Network News

X My Profile
View More Activity

iPhone Exploits Revealed

Black Hat

LAS VEGAS -- Two methods that could allow criminals to break into and steal data from Apple's iPhone were demonstrated Thursday here at the Black Hat hacker conference.

Charlie Miller, a researcher with Independent Security Evaluators, had warned Apple more than two weeks ago that he would present his findings at the annual security conference. In an unusually quick turnaround, Apple responded Tuesday with updates to plug both security holes.

In his talk, however, Miller emphasized that there appears to be an abundance of other ways to compromise the iPhone, due to the fact that the iPhone's Safari Web browser was designed in part with the help of open source computer code that contains well-documented security flaws discovered more than a year ago.

While that still-vulnerable component can be fixed, Miller said there are fundamental design flaws with the iPhone that could well lead to further trouble for Apple in the months ahead.

For example, one of the key elements of securing computer code involves a process known as "randomization." In executing attacks against software, virus writers typically seek to exploit software vulnerabilities that then write the malicious code to very specific portions of a computer's memory. By randomizing or dynamically shifting memory address spaces each time the system boots up, software makers can significantly hamper the ability of viruses and worms to successfully hit their intended target. (Address space randomization was touted as one of the key security defense mechanisms that Microsoft built into Windows Vista.)

But Miller said the iPhone does not employ such techniques, which he said potentially provides hackers with a predictable and reliable roadmap to compromising the device.

While Miller's exploits were designed to run on the iPhone, the same vulnerabilities are present in unpatched Safari for Mac OS X systems and the beta version of Safari for Windows (these also were patched in the massive security update shipped by Apple earlier this week.)

Miller said he plans to publish the details of his research on his Web site later today.

By Brian Krebs  |  August 3, 2007; 1:39 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: New Tool Automates Webmail Account Hijacks
Next: Letter From Hackerdom: Not the Same Old DEF CON, Black Hat

Comments

Apple's attitude towards security is about to bite them in the behiney. bizarre

Posted by: David | August 3, 2007 2:25 PM | Report abuse

One must be dumb enough to permit this exploit, which I suppose some are. How many people are going to go to some bogus website in their daily business? Compared to other devices, my iPhone seems to be extremely secure. Jealousy, green-eyed and whining, and a hacker exploiting the publicity for personal gain, that's all I see here.

Posted by: Phil | August 3, 2007 4:08 PM | Report abuse

I'm not sure what David means about "Apples attitude towards security." They're generally quite responsive for a commercial software firm when they told about issues, and more innovative than most when larger challenges come up. And they give back to those opens source communities they leverage and build into their products.

It isn't like anybody produces unexploitable software. And it isn't like Apple has a particularly notable record of refusing to fix issues identified.

Launched products -- for anything from washing machines to cell phones to computers -- are usually just the last round of testing, whether any company wants to admit that or not. QA and other pre-launch testing can only catch so much.

Posted by: M | August 3, 2007 4:16 PM | Report abuse

I found a interesting bug (depending on your perspective) in Safari 3.03 yesterday. I was allowed to log into Yahoo! Mail with cookies set to "never accept cookies." I found this odd because Yahoo Mail requires acceptance of cookies, so I closed the browser, re-opened and "Reset Safari" to ensure that all tracks had been cleared. Then I made sure "never" was still the cookie acceptance option. Once again, I was able to log into Yahoo! Mail. So, just to make sure it wasn't a Yahoo issue, I ran a browser analysis at privacy.net. In this test, Safari allowed all cookies to be set, both persistent and session, yet under preferences > Security - "show cookies" claims there are no cookies.

Posted by: Tom | August 3, 2007 5:16 PM | Report abuse

@Phil:

Avoiding "bogus" sites is always a good idea but that doesn't mean you are 100% "safe". There have been a large number of reputable sites used as vectors, either because they were hacked directly or used ad-providers who got hacked.

For example, the Superbowl ticket site was hacked earlier this year, as covered in this very blog: http://blog.washingtonpost.com/securityfix/2007/02/official_superbowl_site_pushin.html

I'm sure I'd feel safe-ER using an iPhone than IE just because it's a less attractive target other than as a publicity stunt. But if it gets anywhere near as popular as Apple wants it to I'd start worrying about Apple's attitude toward security flaws and security researchers.

Posted by: Dan | August 3, 2007 6:00 PM | Report abuse

@Phil: fanboy. It takes a lot of cheek to call an NSA security researcher what you just did. You owe him an apology. And you own Brian an apology for posting this fanboy nonsense at his blog.

@M: how do you define "generally responsive"? As in waiting since February 2005 - before Tiger - to upgrade the regex library and only doing so because Charlie Miller threatened to unleash the exploit? You can that "generally responsive"? You need to go back to school and learn to use language more properly.

@Tom: send the bug to Apple. They will deal with it. Or at least should. Hopefully faster than the two and one half years for the regex blooper.

Posted by: Brendon | August 3, 2007 9:45 PM | Report abuse

Actually, Krebs has been hostile to Apple since he got caught up in that bogus 'we are hacking Apple's Wi-Fi (Oops! We forgot to say we're using a third-party Wi-Fi card)' fiasco last year. Put him in the Hall of Shame right along with his beloved hackers. Krebs irresponsibly reported the inflated claims of the hackers and ended up looking very foolish.

http://news.com.com/8301-10784_3-6107384-7.html

Furthermore, Apple's patch of the iPhone vulnerability was rather fast. It may have even been quicker, since that patch was rolled in with other updates. Maybe Apple waited until it had the whole batch ready, meaning its motivation for the time of release was not necessarily Black Hat.

OS X's security may be imperfect, but no one -- hostile hackers, Krebs, Microsoft, trolls -- can disprove that it is many times better than the competition's.

Posted by: Podesta | August 4, 2007 7:09 AM | Report abuse

Actually, BK has been quite circumspect since that episode you mention, IMHO.

I see nothing wrong with this story, from either the "hackers" actions, which obviously were of a different caliber than your usual suspects this time, nor from Apple's response so far.

Although the Mac environment is currently head and shoulders above wintel a far as safety is concerned, (For a combination reasons, the relative importance of which is futile to argue about.) I have no doubt in my mind that with the release of Safari on Wintel, and less so on the iphone, Apple is entering a brave new world of vulnerability that will tax their best efforts on keeping a lid on malware.

It will be interesting to follow.

Posted by: cbum | August 4, 2007 7:43 AM | Report abuse

Tom, have you seen the same type of behaviour you found in Safari 3.0.3 - i e, permitting cookies despite their ostensibly having been turned off - in other popular browsers, like recent releases of Firefox, IE, Opera, etc ?...

Henri

Posted by: mhenriday | August 4, 2007 12:49 PM | Report abuse

It's amazing that people still deny that Apple had vulnerabilities in their wireless drivers. If only you could run iPods on the power of deniability, no one would ever need new batteries... ;^)

Posted by: antibozo | August 4, 2007 2:08 PM | Report abuse

@ Podesta:
You're such a tool. Such a fanboy tool. No more need be said. Let's just hope what you got's not contagious.

Posted by: Brendon | August 4, 2007 2:37 PM | Report abuse

@mhenriday:
There's another matter with Safari. It promises to only use cookies "from sites you navigate to". This has never worked correctly. You get cookies from all over the place - you get "dot" cookies and more.

Posted by: Brendon | August 4, 2007 2:41 PM | Report abuse

It's worth noting that part of the reason Apple was able to so quickly release a patch is that Miller provided it to them. He gave them the exploit and the patch and asked the patch to be released before BH. Claiming that Apple was really on top of security matters misses this key fact. (See Forbes article and interview with Miller.)

Posted by: Bean | August 4, 2007 5:04 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company