Slashdot Mirror


New iPhone Attack Kills Apps, Reroutes Web Traffic

Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

11 of 125 comments

  1. Re:Heh by Locke2005 · · Score: 2, Insightful

    "Not perfect"?!? Blasphemy!!! Burn the Blasphemer!

    Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  2. Can that be used to sign ipcc and enable tethering by darp · · Score: 2, Insightful

    Wasn't that the problem with tethering non-jailbroken phones?

  3. Re:Don't worry by Anonymous Coward · · Score: 1, Insightful

    Are you sure that's a good thing?

  4. Re:Heh by Sechr Nibw · · Score: 4, Insightful

    Easy?

    As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

    You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

  5. Re:Heh by Anonymous Coward · · Score: 1, Insightful

    "Apple Computer, Inc" is now "Apple, Inc". So obviously any certificate from "Apple Computer" (with or without the "Inc") would be a fake.

  6. How is this related to the iPhone? by icydog · · Score: 3, Insightful

    The "attack" in TFA doesn't mention anything necessarily specific to the iPhone. The attackers got Verisign to sign a cert with the name "Apple Computer." That is a social engineering problem, not a security implementation flaw of the iPhone.

    I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.

    1. Re:How is this related to the iPhone? by exomondo · · Score: 4, Insightful

      The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.

      Yes it does:

      The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate

  7. Re:Heh by nstlgc · · Score: 2, Insightful

    If you think this is obvious, you haven't met the horde of users that still believe CNN and Microsoft work together to announce viruses.

    --
    I'm Rocco. I'm the +5 Funny man.
  8. Re:No danger... by nstlgc · · Score: 2, Insightful

    Hello, my name is Steve Jobs and I would like to thank you for defending my honour.

    --
    I'm Rocco. I'm the +5 Funny man.
  9. Re:IMPOSSIBLE by pclminion · · Score: 4, Insightful

    A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.

  10. Re:Heh by sbeckstead · · Score: 2, Insightful

    I'm supposed to believe a site that calls itself "PC tools iAntivirus"?