Security Flaw Found That Allows Control of iPhone

i_like_spam writes "The NYTimes is running a story about an iPhone flaw that has been found and documented by researchers from Independent Security Evaluators. Attackers were able to gain full control of the iPhone either through WiFi or by visiting a website with malicious code. The exploit will be demonstrated at BlackHat on Aug. 2nd at 4:45pm. Until then, 'details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at www.exploitingiphone.com, which the researchers said would be unveiled today.'"

Update Deployment

[da_matta]

It's interesting to see what the response to this will be and how long it will take to for Apple to to release and deploy a patch. Mobile phones don't typically the "fast background patching"-systems like PC's (mobile data typically costs so you can't keep checking for updates). And everyone remembers from "pre sp2"-XP what it means if it's up to the user to check and deploy patches (e.g. iTunes).

The Difference is Responsibility...

[iMouse]

Apple iPhone users should be content with the finding of an exploit by responsible security researchers. Unlike InfoSec Sellout (who is likely blowing smoke up his as*), Charles Miller and the rest of the Independent Security Evaluators team should be applauded for their work. They responsibly reported the vulnerability (and a potential fix) to Apple for investigation.

The Apple community should not in any way, shape or form, harass this group like they harassed InfoSec Sellout. I.S.E. are the good guys and as a 15-year Apple veteran, I give my best to those who are out to help Apple keep security at its tightest on their products and services.

Re:The technical paper is the article

[iluvcapra]

Most interesting pieces of information from the article:

Additionally, no address randomization was used in by the operating system.

the filesystem accessible to iTunes is chroot'ed such that only a small set of the filesystem is visible over this [USB] connection.

it is possible to modify the iPhone in such a way that the applications will dump core files when they crash. This is accomplished by adding the file /etc/lauchd.conf containing the line limit core unlimited to the iPhone using iPhoneInterface. Core files can be retrieved off the iPhone from the /cores directory, again using iPhoneInterface.

Under their suggestions:

Install applications such that they run as an unprivileged user. This would result in a successful attacker only gaining the rights of this unprivileged user.

I don't see how that'd help on a single-user computer., tho (another of their suggestions) chrooting all the running apps would be a step in the right direction. The researchers are politicians, too:

This limited access to the filesystem doesn't particu- larly serve a security role from the perspec- tive of a remote attacker. Instead, this serves as an example of design intended to protect the exclusivity of the iPhone to AT&T. If more thought had gone into protecting the applica- tions from remote attack and less on prevent- ing the unlocking of the device, the overall security of the device might have improved.

Translation: Running iTunes in a chroot jail makes the iPhone insecure, because my unicorn says anything done for the sake of AT&T is insecure.

Neat - the interesting thing will be the response

[jht]

Now let's see how long until the first iPhone patch comes out, and if any of the other glitches will be fixed at the same time or if it's strictly for security. Obviously Apple's already been working on iPhone patch #1 and is probably just about ready to push it out after a month.

One functionality change that _should_ come out of this, though - I would turn off the default behavior of scanning for open networks and asking to join them. It wastes battery power, and the pop-ups for new networks are intrusive. In its place I'd put the AirPort icon in the display full-time (instead of just replacing the EDGE "E" when you are on a WiFi network) and allow quick access from there. I think, altogether, iPhone will be a pretty secure device after the initial flushing out of bugs, but this is a little different from traditional devices. iPhone has a classic desktop OS stripped down into a cellphone, whereas mainstream other devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems (or PDA systems) and scaled up.

(not replacing my iPhone with a Razr anytime soon!)

Re:no wonder they don't allow programming the thin

[brilwing]

I don't know the newer Symbian versions 8 and 9, but till version 7 there was no security in Symbian at all. Every program could do everything. I have programmed an installation program that opened a GPRS connection, downloaded a SIS file and installed it on the Symbian phone without user interaction!!!
This was a bit tricky but it worked fine on Nokia Series 60 phones an on Sony Ericsson P800 and P900.

I don't think that Symbian managed it in version 8 and 9 to build in a ground up security, because the SDK is huge with thousands of classes.

Re:Duke WAS NOT Apple's fault

[LKM]

I stand corrected :-)