Cellphones Security Apple

New iPhone Attack Kills Apps, Reroutes Web Traffic 125

Posted by kdawson
from the dead-cert dept.
Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"
  • Heh (Score:5, Funny)

    by Pojut (1027544) on Tuesday February 02, 2010 @05:12PM (#31001240) Homepage

    ::cue "see, Apple isn't perfect" comments::

    See? Apple isn't perfect!

    • Re: (Score:3, Insightful)

      by Locke2005 (849178)
      "Not perfect"?!? Blasphemy!!! Burn the Blasphemer!

      Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.
      • which is why a many-layered approach to security is necessary

        So you're saying that I should run my iPhone in an emulator on an OS/X installation running in a Parallels image hosted on a VirtualBox machine running Windows 7, in turn running on a Beowulf cluster of Linux boxen?

        I can't imagine it fitting in a jacket pocket.

    • Re: (Score:3, Interesting)

      by ijitjuice (666161)
      If you get apps from the app store how would this get installed? If I'm about n about this would just pop up on my screen? I guess I'm lost as to how it would get on my phone in the first place?
      • Re:Heh (Score:5, Funny)

        by jjoelc (1589361) on Tuesday February 02, 2010 @05:28PM (#31001468)

        Easy, just go to "jailbreaking for dummies dot com", enter your credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. It will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!

        • by DarkAxi0m (928088)

          Um, your link didn't work...

          I've got dad's credit card here ready to go..

          !!! I WaNT MY PHoNE TO BE CooLER THaN ALL THE OTHeRS!!! ONE!!! ELEVEN

      • Re:Heh (Score:5, Informative)

        by kybur (1002682) on Tuesday February 02, 2010 @05:30PM (#31001480)
        Certain settings can be changed on an iPhone just based on links/downloads clicked on from within Safari (on the device). That is how iPhone OS 3.0.x users could enable tethering without jailbreaking their phones. It was just a settings file that could be downloaded. I believe it was unsigned, but now, apparently, it would be easy to make it look like an Apple-signed file.
        • Re:Heh (Score:4, Insightful)

          by Sechr Nibw (1278786) on Tuesday February 02, 2010 @05:50PM (#31001664)
          Easy?

          As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

          You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

          • Re: (Score:1, Insightful)

            by Anonymous Coward

            "Apple Computer, Inc" is now "Apple, Inc". So obviously any certificate from "Apple Computer" (with or without the "Inc") would be a fake.

            • Re: (Score:3, Insightful)

              by nstlgc (945418)
              If you think this is obvious, you haven't met the horde of users that still believe CNN and Microsoft work together to announce viruses.
          • Re:Heh (Score:5, Funny)

            by Dishevel (1105119) * on Tuesday February 02, 2010 @06:02PM (#31001816)
            Oh nos! You have to fool someone? Now it will never work.
            • by Swift2001 (874553)

              This is actually a well-known attack on the certificate companies. Something to do with a maliciously-crafted certificate application. Can't remember the details.

              Verisign and the rest should be catching this.

              No "malicious software remover" is going to find anything wrong with this certificate at all. Time for Verisign to step up.

              But I know you guys are too obsessed with bashing Apple to actually think straight.

          • Re: (Score:3, Interesting)

            by Oooskar (806935)

            As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

            You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

            Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make it clear that the organization name it displays isn't a validated one.

            • by Swift2001 (874553)

              The certificate is from Verisign! Are you saying the iPhone shouldn't trust Verisign? Once the certificate is issued, nothing's going to reliably catch it unless Verisign wises up and revokes it.

          • by Sir_Lewk (967686)

            You have to fool VeriSign first

            Yeah, that's what we said. Easy.

  • by Anonymous Coward on Tuesday February 02, 2010 @05:14PM (#31001266)

    Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
    ***NO CARRIER***

  • C'mon, everyone knows that Apple products are impervious to viruses. ....bahahahahaha
    • Re: (Score:3, Informative)

      by Anonymous Coward
      Except this isn't a self-replicating binary, so no, it's not a virus. /pedant
      • by sopssa (1498795) *

        Viruses are so 90's on all operating systems anyway. Most malware nowadays comes via vulnerabilities like exploits, or in this case a vulnerability in the certificate system.

        • by toadlife (301863)

          Most malware nowadays comes via vulnerabilities like exploits

          Most malware these days is spread via social engineering. Go to a random AV vendor's site and look at the top ten viruses for Windows. At any given time, most of them will be worm/trojan combos that spread via social engineering. Checking McAfee's site [mcafee.com] right now, it looks like three of the top ten actually spread via exploits.

      • Re:IMPOSSIBLE (Score:5, Insightful)

        by pclminion (145572) on Tuesday February 02, 2010 @07:42PM (#31002864)
        A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.
    • Re: (Score:1, Troll)

      by Ziwcam (766621)
      Still not a virus. Fake edit: Bah, beat by someone who didn't bother to log in.
  • "You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable."

    Sounds terrible :)

    Seriously though, I've been wondering why there have been so few vulnerabilities on the iPhone.

    • Re:yikes! (Score:5, Interesting)

      by Voyager529 (1363959) <voyager529@@@yahoo...com> on Tuesday February 02, 2010 @05:38PM (#31001546)

      My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.

      • by 0xdeadbeef (28836)

        Which means there have actually been many exploits for the iPhone.

        • by AHuxley (892839)
          But who is using them and why no chatter?
          Most of the time, wouldn't the tools be sold, bragged about or just shown so they can be built on by others to make better tools?
          • Re: (Score:3, Interesting)

            by Voyager529 (1363959)

            But who is using them and why no chatter?

            Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the

    • Seriously though, I've been wondering why there have been so few vulnerabilities on the iPhone.

      Me too. I guess my days of carelessly visiting untrustworthy but hott websites on my iphone and then clicking on whatever popups came up without bothering to read it are over.

      It's a fetish, alright? I like clicking on buttons while looking at pictures of goats. Don't judge me.

    • The SMS vulnerability makes up for it in my opinion.
    • by BitZtream (692029)

      The part you quoted is rather untrue.

      You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable.

      Right up until they hold down the power and home button for a few seconds and wipe the device. Plug it in to the PC, restore, done.

      This isn't a vulnerability in the phone, it is by design.

      You can argue that it's a design flaw, but it's a direct result of features requested by users. Everything about this exploit is a direct result

  • So I guess that if you can route outbound web traffic through any server you like, you can phish login details and who knows what else?
  • 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

    That's it? Who'd be dumb enough to fall for t#1$j213!%
    NO CARRIER
    • by exomondo (1725132)
      If the average person downloads a file - obviously with the intention of opening it - and is told that the file is verified by Apple, then I think it's pretty obvious that a LOT of people would be susceptible to this kind of attack.
      • by v1 (525388)

        You can't download and run apps on your iphone, you have to get them from the app store, unless you've jailbroken it.

        And if you can't be smart enough to figure out what apps are safe to open, you shouldn't have jailbroken it in the first place.

        • by exomondo (1725132)
          I should have worded that differently... rather, goes to a website and opens a link.
          • by v1 (525388)

            Does the link cause the iPhone to download and launch the downloaded app, or is it a browser-executed thing like an SWF, or is it using an overflow bug in a browser system like the recent TIFF vulnerability, or how does it manage to get into an execution/interpretation chain?

    • Re:No danger... (Score:5, Informative)

      by dgatwood (11270) on Tuesday February 02, 2010 @06:00PM (#31001784) Journal

      I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

      Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.

      The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that [amug.org]. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.

      • by Nerdfest (867930)

        everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

        Yeah, because nobody would tolerate that.

      • Re: (Score:3, Insightful)

        by nstlgc (945418)
        Hello, my name is Steve Jobs and I would like to thank you for defending my honour.
  • Wasn't that the problems with tethering non-jailbroken phones?

  • Don't worry (Score:4, Funny)

    by CSHARP123 (904951) on Tuesday February 02, 2010 @05:35PM (#31001514)
    Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Are you sure that's a good thing?

    • by Attherd (1389213)
      I was under the impression that Norton needed more processing power than the iPhone could provide.
      • Re: (Score:1, Redundant)

        Norton needs more processing power than any PC could provide.

      • Re: (Score:1, Redundant)

        by sopssa (1498795) *

        Norton needs more processing power than anything could provide.

      • As long as the virus database has only one entry in it Norton will be fine.
      • by greyline (1052440)
        Sounds like Norton is the Chuck Norris of AV software.
        • Re: (Score:3, Funny)

          Indeed. Symantec hired Chuck Norris to compile Norton. He glared at the code and it compiled itself out of fear. Chuck Norris can also overflow any buffer.
          • If Chuck Norris compiled the bag of excrement that is Norton, it would be a much better piece of software. No false positives, no slowdown, no invasive abuse of network drivers. It would just set the desktop background to a picture of Chuck giving a roundhouse kick to AIDS with the slogan

            VIRUSES: GTFO

            I mean come on! Let's be sensible about this.
        • Closer to the Ron Popeil!
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Nortan Anti-Virus software is now available for iPhone too.

      Buying knock offs again, eh?

    • by gemada (974357)

      Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)

      I am not sure if you intentionally or unintentionally spelled Norton wrong. Either way your comment is still funny.

  • by metamatic (202216) on Tuesday February 02, 2010 @06:00PM (#31001790) Homepage Journal

    ...the iPhone controls what software you're allowed to run, to keep it secure. Otherwise it would suffer from exploits like this one.

    • The question is: Secure from whom? ^^

      The only one who should not be trusted with controlling the device, according to Apple, seems to be the person who “owns” it! ;)
      And that’s OK, because their still buying it anyway is proof that they love it.

      Yeah baby! Spank me! Spank me hard with that DRM! Woohooo!!! ;))

  • Apple released a security update for the iPhone and iPod Touch [apple.com] today.

    Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).

    • by prockcore (543967)

      Son of a... that means another 2.5 gigabyte download to update the SDK. I hope whoever it is at Apple that doesn't believe in binary diffs dies in a fire.

    • Apple released a security update for the iPhone and iPod Touch [apple.com] today.

      Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).

      Nothing about malicious OTP files in there anywhere; I don't think this latest thing has been addressed. It would surprise me if Apple (or any other computer company) could move that fast to fix a vulnerability.

  • by icydog (923695) on Tuesday February 02, 2010 @06:16PM (#31001968) Homepage
    The "attack" in TFA doesn't mention anything necessarily specific to the iPhone. The attackers got Verisign to sign a cert with the name "Apple Computer." That is a social engineering problem, not a security implementation flaw of the iPhone.

    I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.
    • The other part of the attack deals with the iPhone in that it can change the mobileconfig file and allow the attacker to set the HTTP proxy. Then make it so you cannot remove the new config file.

    • by exomondo (1725132) on Tuesday February 02, 2010 @08:10PM (#31003200)

      The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.

      Yes it does:

      The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate

    • I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.

      what the hell's an iPad? an iPod from Boston?

  • by rickb928 (945187) on Tuesday February 02, 2010 @06:33PM (#31002174) Homepage Journal

    I'm getting a little uneasy with SSL. Nothing is safe.

  • Initial (anonymous) author of TFA here:

    Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will sure be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As me

    • The issue is completely on Apple for trusting a certificate
      Um, sorry, but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.
      Level 1 certificate statuses
      I didn't see exactly what you are talking about here either, but perhaps I mis-interpreted it.
      • by exomondo (1725132)

        Um, sorry, but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.

        It's not without verification, there are different levels of verisign certificates and Apple sees no problem with accepting the lowest and least-trustworthy certificate.

        • Verisign, as any other Certificate Authority, delivers various certificates with different trust levels. If you decide to trust somebody coming with a Level 1 temporary certificate issued without any verification you are in trouble. If you trust this same person to change some of your phone settings you are begging for trouble.

      • by Rennt (582550)

        I think the point is that you are SUPPOSED to be able to get a temporary unverified cert. They are just not supposed to be trusted by the client.

        The problem is the iPhone accepts unverified certs as verified, which really sounds like Apple's screw up.
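        As an added example (not code from the thread, the article, VeriSign or Apple), the trust decision argued about in dgatwood's post above and in Rennt's reply here, in Python: accept a pinned signer, reject CA validation classes that verify no identity at all, and treat a vendor-name check only as a last heuristic, since lookalike names such as "Apple 1nc." defeat a plain regex. The policy OIDs, root name, fingerprints and signer records are constructed placeholders, not real certificate data.

        ```python
        """Added example: a profile-signer acceptance policy for config profiles.
        Every identifier below is constructed for illustration; a real device would
        take the signer fields from the parsed leaf certificate of the profile."""
        import hashlib
        import re
        import unicodedata

        # Constructed: SHA-256 fingerprints of signer certs the device owner has pinned.
        PINNED_SIGNERS = {hashlib.sha256(b"constructed-corp-mdm-signer-der").hexdigest()}
        # Constructed root name standing in for "chains to a trusted root".
        TRUSTED_ROOTS = {"Constructed Root CA"}
        # Placeholder policy OIDs standing in for the CA's validation classes
        # (assumption: a "Level 1"-style class checks no organisation identity).
        ORG_VALIDATED_POLICIES = {"2.999.1.3"}
        UNVALIDATED_POLICIES = {"2.999.1.1"}

        # Digit/punctuation lookalikes that turn "App1e 1nc." into "apple lnc".
        LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l", "!": "i"})


        def normalize_name(name):
            """Fold compatibility forms, case and common lookalike glyphs, keep letters only."""
            folded = unicodedata.normalize("NFKC", name).translate(LOOKALIKES).lower()
            return " ".join(re.sub(r"[^a-z ]+", " ", folded).split())


        def looks_like_vendor(org, vendor="apple"):
            """True when the organisation name leads with the platform vendor's name."""
            words = normalize_name(org).split()
            return bool(words) and words[0] == vendor


        def evaluate_profile_signer(signer):
            """Return (accept, reason) for a profile signed by the given signer record.
            signer: dict with keys der, issuer_root, policy_oid, org (all constructed)."""
            fingerprint = hashlib.sha256(signer["der"]).hexdigest()
            if fingerprint in PINNED_SIGNERS:
                return True, "pinned signer"
            if signer["issuer_root"] not in TRUSTED_ROOTS:
                return False, "chain does not end at a trusted root"
            if signer["policy_oid"] in UNVALIDATED_POLICIES:
                return False, "CA did not validate the subject identity"
            if signer["policy_oid"] not in ORG_VALIDATED_POLICIES:
                return False, "unknown validation policy"
            if looks_like_vendor(signer["org"]):
                return False, "subject name imitates the platform vendor"
            return True, "org-validated signer: " + signer["org"]


        # Constructed signer records covering the cases the thread discusses.
        SAMPLES = {
            "level1_lookalike": {"der": b"constructed-demo-cert", "issuer_root": "Constructed Root CA",
                                 "policy_oid": "2.999.1.1", "org": "Apple Computer"},
            "ov_lookalike": {"der": b"constructed-ov-cert", "issuer_root": "Constructed Root CA",
                             "policy_oid": "2.999.1.3", "org": "Apple 1nc."},
            "corp_mdm": {"der": b"constructed-corp-mdm-signer-der", "issuer_root": "Constructed Root CA",
                         "policy_oid": "2.999.1.1", "org": "Example Corp IT"},
            "other_ov": {"der": b"constructed-bank-cert", "issuer_root": "Constructed Root CA",
                         "policy_oid": "2.999.1.3", "org": "Example Bank"},
        }

        if __name__ == "__main__":
            for label, signer in SAMPLES.items():
                accept, reason = evaluate_profile_signer(signer)
                print(f"{label:18} accept={accept!s:5} {reason}")
        ```

        The pinned corporate signer is accepted even though its CA class validates nothing, because the owner pinned it; the unpinned "Level 1" signer is refused before any name is looked at.
        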

  • enabling him to man-in-the-middle SSL traffic from that phone

    So "man-in-the-middle" is a verb now, huh?

  • the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer.
    From the article it looks like Verisign is the problem here.
    • Wrong, the Apple Computer part is just to confuse the user, not to enable the attack. They could've just used Apple 1nc. and some people would still think it's sanctioned by Apple.

      • Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.
        • Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.

          Wrong.. you're looking at Apple Inc.

  • Wrong title? (Score:2, Informative)

    by jma05 (897351)
    This is a vulnerability, not an attack that has happened. Vulnerabilities can *potentially* lead to attacks. The title implies that it had already happened. AFAIK, testing vulnerabilities is not termed an attack; only when they are exploited by a malicious third party.
  • I've configured our local office WAP with WPA2-Enterprise and PEAP. I have to support this setup on a variety of machines.

    Windows machines (depending on the configuration) typically refuse to connect unless the root certificate presented is trusted first. Unfortunately the error is typically quite unhelpful, but at least it operates in a safe way. It's also not too obvious how to import certificates for non-techies.

    GNU/Linux machines running NetworkManager such as Ubuntu IMHO do the right thing - warn if t

  • This goes to show that Apple's policy of locking down applications to only come from Apple's own store has done nothing to make its iPhone more secure. It's perhaps unlucky that a white hat researcher found the flaw first, as Apple needs someone to shock it out of its "Apple appliances only use Apple-allowed code" policy.

    ---

    Mobile Phones [feeddistiller.com] Feed @ Feed Distiller [feeddistiller.com]

    • by Swift2001 (874553)

      Funny, wasn't the open and wonderful Google app store the victim of an app that contained malware in the opening week?

  • Interestingly, I checked out the link; a lot of these certs are MD5. http://support.apple.com/kb/HT3580 [apple.com]
  • So now I guess everyone is going to talk about how secure Windows Mobile is because there aren't so many exploits targeting it? It's simply a matter of market share. In the PC space, Windows is #1 so there are more high profile attacks against it. In the mobile space, the iPhone is killing the competition so people are attacking it. The only thing surprising about these types of attacks to me is that they only seem to make headlines in the geek press. An issue like this targeting a desktop (no matter who mak
  • The chatter about how "insecure" the Mac is, supposedly, is deafening in the pro-Windows and pro-Linux circles. Since 99.99% of Mac, iPhone, etc., users have never experienced this horrible invasion by malware, they think you're nuts.

    Security is a huge problem for anyone using the Internet. It seems that Windows, after years of utter nightmare, may be locking things up, though each month, it seems, there's new updates. But the biggest vector this year is expected to be Adobe: Flash and Reader are incredibly
