New iPhone Attack Kills Apps, Reroutes Web Traffic
Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"
Re:yikes! (Score:5, Interesting)
My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.
Is this really an SSL attack? (Score:3, Interesting)
I'm getting a little uneasy with SSL. Nothing is safe.
Too much sensationalism? (Score:2, Interesting)
Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will surely be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification, so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article, Apple should not use Safari's keychain to check the trust chain.
As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.
Re:Heh (Score:3, Interesting)
As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer.
You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make clear that the name it displays isn't a validated organization name.
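The trust mistake described in this comment and in the "Too much sensationalism?" post above, as an added example that is not from the article, the thread, or Apple: a signer check that keys on the displayed name versus one that keys on the CA's validation level and a pinned signer. Certificate fields are a constructed simplification (plain dataclass instead of parsed X.509), and the validation-class labels, the expected organization name and the fingerprints are placeholders.

```python
"""Trust decision for a signed over-the-air (OTA) settings payload."""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical labels for a CA's validation levels; a real verifier would
# map certificate-policy OIDs onto these after validating the chain.
CLASS1_INDIVIDUAL = "class1-individual"      # CA did not verify the name
CLASS3_ORGANIZATION = "class3-organization"  # CA verified the organization

@dataclass(frozen=True)
class SignerCert:
    common_name: str           # CN: free text under a Class 1 policy
    organization: str | None   # O: present only when an organization was validated
    validation_class: str
    chains_to_trusted_root: bool
    fingerprint: str           # constructed hex digest of the leaf certificate

def weak_trust(cert: SignerCert) -> bool:
    """The failure mode in the thread: any certificate that chains to a
    trusted root and merely *says* 'Apple Computer' in its CN is trusted."""
    return cert.chains_to_trusted_root and cert.common_name == "Apple Computer"

def hardened_trust(cert: SignerCert, expected_org: str,
                   pinned: frozenset[str]) -> tuple[bool, str]:
    """Accepts only a CA-validated organization that is also a pinned signer.
    Returns (accepted, reason) so refusals can be logged with a cause."""
    if not cert.chains_to_trusted_root:
        return False, "chain does not end at a trusted root"
    if cert.validation_class != CLASS3_ORGANIZATION:
        return False, "signer identity was not verified by the CA"
    if cert.organization != expected_org:
        return False, f"signer organization is {cert.organization!r}, not {expected_org!r}"
    if cert.fingerprint not in pinned:
        return False, "signer certificate is not in the pinned set"
    return True, "verified organization and pinned signer"

def describe_signer(cert: SignerCert) -> str:
    """Prompt text that does not present an unverified CN as a verified identity."""
    if cert.validation_class == CLASS3_ORGANIZATION and cert.organization:
        return f"Verified organization: {cert.organization}"
    return f"Unverified name: {cert.common_name!r} (identity not checked by the CA)"

# Constructed sample: a demo Class 1 certificate issued to a *person* named "Apple Computer".
DEMO_CERT = SignerCert("Apple Computer", None, CLASS1_INDIVIDUAL, True, "aa" * 16)
EXPECTED_ORG = "Apple Inc."           # placeholder for the vendor's validated O field
PINNED = frozenset({"bb" * 16})       # placeholder fingerprint of the real signing cert

if __name__ == "__main__":
    print(weak_trust(DEMO_CERT), hardened_trust(DEMO_CERT, EXPECTED_ORG, PINNED))
    print(describe_signer(DEMO_CERT))
```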
Re:Heh (Score:3, Interesting)
A site that sells antivirus software claiming there are a lot of dangerous viruses? But wait, there's more! Your PC is infected! Click here [cknow.com] for your free virus scan! Act before it's too late! ;)
A good read of computer history on Wikipedia if anyone is interested: http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]
Re:yikes! (Score:3, Interesting)
But who is using them and why no chatter?
Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the front page of Slashdot, but wasn't the subject of an Apple press release) updated the hardware in the 3GS to prevent jailbreaking. If it was a few dozen computer geeks who wanted to tether, Apple wouldn't go to these lengths to actively prevent jailbreaking (which as we've determined, is simply desirable use of an exploit).
Most of the time, would the tools be sold, bragged about, or just shown so that others could build on them to make better tools?
Winpwn. Quickpwn. PwnageTool. Redsn0w. Yellowsn0w. Ultrasn0w. Purplera1n. Blackra1n. ZiPhone.
Re:Heh (Score:3, Interesting)
I think that almost everyone on Slashdot also mentions that security is a process, not a product. The process is so much simpler on Linux that Windows can't be compared.
Oh - wait - am I feeding one of those Windows shills? Never mind - carry on - act as if I never said anything.
Re:Heh (Score:2, Interesting)
It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is, by definition, more secure.
Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...