Slashdot Mirror

← Back to Stories (view on slashdot.org)

New iPhone Attack Kills Apps, Reroutes Web Traffic

Posted by kdawson on from the dead-cert dept.

Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

10 of 125 comments (clear)

  1. Heh by Pojut · · Score: 4, Funny

    ::cue "see, Apple isn't perfect" comments::

    See? Apple isn't perfect!

    --
    Living With a Nerd
    1. Re:Heh by jjoelc · · Score: 5, Funny

      Easy, just go to "jailbreaking for dummies dot com" enter you credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. it will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!

    2. Re:Heh by kybur · · Score: 5, Informative

      Certain settings can be changed on an iPhone just based on links/downloads clicked on from within Safari (on the device). That is how iphone os 3.0.x users could enable tethering without jailbreaking their phones. It was just a settings file that could be downloaded. I believe it was unsigned, but now, apparently it would be easy to make it look like an apple signed file.

    3. Re:Heh by Sechr+Nibw · · Score: 4, Insightful
      Easy?

      As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

      You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

    4. Re:Heh by Dishevel · · Score: 4, Funny

      Oh nos! You have to fool someone? Now it will never work.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  2. Thank Ghod I run Windows by Anonymous Coward · · Score: 5, Funny

    Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
    ***NO CARRIER***

  3. Re:yikes! by Voyager529 · · Score: 5, Interesting

    My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.

  4. Re:No danger... by dgatwood · · Score: 5, Informative

    I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

    Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.

    The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:IMPOSSIBLE by pclminion · · Score: 4, Insightful

    A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.

  6. Re:How is this related to the iPhone? by exomondo · · Score: 4, Insightful

    The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.

    Yes it does:

    The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate