New iPhone Attack Kills Apps, Reroutes Web Traffic
Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"
Heh (Score:5, Funny)
::cue "see, Apple isn't perfect" comments::
See? Apple isn't perfect!
Re: (Score:3, Insightful)
Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.
Re: (Score:2)
which is why a many-layered approach to security is necessary
So you're saying that I should run my iPhone in an emulator on an OS/X installation running in a Parallels image hosted on a VirtualBox machine running Windows 7, in turn running on a Beowulf cluster of Linux boxen?
I can't imagine it fitting in a jacket pocket.
Re: (Score:1, Troll)
No, they state that they are more secure. I don't think I've ever seen someone claim they are invulnerable. That would be foolish. That said, the issue here seems to be with Verisign issuing a certificate for Apple Computer, not with the phone OS itself. At some point you have to trust your root certificate credentials.
Why did they hand out a certificate like this?
Re: (Score:1, Funny)
Linux and MacOS are indeed invulnerable.
See? Now you have.
Re: (Score:2, Interesting)
It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.
Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...
Re: (Score:1)
It doesn't matter if OS X is completely open and exposed with no protection at all. If it's not being infected, it is by definition, more secure.
Sorry, that's a ridiculous thing to say. Analogy: I lock my front door, my next door neighbour doesn't lock theirs. My lock is forced and my house broken into. Next door is not broken into. Therefore it is, by definition, more secure to leave your door unlocked...
No, you misunderstand the analogy. It's more like you live in Ciudad Juarez, Mexico. You have a gate around your house with alarm system and hired security on site 24/7, while I live in small town VT and don't lock my door and my neighbors all have a key anyhow. Who is more secure?
Re: (Score:1, Flamebait)
As for physical access of self install, have a look at
http://www.iantivirus.com/threats/ [iantivirus.com]
Nice long list but few are 'I was just surfing the net and
No chatter in forums, irc, slashdot etc.
So someone must be keeping Mac hack sites very much as a needs to know or the spooks want people to trust Macs
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
A site that sells antivirus software claiming there are a lot of dangerous viruses? But wait, there's more! Your PC is infected! Click here [cknow.com] for your free virus scan! Act before it's too late! ;)
A good read of computer history on Wikipedia if anyone is interested: http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]
Re: (Score:3, Interesting)
I think that almost everyone on slashdot also mentions that security is a process, not a product. The process is so much simpler on Linux, that Windows can't be compared.
Oh - wait - am I feeding one of those Windows shills? Never mind - carry on - act as if I never said anything.
Re: (Score:1)
iPhone OS (known as OS X or OS X iPhone in its early history) is the operating system for the iPhone, iPad and iPod touch from Apple Inc.[3][4]
It was derived from Mac OS X, with which it shares the Darwin foundation
Re: (Score:3, Interesting)
Re:Heh (Score:5, Funny)
Easy, just go to "jailbreaking for dummies dot com" enter your credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. It will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!
Re: (Score:1)
Um your link didnt work...
ive got dads credit card here ready to go..
!!! I WaNT MY PHoNE TO BE CooLER THaN ALL THE OTHeRS!!! ONE!!! ELEVEN
Re:Heh (Score:5, Informative)
Re:Heh (Score:4, Insightful)
As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer
You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
Re: (Score:1, Insightful)
"Apple Computer, Inc" is now "Apple, Inc". So obviously any certificate from "Apple Computer" (with or without the "Inc") would be a fake.
Re: (Score:3, Insightful)
Re:Heh (Score:5, Funny)
Re: (Score:2)
This is actually a well-known attack on the certificate companies. Something to do with a maliciously-crafted certificate application. Can't remember the details.
Verisign and the rest should be catching this.
No "malicious software remover" is going to find anything wrong with this certificate at all. Time for Verisign to step up.
But I know you guys are too obsessed with bashing Apple to actually think straight.
Re: (Score:3, Interesting)
As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer
You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make it clear that it isn't a validated organization name it publishes.
Re: (Score:2)
The certificate is from Verisign! Are you saying the iPhone shouldn't trust Verisign? Once the certificate is issued, nothing's going to reliably catch it unless Verisign wises up and revokes it.
Re: (Score:2)
Yeah, that's what we said. Easy.
Thank Ghod I run Windows (Score:5, Funny)
Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
***NO CARRIER***
Re: (Score:1)
Re: (Score:1)
I have a Moto Q (Win Mobile 6). It does everything I need a phone to do, including retrieving email and information (web pages). It still amazes me how many people who are otherwise intelligent geeks keep on chugging the Apple Koolaid.
Any phone except the USD20-30 Nokias can do email and http with opera. The problem lies in user experience. I have seen how my friend uses his Samsung Omnia, requiring him to press that minuscule "windows" button on the top left with his nail, so his finger wouldn't touch anything else in the screen. That windows button then churns out a text menu with small fonts, that were packed so close together, causing him to have to use his nail again to press one of them. It's annoying.
Re: (Score:2)
I've used a Win Mobile (5) and it did everything I wanted a phone to do and more. I've anecdotally found the iphone to be more stable, quicker and easier to use. Why is it koolaid chugging to decide one product does what you want it to better than another?
IMPOSSIBLE (Score:1, Funny)
Re: (Score:3, Informative)
Re: (Score:2)
Viruses are so 90's on all operating systems anyway. Most malware nowadays comes via vulnerabilities like exploits, or in this case a vulnerability in the certificate system.
Re: (Score:2)
Re:IMPOSSIBLE (Score:5, Insightful)
Re: (Score:1, Troll)
yikes! (Score:2)
"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable."
Sounds terrible :)
Seriously though, I've been wondering why there have been so few vulnerabilities on the iphone.
Re:yikes! (Score:5, Interesting)
My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.
Re: (Score:2)
Which means there have actually been many exploits for the iPhone.
Re: (Score:2)
Most of the time would the tools be sold, bragged about or just shown to be built on by others to make better tools?
Re: (Score:3, Interesting)
But who is using them and why no chatter?
Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the
Re: (Score:2)
Seriously though, I've been wondering why there have been so few vulnerabilities on the iphone.
Me too. I guess my days of carelessly visiting untrustworthy but hott websites on my iphone and then clicking on whatever popups came up without bothering to read it are over.
It's a fetish, alright? I like clicking on buttons while looking at pictures of goats. Don't judge me.
Re: (Score:2)
Re: (Score:2)
The part you quoted is rather untrue.
Right up until they hold down the power and home button for a few seconds and wipe the device. Plug it in to the PC, restore, done.
This isn't a vulnerability in the phone, it is by design.
You can argue that it's a design flaw, but it's a direct result of features requested by users. Everything about this exploit is a direct result
Phishing (Score:2)
No danger... (Score:2)
That's it? Who'd be dumb enough to fall for t#1$j213!%
NO CARRIER
Re: (Score:1)
Re: (Score:2)
You can't download and run apps on your iphone, you have to get them from the app store, unless you've jailbroken it.
And if you can't be smart enough to figure out what apps are safe to open, you shouldn't have jailbroken it in the first place.
Re: (Score:1)
Re: (Score:2)
does the link cause the iphone to download and launch the downloaded app, or is it a browser-executed thing like an SWF, or is it using an overflow bug in a browser system like the recent TIFF vulnerability, or how does it manage to get into an execution/interpretation chain?
Re: (Score:1)
Re:No danger... (Score:5, Informative)
I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.
Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.
The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that [amug.org]. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.
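The name check weighed in the comment above, set beside a check keyed on whether the issuer validated the name at all, as an added example that is not part of the thread or of Apple's code. The `Signer` type and its `identity_validated` flag are hypothetical, and the sample signers are constructed.

```python
import re
from dataclasses import dataclass

# The two company-name patterns quoted in the comment above.
NAME_DENYLIST = [
    re.compile(r"^\s*Apple\s*$", re.IGNORECASE),
    re.compile(r"^\s*Apple\s*Computer\s*$", re.IGNORECASE),
]


@dataclass(frozen=True)
class Signer:
    """Hypothetical view of a profile's signing certificate."""
    name: str                 # name the install prompt would display
    identity_validated: bool  # assumption: True only if the CA verified the name


def denylist_allows(signer: Signer) -> bool:
    """Name-based check: reject only names matching the quoted patterns."""
    return not any(p.match(signer.name) for p in NAME_DENYLIST)


def prompt_label(signer: Signer) -> str:
    """Validation-based check: an unvalidated name is never shown as verified."""
    if signer.identity_validated:
        return f"Signed by {signer.name} (Verified)"
    return "Unverified signer: name was not checked by the issuer"


def slips_past_denylist(signers):
    """Unvalidated signers that the name check alone would still accept."""
    return [s.name for s in signers
            if not s.identity_validated and denylist_allows(s)]


# Constructed sample signers; none comes from a real certificate.
SAMPLES = [
    Signer("Apple Computer", False),
    Signer("  apple   COMPUTER ", False),
    Signer("Apple 1nc.", False),       # look-alike name mentioned in the thread
    Signer("Example Bank", False),     # any other brand a user might trust
    Signer("Example Corp IT", True),   # validated organisation
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name!r:24} denylist_ok={denylist_allows(s)!s:5} -> {prompt_label(s)}")
    print("accepted by name check but unvalidated:", slips_past_denylist(SAMPLES))
```

The denylist stops only the exact names it lists, while the validation-based label treats every unvalidated signer the same way regardless of the name it carries.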
Re: (Score:2)
everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.
Yeah, because nobody would tolerate that.
Re: (Score:3, Insightful)
Can that be used to sign ipcc and enable tethering (Score:2, Insightful)
Wasn't that the problems with tethering non-jailbroken phones?
Don't worry (Score:4, Funny)
Re: (Score:1, Insightful)
Are you sure that's a good thing?
Re: (Score:1)
Re: (Score:1, Redundant)
Norton needs more processing power than any PC could provide.
Re: (Score:1, Redundant)
Norton needs more processing power than anything could provide.
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Funny)
Re: (Score:2)
VIRUSES: GTFO
I mean come on! Let's be sensible about this.
Re: (Score:2)
Re: (Score:1, Funny)
Nortan Anti-Virus software is now available for iPhone too.
Buying knock offs again, eh?
Re: (Score:2)
Re: (Score:1)
Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)
I am not sure if you intentionally or unintentionally spelled Norton wrong. Either way your comment is still funny.
Thank goodness... (Score:4, Funny)
...the iPhone controls what software you're allowed to run, to keep it secure. Otherwise it would suffer from exploits like this one.
Re: (Score:2)
The question is: Secure from whom? ^^
The only one who should not be trusted with controlling the device, according to Apple, seems to be the person who “owns” it! ;)
And that’s OK, because them still buying it anyway, is proof that they love it.
Yeah baby! Spank me! Spank me hard with that DRM! Woohooo!!! ;))
2/2/2010 iPhone Patch (Score:1)
Apple released a security update for the iPhone and iPod Touch [apple.com] today.
Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).
Re: (Score:2)
Son of a... that means another 2.5 gigabyte download to update the SDK. I hope whoever it is at Apple that doesn't believe in binary diffs dies in a fire.
Re: (Score:2)
Apple released a security update for the iPhone and iPod Touch [apple.com] today.
Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).
Nothing about malicious OTP files in there anywhere, I don't think this latest thing has been addressed. It would surprise me if Apple (or any other computer company) could move that fast to fix a vulnerability.
How is this related to the iPhone? (Score:4, Insightful)
I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.
Re: (Score:1)
The other part of the attack deals with the iphone in that it can change the mobileconfig file and allow the attacker to set the HTTP proxy. Then make it so you cannot remove the new config file.
Re: (Score:1)
I don't really know what the specifics were, but this is the quote from the end of the article (yeah, I guess I never should have expected slashdot users to read the article)
"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file,"
Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.
Re: (Score:1)
Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.
So do a hell of a lot of viruses, trojans and malware, and they all perpetuate even without the added assurance of a trusted certificate.
Re:How is this related to the iPhone? (Score:4, Insightful)
The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.
Yes it does:
The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate
iPad? (Score:2)
I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.
what the hell's an iPad? an iPod from Boston?
Is this really an SSL attack? (Score:3, Interesting)
I'm getting a little uneasy with SSL. Nothing is safe.
Re: (Score:2)
It has EVERYTHING to do with SSL. It points out the weakness in the system. Root certificate authorities are part of the SSL ecosystem, without root CAs SSL is effectively useless.
With shitty root authorities, like VeriSign, SSL is effectively worthless.
Someone needs to wipe them and network solutions off the face of the Earth.
Too much sensationalism? (Score:2, Interesting)
Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will sure be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As me
Re: (Score:2)
Um sorry but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.
Level 1 certificate statuses
I didn't see exactly what you are talking about here either, but perhaps I mis-interpreted it.
Re: (Score:1)
Um sorry but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.
It's not without verification, there are different levels of verisign certificates and Apple sees no problem with accepting the lowest and least-trustworthy certificate.
Re: (Score:1)
Verisign, as any other Certificate Authority, delivers various certificates with different trust levels. If you decide to trust somebody coming with a Level 1 temporary certificate issued without any verification you are in trouble. If you trust this same person to change some of your phone settings you are begging for trouble.
Re: (Score:2)
I think the point is that you are SUPPOSED to be able to get a temporary unverified cert. They are just not supposed to be trusted by the client.
The problem is the iPhone accepts unverified certs as verified, which really sounds like Apple's screw up.
MITM (Score:2)
enabling him to man-in-the-middle SSL traffic from that phone
So "man-in-the-middle" is a verb now, huh?
Um maybe not Apple's problem.... (Score:1, Troll)
From the article it looks like Verisign is the problem here.
Re: (Score:1)
Wrong, the Apple Computer part is to just confuse the user, not to enable the attack. They could've just used Apple 1nc. and some people would still think it's sanctioned by Apple.
Re: (Score:2)
Re: (Score:1)
Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.
Wrong.. you're looking at Apple Inc.
Wrong title? (Score:2, Informative)
Apple doesn't take certificates seriously (Score:1)
I've configured our local office WAP with WPA2-Enterprise and PEAP. I have to support this setup on a variety of machines.
Windows machines (depending on the configuration) typically refuse to connect unless the root certificate presented is trusted first. Unfortunately the error is typically quite unhelpful, but at least it operates in a safe way. It's also not too obvious how to import certificates for non-techies.
GNU/Linux machines running NetworkManager such as Ubuntu IMHO do the right thing - warn if t
App lockdown and security (Score:2)
Re: (Score:2)
Funny, wasn't the open and wonderful Google app store the victim of an app that contained malware in the opening week?
MD5 certs ... (Score:1)
Why not bigger news? (Score:1)
"No Chatter" (Score:2)
The chatter about how "insecure" the Mac is, supposedly, is deafening in the pro-Windows and pro-Linux circles. Since 99.99% of Mac, iPhone, etc., users have never experienced this horrible invasion by malware, they think you're nuts.
Security is a huge problem for anyone using the Internet. It seems that Windows, after years of utter nightmare, may be locking things up, though each month, it seems, there's new updates. But the biggest vector this year is expected to be Adobe: Flash and Reader are incredibly