Slashdot Mirror


New iPhone Attack Kills Apps, Reroutes Web Traffic

Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

28 of 125 comments

  1. Heh by Pojut · · Score: 4, Funny

    ::cue "see, Apple isn't perfect" comments::

    See? Apple isn't perfect!

    1. Re:Heh by Locke2005 · · Score: 2, Insightful

      "Not perfect"?!? Blasphemy!!! Burn the Blasphemer!

      Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Heh by ijitjuice · · Score: 3, Interesting

      If you get apps from the App Store, how would this get installed? If I'm out and about, would this just pop up on my screen? I guess I'm lost as to how it would get on my phone in the first place?

    3. Re:Heh by jjoelc · · Score: 5, Funny

      Easy, just go to "jailbreaking for dummies dot com", enter your credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. It will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!

    4. Re:Heh by kybur · · Score: 5, Informative

      Certain settings can be changed on an iPhone just based on links/downloads clicked on from within Safari (on the device). That is how iPhone OS 3.0.x users could enable tethering without jailbreaking their phones. It was just a settings file that could be downloaded. I believe it was unsigned, but now, apparently, it would be easy to make it look like an Apple-signed file.

    5. Re:Heh by Sechr+Nibw · · Score: 4, Insightful

      Easy?

      As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

      You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

    6. Re:Heh by Dishevel · · Score: 4, Funny

      Oh nos! You have to fool someone? Now it will never work.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    7. Re:Heh by Oooskar · · Score: 3, Interesting

      As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

      You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

      Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make clear that the name it displays isn't a validated organization name.

    8. Re:Heh by nstlgc · · Score: 2, Insightful

      If you think this is obvious, you haven't met the horde of users that still believe CNN and Microsoft work together to announce viruses.

      --
      I'm Rocco. I'm the +5 Funny man.
    9. Re:Heh by sbeckstead · · Score: 2, Insightful

      I'm supposed to believe a site that calls itself "PC tools iAntivirus"?

    10. Re:Heh by DJRumpy · · Score: 2, Interesting

      A site that sells antivirus software claiming there are a lot of dangerous viruses? But wait, there's more! Your PC is infected! Click here for your free virus scan! Act before it's too late! ;)

      A good read of computer history on Wikipedia if anyone is interested: http://en.wikipedia.org/wiki/Computer_virus

    11. Re:Heh by Runaway1956 · · Score: 2, Interesting

      I think that almost everyone on Slashdot also mentions that security is a process, not a product. The process is so much simpler on Linux that Windows can't be compared.

      Oh - wait - am I feeding one of those Windows shills? Never mind - carry on - act as if I never said anything.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    12. Re:Heh by _4rp4n3t · · Score: 2, Interesting

      It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.

      Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...

  2. Thank Ghod I run Windows by Anonymous Coward · · Score: 5, Funny

    Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
    ***NO CARRIER***

  3. Re:IMPOSSIBLE by Anonymous Coward · · Score: 3, Informative

    Except this isn't a self-replicating binary, so no, it's not a virus. /pedant

  4. Can that be used to sign ipcc and enable tethering by darp · · Score: 2, Insightful

    Wasn't that the problems with tethering non-jailbroken phones?

  5. Don't worry by CSHARP123 · · Score: 3, Funny

    Norton Anti-Virus software is now available for iPhone too. I was wondering when it would become available. Thanks, now my iPhone works the same way as a PC with Windows :)

    1. Re:Don't worry by silent_artichoke · · Score: 2, Funny

      Indeed. Symantec hired Chuck Norris to compile Norton. He glared at the code and it compiled itself out of fear. Chuck Norris can also overflow any buffer.

  6. Re:yikes! by Voyager529 · · Score: 5, Interesting

    My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.

  7. Re:No danger... by dgatwood · · Score: 5, Informative

    I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

    Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.

    The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Thank goodness... by metamatic · · Score: 3, Funny

    ...the iPhone controls what software you're allowed to run, to keep it secure. Otherwise it would suffer from exploits like this one.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  9. How is this related to the iPhone? by icydog · · Score: 3, Insightful

    The "attack" in TFA doesn't mention anything necessarily specific to the iPhone. The attackers got Verisign to sign a cert with the name "Apple Computer." That is a social engineering problem, not a security implementation flaw of the iPhone.

    I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.

    1. Re:How is this related to the iPhone? by exomondo · · Score: 4, Insightful

      The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.

      Yes it does:

      The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate

  10. Is this really an SSL attack? by rickb928 · · Score: 2, Interesting

    I'm getting a little uneasy with SSL. Nothing is safe.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  11. Too much sensationalism? by kryptopath · · Score: 2, Interesting

    Initial (anonymous) author of TFA here:

    Do not blame VeriSign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will surely be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification, so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article, Apple should not use Safari's keychain to check the trust chain.

    As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.
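Two of the posts above argue about where the fix belongs: dgatwood proposes rejecting a signer whose company name matches /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i and then points out that a name check cannot really solve the problem, and kryptopath says the profile trust decision should not be made against Safari's keychain at all. The block below is an added example, not code from Apple, the iPhone, or either poster, that puts both points side by side: the proposed name blocklist, the kinds of names that slip past it, and a policy that decides by signer identity (a pinned fingerprint or a dedicated profile-signing CA) instead of by displayed name. All certificates, issuers and CA names in it are constructed stand-ins, the "signer" records are dataclasses rather than parsed X.509, and the `org_validated` flag is an assumption standing in for a real certificate-policy check.

```python
import hashlib
import re
import unicodedata
from dataclasses import dataclass

# Added example (not code from the iPhone, Apple, or the original posts).
# The signers below are constructed records standing in for certificates.

# The two name patterns proposed in the thread for refusing a signer that
# merely calls itself Apple.
APPLE_NAME_DENY = (
    re.compile(r"^\s*Apple\s*$", re.I),
    re.compile(r"^\s*Apple\s*Computer\s*$", re.I),
)


def parse_dn(dn: str) -> dict:
    """Split 'CN=..., O=...' into a dict. Toy parser: no RFC 4514 escaping."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def name_denied(subject: str) -> bool:
    """Name-blocklist check: is the O (or CN) one of the denied Apple spellings?"""
    fields = parse_dn(subject)
    name = fields.get("O") or fields.get("CN", "")
    return any(pattern.match(name) for pattern in APPLE_NAME_DENY)


def confusable_chars(name: str) -> list:
    """Letters outside the Latin script that render like Latin ones and slip past the regex."""
    return [c for c in name if c.isalpha() and not unicodedata.name(c, "").startswith("LATIN")]


@dataclass(frozen=True)
class Signer:
    subject: str         # subject DN of the signing certificate
    issuer: str          # issuer DN
    org_validated: bool  # assumption: issuer vetted the organisation (True) or issued on request (False)
    der: bytes           # stand-in for the encoded certificate

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


# A trust store dedicated to profile signing, separate from the keychain the
# browser uses for ordinary TLS. The CA name is assumed.
PROFILE_SIGNING_CAS = {"CN=Example Corp Profile Signing CA, O=Example Corp"}


def profile_signer_allowed(signer: Signer, pinned: set, profile_cas: set) -> tuple:
    """Accept a signer by identity, never by what its displayed name claims."""
    if signer.fingerprint() in pinned:
        return True, "pinned signer"
    if signer.issuer in profile_cas and signer.org_validated:
        return True, "issued by a profile-signing CA that validated the organisation"
    return False, "signer does not chain to the profile-signing trust store"


DEMO_ISSUER = "CN=Example Demo Class 1 CA, O=Example Issuer"  # constructed: issues on request, no vetting
KNOWN_GOOD = Signer("CN=IT Department, O=Example Corp",
                    "CN=Example Corp Profile Signing CA, O=Example Corp", True, b"cert-0004")
SIGNERS = {
    "claims_apple": Signer("CN=Apple Computer, O=Apple Computer", DEMO_ISSUER, False, b"cert-0001"),
    "apple_inc": Signer("O=Apple Inc.", DEMO_ISSUER, False, b"cert-0002"),
    "homoglyph": Signer("O=\u0410pple Computer", DEMO_ISSUER, False, b"cert-0003"),  # Cyrillic A
    "known_good": KNOWN_GOOD,
}


def demo() -> dict:
    """Return {label: (caught by name blocklist, accepted by trust-store policy)}."""
    pinned = {KNOWN_GOOD.fingerprint()}
    return {label: (name_denied(s.subject), profile_signer_allowed(s, pinned, PROFILE_SIGNING_CAS)[0])
            for label, s in SIGNERS.items()}


if __name__ == "__main__":
    for label, (denied, allowed) in demo().items():
        print(f"{label:13s} name blocklist caught it: {denied!s:5s}  trust store accepts it: {allowed}")
```

Running it shows the shape of the argument: the blocklist catches "Apple Computer" (in any case and spacing) but not "Apple Inc." or a Cyrillic-A lookalike, while the trust-store policy rejects all three unvetted signers and accepts only the pinned or properly issued one, without looking at the name. The `confusable_chars` helper is only a hint for a warning dialog; the decision itself should not depend on it.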

  12. Re:No danger... by nstlgc · · Score: 2, Insightful

    Hello, my name is Steve Jobs and I would like to thank you for defending my honour.

    --
    I'm Rocco. I'm the +5 Funny man.
  13. Re:IMPOSSIBLE by pclminion · · Score: 4, Insightful

    A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.

  14. Re:yikes! by Voyager529 · · Score: 2, Interesting

    But who is using them and why no chatter?

    Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the front page of Slashdot, but wasn't the subject of an Apple press release) updated the hardware in the 3GS to prevent jailbreaking. If it was a few dozen computer geeks who wanted to tether, Apple wouldn't go to these lengths to actively prevent jailbreaking (which as we've determined, is simply desirable use of an exploit).

    Most of the time, would the tools be sold, bragged about, or just shown to be built on by others to make better tools?

    Winpwn. Quickpwn. PwnageTool. Redsn0w. Yellowsn0w. Ultrasn0w. Purplera1n. Blackra1n. ZiPhone.