled Norton wrong. Either way your comment is still funny.
16. Re:Don't worry by L4t3r4lu5 · 2010-02-02 21:40 · Score: 1
  
  If Chuck Norris compiled the bag of excrement that is Norton, it would be a much better piece of software. No false positives, no slowdown, no invasive abuse of network drivers. It would just set the desktop background to a picture of Chuck giving a roundhouse kick to AIDS with the slogan
  
  VIRUSES: GTFO
  
  I mean come on! Let's be sensible about this.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
Now that... by Anonymous Coward · 2010-02-02 09:55 · Score: 0

Now that...
Is a killer app.
expand every post...? by Anonymous Coward · 2010-02-02 10:00 · Score: 0

Wow!! every comment modded down to 2 or below except for 2 posts.Both of them modded informative and interesting because they claimed the iphone was safe. Apple fanboies are out in force today.
Thank goodness... by metamatic · 2010-02-02 10:00 · Score: 3, Funny

...the iPhone controls what software you're allowed to run, to keep it secure. Otherwise it would suffer from exploits like this one.

--
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
1. Re:Thank goodness... by Hurricane78 · 2010-02-03 07:51 · Score: 1
  
  The question is: Secure from whom? ^^
  The only one who should not be trusted with controlling the device, according to Apple, seems to be the person who “owns” it! ;)
  And that’s OK, because them still buying it anyway, is proof that they love it.
  Yeah baby! Spank me! Spank me hard with that DRM! Woohooo!!! ;))
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
2/2/2010 iPhone Patch by kainewynd2 · 2010-02-02 10:10 · Score: 1

Apple released a security update for the iPhone and iPod Touch today.
Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).

--
I just don't get... eh, ugh... never mind. This post wasn't worth the research I put into it.
1. Re:2/2/2010 iPhone Patch by prockcore · 2010-02-02 11:09 · Score: 1
  
  Son of a... that means another 2.5 gigabyte download to update the SDK. I hope whoever it is at Apple that doesn't believe in binary diffs dies in a fire.
2. Re:2/2/2010 iPhone Patch by Anonymous Coward · 2010-02-02 12:41 · Score: 0
  
  What are you, on dialup or something?
  Click "download" before you go to bed at night, wake up in the morning with the download complete. Sheesh.
3. Re:2/2/2010 iPhone Patch by gyrogeerloose · 2010-02-02 15:51 · Score: 1
  
  Apple released a security update for the iPhone and iPod Touch today.
  Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).
  Nothing about malicious OTP files in there anywhere, I don't think this latest thing has been addressed. It would surprise me of Apple (or any other computer company) could move that fast to fix a vulnerability.
  
  --
  This ain't rocket surgery.
and why not... by Anonymous Coward · 2010-02-02 10:16 · Score: 0

There's an app for THAT??
How is this related to the iPhone? by icydog · 2010-02-02 10:16 · Score: 3, Insightful

The "attack" in TFA doesn't mention anything necessarily specific to the iPhone. The attackers got Verisign to sign a cert with the name "Apple Computer." That is a social engineering problem, not a security implementation flaw of the iPhone.

I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.
1. Re:How is this related to the iPhone? by WraithCube · 2010-02-02 10:55 · Score: 1
  
  The other part of the attack deals with the iphone in that it can change the mobileconfig file and allow the attacker to set the HTTP proxy. Then make is so you cannot remove the new config file.
2. Re:How is this related to the iPhone? by Anonymous Coward · 2010-02-02 11:22 · Score: 0
  
  Just run your phone on a 3G Femtocell that runs all traffic through your _own_ proxy and use that to remove the config file.
3. Re:How is this related to the iPhone? by Anonymous Coward · 2010-02-02 11:30 · Score: 0
  
  Are they not supposed to be able to change their proxy settings?
  Moral of the story is, if you don't think you clicked anything that could change your iPhone, don't accept it.
4. Re:How is this related to the iPhone? by exomondo · 2010-02-02 12:10 · Score: 4, Insightful
  
  The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.
  Yes it does:
  
  The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate
5. Re:How is this related to the iPhone? by WraithCube · 2010-02-02 12:12 · Score: 1
  
  I don't really know what the specifics were, but this is the quote from the end of the article (yeah, I guess I never should have expected slashdot users to read the article)
  
  "You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file,"
  Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.
6. Re:How is this related to the iPhone? by exomondo · 2010-02-02 12:47 · Score: 1
  
  Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.
  So do a hell of a lot of viruses, trojans and malware, and they all perpetuate even without the added assurance of a trusted certificate.
Is this really an SSL attack? by rickb928 · 2010-02-02 10:33 · Score: 2, Interesting

I'm getting a little uneasy with SSL. Nothing is safe.

--
deleting the extra space after periods so i can stay relevant, yeah.
1. Re:Is this really an SSL attack? by Anonymous Coward · 2010-02-02 13:50 · Score: 0
  
  No, this is not an SSL attack. It has nothing to do with any flaws in SSL, other than Verisign handing out a certificate for "Apple Computers" when they arguably shouldn't have.
2. Re:Is this really an SSL attack? by BitZtream · 2010-02-02 14:33 · Score: 1
  
  It has EVERYTHING to do with SSL. It points out the weakness in the system. Root certificate authorities are part of the SSL ecosystem, without root CAs SSL is effectively useless.
  With shitty root authorities, like VeriSign, SSL is effectively worthless.
  Someone needs to wipe them and network solutions off the face of the Earth.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Too much sensationalism? by kryptopath · 2010-02-02 10:45 · Score: 2, Interesting

Initial (anonymous) author of TFA here:
Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will sure be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article Apple should not use Safari's keychain to check the trust chain.
As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.
1. Re:Too much sensationalism? by sbeckstead · 2010-02-02 11:58 · Score: 1
  
  The issue is completely on Apple for trusting a certificate
  Um sorry but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.
  Level 1 certificate statuses
  I didn't see exactly what you are talking about here either, but perhaps I mis-interpreted it.
  
  --
  Why bother
2. Re:Too much sensationalism? by exomondo · 2010-02-02 15:48 · Score: 1
  
  Um sorry but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.
  It's not without verification, there are different levels of verisign certificates and Apple sees no problem with accepting the lowest and least-trustworthy certificate.
3. Re:Too much sensationalism? by kryptopath · 2010-02-02 21:48 · Score: 1
  
  Verisign as any other Certificate Authority delivers various certificate with different trust levels. If you decide to trust somebody coming with a Level 1 temporary certificate issued without any verification you are in trouble. If you trust this same person to change some of your phone settings you are begging for trouble.
4. Re:Too much sensationalism? by Rennt · 2010-02-02 22:38 · Score: 1
  
  I think the point is that you are SUPPOSED to be able to get a temporary unverified cert. They are just not supposed to be trusted by the client.
  The problem is the iPhone accepts unverified certs as verified, which really sounds like Apple's screw up.
You don't need an iPad, iPod, or iPhone. by Anonymous Coward · 2010-02-02 10:46 · Score: 0

Get a PC already.
MITM by amicusNYCL · 2010-02-02 11:44 · Score: 1

enabling him to man-in-the-middle SSL traffic from that phone
So "man-in-the-middle" is a verb now, huh?

--
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Um maybe not Apples problem.... by sbeckstead · 2010-02-02 11:53 · Score: 0, Troll

the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer.
From the article it looks like Verisign is the problem here.

--
Why bother
1. Re:Um maybe not Apples problem.... by mystikkman · 2010-02-02 12:12 · Score: 1
  
  Wrong, the Apple Computer part is to just confuse the user, not to enable the attack. They could've just used Apple 1nc. and some people would still think it's sanctioned by Apple,.
2. Re:Um maybe not Apples problem.... by sbeckstead · 2010-02-02 12:22 · Score: 1
  
  Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.
  
  --
  Why bother
3. Re:Um maybe not Apples problem.... by mystikkman · 2010-02-02 13:39 · Score: 1
  
  Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.
  Wrong.. you're looking at Apple Inc.
Wrong title? by jma05 · 2010-02-02 12:35 · Score: 1, Informative

This is a vulnerability, not an attack that has happened. Vulnerabilities can *potentially* lead to attacks. The title implies that it had already happened. AFAIK, testing vulnerabilities is not termed an attack; only when they are exploited by a malicious third party.
Apple doesn't take certificates seriously by Boltronics · 2010-02-02 14:51 · Score: 1

I've configured our local office WAP with WPA2-Enterprise and PEAP. I have to support this setup on a variety of machines.
Windows machines (depending on the configuration) typically refuse to connect unless the root certificate presented is trusted first. Unfortunately the error is typically quite unhelpful, but at least it operates in a safe way. It's also not too obvious how to import certificates for non-techies.
GNU/Linux machines running NetworkManager such as Ubuntu IMHO do the right thing - warn if the root certificate is not trusted, but allow you to bypass the warning and connect if for whatever reason you want to. You are prompted to upload the root certificate file right on the connection box, so it's very user friendly and encourages secure behavior.
iPod Touch/iPhones don't offer any obvious way to import the certificate! Upon connection they do present you the certificate and ask if you would like to trust it... however when you scroll down to the fingerprint, half of it doesn't fit on the screen and you can't scroll to the right to see the rest of it! The most important thing you need to see and half of it's missing! What were they thinking?
I'm not surprised by this news at all.

--
It's GNU/Linux dammit!
App lockdown and security by physburn · 2010-02-02 16:01 · Score: 1

This goes to show that Apple's policy of lockdown down applications only to come from Apple's own store has down nothing to make its iPhone more secure. Its perphaps unlucky that a white hat researcher found the flaw first, as Apple needs someone to shock it out of its Apple applicances only use Apple allowed code policy.
---
Mobile Phones Feed @ Feed Distiller
1. Re:App lockdown and security by Swift2001 · 2010-02-04 09:28 · Score: 1
  
  Funny, wasn't the open and wonderful Google app store the victim of an app that contained malware in the opening week?
MD5 certs ... by satyamcomments · 2010-02-02 20:28 · Score: 1

Interestingly checked out the link lot of these certs are MD5 http://support.apple.com/kb/HT3580
Why not bigger news? by hysonmb · 2010-02-03 00:01 · Score: 1

So now I guess everyone is going to talk about how secure Windows Mobile is because there aren't so many exploits targeting it? It's simply a matter of marketshare. In the PC space, Windows is #1 so there are more high profile attacks against it. In the mobile space, the iPhone is killing the competition so people are attacking it. The only thing surprising about these types of attacks to me is that they only seem to make headlines in the geek press. An issue like this targeting a desktop (no matter who makes it) would be all over the news since they seem to enjoy spreading FUD. If they broadcast this, they'll have people cancelling data plans and buying Tracphones by the end of the day. But, it's rare to ever hear about mobile vulnerabilities outside of the tech circles even though the mobile market is huge.
So it is true.... by Anonymous Coward · 2010-02-03 02:40 · Score: 0

.... if you can think of it, there's already an iPhone App for it.... hehe
iPad? by commodoresloat · 2010-02-03 11:42 · Score: 1

I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.
what the hell's an iPad? an iPod from Boston?
Proof of escalation by ALeader71 · 2010-02-03 17:40 · Score: 0

In any war, escalation is inevitable. First we had spyware that took over your browser. Next spyware silently monitored your actions. Today spyware removes competing or incompatible spyware prior to installation. We've seen the future and it requires no local code execution.

--
Only the dead have seen the end of War. - Plato
"No Chatter" by Swift2001 · 2010-02-04 09:27 · Score: 1

The chatter about how "insecure" the Mac is, supposedly, is deafening in the pro-Windows and pro-Linux circles. Since 99.99% of Mac, iPhone, etc., users have never experienced this horrible invasion by malware, they think you're nuts.
Security is a huge problem for anyone using the Internet. It seems that Windows, after years of utter nightmare, may be locking things up, though each month, it seems, there's new updates. But the biggest vector this year is expected to be Adobe: Flash and Reader are incredibly vulnerable, apps and plugins, and the company seems to be asleep at the switch about issuing security upgrades.
The fundamental problem here is with Verisign and the other certificate issuers. Any evidence that this kind of hack, resulting in a man in the middle attack and a degradation of the use of certificates in general, is not possible in other OSes?