Security Firm Reveals iPhone Vulnerability




j/k/Andy
Jul 22, 2007, 07:45 PM
link (http://www.drudgereport.com/flash6.htm)

FLAW LETS HACKERS EXPLOIT IPHONE, FIRM SAYS
Sun Jul 22 2007 16:03:45 ET

A team of computer security consultants say they have found a flaw in APPLE's popular new iPhone that allows them to take control of the device!

The researchers, working for Independent Security Evaluators, will report on Monday how they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code.

Developing...

or http://www.drudgereport.com/



chrisdazzo
Jul 22, 2007, 07:47 PM
that was the most excited post of the day. CAPS CAPS CAPS!

good thing i don't have an iphone, though, if this IS true.

bigmac4ever
Jul 22, 2007, 07:50 PM
Ouch... I'm so very glad I didn't give up my Treo 700wx for the Apple joke of the year. I did come close though.

mkrishnan
Jul 22, 2007, 07:51 PM
Is this the same as or different from the SPI-announced web dialing issue (http://www.macnn.com/articles/07/07/17/iphone.web.dialing.flaws/)?

It would be overly generous to call the Drudge report article uninformative, and the referenced company's website is shockingly even less informative... nor does this seem to have been carried by anyone other than the Drudge Report as of yet, which seems a bit odd to me....

bxlewi1
Jul 22, 2007, 07:58 PM
Is this the same as or different from the SPI-announced web dialing issue (http://www.macnn.com/articles/07/07/17/iphone.web.dialing.flaws/)?

It would be overly generous to call the Drudge report article uninformative, and the referenced company's website is shockingly even less informative... nor does this seem to have been carried by anyone other than the Drudge Report as of yet, which seems a bit odd to me....

Well, it being a Sunday and all - it's not terribly surprising it's nowhere but Drudge (the man never sleeps.)

Dermot81
Jul 22, 2007, 08:02 PM
From the few links up at Drudge on the iphone, most have been negative. Pretty biased reporting.

j/k/Andy
Jul 22, 2007, 08:06 PM
it is a classic Drudge flash, short and sweet, but more often than not he gets it nearly right. Sorry for the all caps (copy and paste error).

DMK
Jul 22, 2007, 08:13 PM
From the few links up at Drudge on the iphone, most have been negative. Pretty biased reporting.

The Drudge Report is biased ?! what a shocker. :rolleyes:

kkachurak
Jul 22, 2007, 09:08 PM
IMO, the Drudge Report has the same journalistic integrity as a tabloid.

Littlebit
Jul 22, 2007, 10:20 PM
The New York Times is reporting about it, as well...

http://www.nytimes.com/2007/07/23/technology/23iphone.html

MacRumors
Jul 22, 2007, 10:24 PM

The NY Times (http://www.nytimes.com/2007/07/23/technology/23iphone.html) reports that researchers at the security firm Independent Security Evaluators have announced that they have found a vulnerability in the Apple iPhone that allows them to extract personal information and "take control" of the device from a malicious website or WiFi connection:
The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.

The company has set up a website (http://www.exploitingiphone.com/) which provides a video demo of the exploit as well as answers to questions, but does not provide would-be hackers any detailed instructions. Apple has reportedly been notified of the findings. A full disclosure of the hack will be released at the Black Hat (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-index.html) conference on August 2nd.

According to the site, in their proof of concept, the exploit can read the log of SMS messages, address book, call history, voicemail data and transmit it to the malicious site.

The principal security analyst admits "It's not the end of the world; it's not the end of the iPhone" and it appears it hasn't changed their enjoyment of the iPhone itself. Even the security firm's founder states that while he may be more cautious about using a random public WiFi network, "you'd have to pry it out of my cold, dead hands to get [the iPhone] away from me."




Article Link (http://www.macrumors.com/2007/07/22/security-firm-reveals-iphone-vulnerability/)

dfnj123
Jul 22, 2007, 10:26 PM
looks like apple better come out with a firmware update fast

jjarmoc
Jul 22, 2007, 10:29 PM
Well, this should be fun. I'll be out at blackhat watching this one anxiously, with an iphone in my pocket the whole time.. heh

I'll hold off on judging this until we see some details of what exactly they've found.

twoodcc
Jul 22, 2007, 10:29 PM
looks like apple better come out with a firmware update fast

yeah they need to. and i'm sure that they will

coumerelli
Jul 22, 2007, 10:31 PM
Here's the deal - don't go to random websites that present themselves to you. Simple. I also don't go to dark alleys...at night...by myself....with my iPhone. I just don't. Now, I'm not saying this isn't important, but my parents didn't raise no dummy. It's called caution. :eek:

JPyre
Jul 22, 2007, 10:32 PM
Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

retroneo
Jul 22, 2007, 10:33 PM
This is great, you can check to see if your girlfriend is cheating on you without even asking! Just SMS her the link to your specially modified site, and then you can see her call history and messages!

or

This is bad, now my girlfriend can check to see if I am cheating on her without even asking! She just SMSes me the link to her specially modified site, and she can see my call history and messages!

nimbuscloud
Jul 22, 2007, 10:37 PM
Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

Actually, you can. I'm listening to Depeche Mode while replying to your comment...all from my iPhone.

:apple:

jjarmoc
Jul 22, 2007, 10:38 PM
Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

Uhhh.. that feature's always worked fine for me.

Analog Kid
Jul 22, 2007, 10:42 PM
One of the risks of building this on a full OS X platform. Good news is that any fixes made to the desktop or iPhone should benefit the other...

anaknipedro
Jul 22, 2007, 10:43 PM
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.

badtzmaru
Jul 22, 2007, 11:01 PM
at least we know an iphone update is coming before, or around, august 2!!

ErikGrim
Jul 22, 2007, 11:02 PM
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.

Why would this be FUD? Unlike the other recent claims of OS X worms and not to mention the whole Month of OS X bugs debacle, these are "ethical" hackers, disclosing the information to Apple FIRST so that they can issue a fix before releasing the information to the general public.

These kind of independent security analyses actually benefit the end user rather than harm them. There's no FUD here at all. Read their FAQ.

Lancetx
Jul 22, 2007, 11:04 PM
I'll bet Apple gets a fix out there before this August 2nd conference occurs. I'm not alarmed, as this will get fixed soon enough. In the meantime though, I'll just make sure not to connect to any unknown wi-fi networks.

badtzmaru
Jul 22, 2007, 11:05 PM
before anyone says "this is impossible" visit the firm's website and read their preliminary paper (ignore the part about the iphone being released on june 28 ;)

http://www.securityevaluators.com/

dfnj123
Jul 22, 2007, 11:06 PM
we should all really be happy about this. It points out a flaw made by apple that they can now fix.

~Shard~
Jul 22, 2007, 11:12 PM
This was bound to happen and shouldn't come as a surprise to anyone - especially not with a complicated device such as the iPhone. Apple has been made aware and they will no doubt address the vulnerability immediately.

I'm sure this is only the first of many security issues as well, but again, as long as Apple addresses them seriously and in a timely manner I don't think iPhone users should be too worried about anything.

coolfactor
Jul 22, 2007, 11:29 PM
we should all really be happy about this. It points out a flaw made by apple that they can now fix.


It's not a flaw _made_ by Apple. It's a flaw _missed_ by Apple. Big difference.

Dippo
Jul 22, 2007, 11:35 PM
If this "virus" is for real, then it could be considered a 3rd party app.

So then it should be possible to run other 3rd Party apps on the iPhone.
Maybe it is good news in disguise.

Personally, I think it is fake.

sunday888
Jul 22, 2007, 11:39 PM
Drudge is an idiot.

Maui
Jul 22, 2007, 11:44 PM
Anything with the word "iPhone" in it is going to get tons of press. It is the price for Apple's hyper-successful marketing campaign.

SC68Cal
Jul 22, 2007, 11:46 PM
This is why you don't run everything as Root

macrumors12345
Jul 22, 2007, 11:50 PM
Personally, I think it is fake.

It's not a fake. One of the principal analysts at the company is a friend of mine (he told us about this hack two days ago), not to mention a devoted Apple fan (and fulltime iPhone user).

The hack is definitely real (and it's not really a virus in the sense that it doesn't self-replicate - it's just an exploitable flaw that allows arbitrary code execution). That said, it really doesn't make a significant difference (though Apple should, and undoubtedly will, fix it). Unless you lock your iPhone with a passcode (which would be a major PITA), it's an inherently insecure device and should be treated as such. This hack doesn't give someone substantially more information than they could get by just pick-pocketing your iPhone or finding your lost iPhone. In other words, don't store anything on your iPhone (or any phone) that you feel must stay confidential.

Any limitations Apple puts on 3rd party apps are more likely for *reliability* than security. The iPhone is - like all cell phones - an inherently insecure device.

Spizzo
Jul 22, 2007, 11:52 PM
Already posted on front page.

http://forums.macrumors.com/showthread.php?t=332792

corywoolf
Jul 23, 2007, 12:00 AM
It makes you wonder if watching that YouTube video (of the exploit) on your iPhone would make your iPhone explode in confusion? :eek: ;)

33scottie33
Jul 23, 2007, 12:15 AM
How the exploit works

1. An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point.

Unless they set up APs across the world, this is no big issue. The odds are slim too, seeing that it has to be the same SSID and encryption type. Not to mention the range of WiFi.

2. A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread.

Stick with major, trusted forums like macrumors.


3. A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.

This can happen to any computer or device that connects to the Internet if you are not careful. Also, we all know not to click on links we are not familiar with or are unsolicited.
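The first scenario in the post above (an attacker-controlled access point with the same name and encryption type as one the user already trusts) comes down to what the device keys its auto-join decision on. The following is an added illustration, not code from this thread or from Independent Security Evaluators, and it does not reproduce the iPhone's real join logic: it compares a name-plus-security-type policy, as the quoted FAQ describes, with an assumed stricter policy that also pins the BSSID the user originally joined, and reports impersonating APs. The `ScanResult` and `KnownNetwork` records, the security labels and the scan data are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    """One access point visible in a scan (constructed fields)."""
    ssid: str
    bssid: str       # AP MAC address
    security: str    # "open" / "wep" / "wpa" (constructed labels)
    rssi: int        # signal strength in dBm; higher is stronger


@dataclass(frozen=True)
class KnownNetwork:
    """A network the user joined before, with the BSSID seen at that time."""
    ssid: str
    security: str
    bssid: str


def _strongest(candidates):
    return max(candidates, key=lambda r: r.rssi, default=None)


def auto_join_by_name(known, scan):
    """Name-only policy, as the quoted FAQ describes it: any AP whose SSID and
    security type match a remembered network is eligible; the strongest wins."""
    remembered = {(k.ssid, k.security) for k in known}
    return _strongest(r for r in scan if (r.ssid, r.security) in remembered)


def auto_join_pinned(known, scan):
    """Assumed stricter policy (not the iPhone's): the BSSID must also match
    the one recorded when the user first joined."""
    remembered = {(k.ssid, k.security, k.bssid.lower()) for k in known}
    return _strongest(
        r for r in scan if (r.ssid, r.security, r.bssid.lower()) in remembered
    )


def evil_twin_candidates(known, scan):
    """APs that impersonate a remembered network: same SSID and security
    type, but a BSSID the user never associated with."""
    by_name = {}
    for k in known:
        by_name.setdefault((k.ssid, k.security), set()).add(k.bssid.lower())
    return [
        r for r in scan
        if (r.ssid, r.security) in by_name
        and r.bssid.lower() not in by_name[(r.ssid, r.security)]
    ]


# Constructed scan: the user's real home AP, an impersonator that is closer
# (stronger signal) with the same name and security type, and an unrelated
# open hotspot.
KNOWN = [KnownNetwork("HomeNet", "wpa", "00:11:22:33:44:55")]
SCAN = [
    ScanResult("HomeNet", "00:11:22:33:44:55", "wpa", -72),
    ScanResult("HomeNet", "de:ad:be:ef:00:01", "wpa", -41),
    ScanResult("CoffeeShop", "aa:bb:cc:dd:ee:ff", "open", -60),
]

if __name__ == "__main__":
    print("name-only policy joins:", auto_join_by_name(KNOWN, SCAN).bssid)
    print("pinned policy joins:   ", auto_join_pinned(KNOWN, SCAN).bssid)
    print("impersonators:", [r.bssid for r in evil_twin_candidates(KNOWN, SCAN)])
```

Under the name-only policy the impersonator wins simply because it is closer; pinning the BSSID keeps the device on the real AP. BSSIDs can be spoofed, so pinning only raises the attacker's cost rather than removing the risk, and it does nothing for a user who deliberately joins an unknown open network.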

egdiroh
Jul 23, 2007, 12:16 AM
Depending on what they mean by arbitrary code, could this be used to open up the iphone to the home brew software crowd?

I'd love to get a native terminal+ssh or IM client on my phone. Then it would let me roam free from my laptop more.

inkswamp
Jul 23, 2007, 12:19 AM
Actually, you can. I'm listening to Depeche Mode while replying to your comment...all from my iPhone.

Um... he said music.







I kid. I kid. :D

SC68Cal
Jul 23, 2007, 12:26 AM
Unless they set up APs across the world, this is no big issue. The odds are slim too, seeing that it has to be the same SSID and encryption type. Not to mention the range of WiFi.

That's just one way. If you just join an open network, you get the same risks. You're missing the point.

Stick with major, trusted forums like macrumors.


Then how do you explain the author of the Oompa virus targeting this website for distribution?

It's not about "trusted" forums. Security does not rely on "trust" and "let's go to only certain parts of the internet, because surely they can't be a target" and tinfoil hats. Good lord!

This can happen to any computer or device that connects to the Internet if you are not careful. Also, we all know not to click on links we are not familiar with or are unsolicited.

Most viruses spread through infected documents that trusted sources exchange between one another. Viruses don't rifle through your Outlook Address book for the sheer enjoyment of it.

This is like Gruber trying to talk about computer security. It's just a symptom of the thinking of Mac users. None of you ever worry about security problems, you all think it's just something that windows has to worry about. Get a grip on reality here people. (http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/)
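The second scenario in the post quoted above (a forum that lets posts carry arbitrary markup) is a stored script-injection problem on the forum's side, which is why "stick to trusted forums" is not a defence: the forum software itself has to refuse the payload, whoever the author is. As an added example, not code from this thread or from any real forum software, here is the difference between rendering a post verbatim and rendering it through an allowlist sanitizer. The tag allowlist, the URL scheme policy and the sample post are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the only markup a post may keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}   # relative links are dropped too; loosen if needed
# Elements whose text must be discarded as well, not just their tags.
DROP_CONTENT = {"script", "style"}


def render_unfiltered(post: str) -> str:
    """The misconfigured forum: the post body goes into the page verbatim."""
    return post


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds a post keeping only allowlisted tags/attributes and escaping
    all text, so nothing an author typed can run as script in a reader's browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []        # allowlisted tags currently open
        self._skipping = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in DROP_CONTENT:
            self._skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag; its text is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # no onclick=, style=, src=, ...
            value = value or ""
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue                # blocks javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a" and not kept:
            return                      # an anchor with no safe href is just text
        self._out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in self._open:
            # Close anything opened after it as well, so the output stays well-formed.
            while self._open:
                closed = self._open.pop()
                self._out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._skipping:
            self._out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self._open:
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def render_sanitized(post: str) -> str:
    """The corrected forum: every post passes through the allowlist first."""
    sanitizer = _AllowlistSanitizer()
    sanitizer.feed(post)
    return sanitizer.result()


# Constructed post: benign formatting mixed with three injection attempts.
CONSTRUCTED_POST = (
    'Hello <b>world</b> '
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com">ok</a>'
    '<iframe src="http://attacker.invalid/"></iframe>'
)

if __name__ == "__main__":
    print(render_unfiltered(CONSTRUCTED_POST))
    print(render_sanitized(CONSTRUCTED_POST))
```

The allowlist approach matters more than the particular tag set: a denylist that strips `<script>` still lets an `<iframe>`, an `onerror=` handler or a `javascript:` link through, and those are exactly the vehicles a browser exploit rides in on. Comments, declarations and unknown tags are dropped by the parser's default handlers.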

Dippo
Jul 23, 2007, 12:45 AM
It's not a fake. One of the principal analysts at the company is a friend of mine (he told us about this hack two days ago), not to mention a devoted Apple fan (and fulltime iPhone user).

The hack is definitely real ...

Nevermind.

SC68Cal
Jul 23, 2007, 12:48 AM
If the "hack" is so real and you are really friends with one of the analysts, why don't you get the web address so that we can see for ourselves!

I still think it is fake.


You're missing the point. By your logic, we should only worry about security vulnerabilities after there's already a virus/exploit running rampant through our systems. Hello? Is there anyone home?

EDIT: Apparently not. After writing this little gem, it is beyond me why anyone would seriously listen to anything you have to say.

This one is straight from Steve's mouth...

Apple is going to buy Microsoft.
If you think that I am kidding, just keep reading...

Link (http://forums.macrumors.com/showthread.php?t=57320)

Who ever said this is a joke, this is really going to happen, just wait and see.

TheNumberOneFan
Jul 23, 2007, 01:01 AM
they could say anything and us die-hard apple fans would go on using our phones

"and years of studies have shown that the iPhone, when used for prolonged periods, leads to an acute case of melanoma with common symptoms of explosive diarrhea..."

:apple: i love my phone

Analog Kid
Jul 23, 2007, 01:05 AM
Thanks for saving me the trouble of replying to this-- something about the bold blue font seemed to require this kind of response... I might have been a little softer, but that's just me...
That's just one way. If you just join an open network, you get the same risks. You're missing the point.

Or setting up outside a particularly high-traffic Starbucks (not that Starbucks customers don't have it coming...), or a company of interest.

Then how do you explain the author of the Oompa virus targeting this website for distribution?

It's not about "trusted" forums. Security does not rely on "trust" and "let's go to only certain parts of the internet, because surely they can't be a target" and tinfoil hats. Good lord!

Most viruses spread through infected documents that trusted sources exchange between one another. Viruses don't rifle through your Outlook Address book for the sheer enjoyment of it.

This is like Gruber trying to talk about computer security. It's just a symptom of the thinking of Mac users. None of you ever worry about security problems, you all think it's just something that windows has to worry about. Get a grip on reality here people.
The only thing I'd add is that security shouldn't rely on trust, but trust adds a layer of security in an insecure world.

It's that trust that can be exploited though. Everyone thinks they're too smart to click on an unsolicited link, but if I got an SMS that appeared to come from my wife telling me to look at a website, I probably would.

33scottie33
Jul 23, 2007, 01:14 AM
This vulnerability is stupid just like the rest that will come after this one. BTW, I'm sure only .0001% of iPhones would be affected anyway.

If the iPhone was not so popular, we would not be having this discussion. They just want to make a name for themselves.

rjlawrencejr
Jul 23, 2007, 01:33 AM
I'm sorry. You're a total idiot. For real.

Hey, I realize this is 2007 and all but what happened to civility? I am glad you know your stuff and I am sure your suggestions are on target, but your lack of tact and maturity is shameful.

I don't necessarily intend to be the courtesy patrol, but I would hope you realize you can correct someone without resorting to name calling.

Go ahead and flame me if you feel so inclined, but I am sure your responses will be taken that much more seriously when you show you can still respect people even if you are positive they are totally off-base.

SC68Cal
Jul 23, 2007, 01:34 AM
"Dolt", ha, thank you for exposing your first name to all of us.

It's not like I went out of my way to hide it. It's not like I do some published writings every now and then, or participate on a mailing list where my full name is used. Not going to score any points there my friend.

What a useless post! This vulnerability is stupid just like the rest that will come after this one. BTW, I'm sure only .0001% of iPhones would be affected anyway.

If the iPhone was not so popular, we would not be having this discussion. They just want to make a name for themselves.

1) No, it's not 0000.1% of iPhones that will be affected. You have no idea what you're talking about. All iPhones contain the same OS environment. It's called mass production. Get with the program here.

2) Apple doesn't have the luxury of saying "well, if we weren't so popular we'd be better off, not having these pesky security issues." You don't run prime time ad campaigns and then expect everyone to not look into your backyard.

SC68Cal
Jul 23, 2007, 01:41 AM
Hey, I realize this is 2007 and all but what happened to civility? I am glad you know your stuff and I am sure your suggestions are on target, but your lack of tact and maturity is shameful.


Hey, I'm just trying to drag people kicking and screaming out of the groupthink and out into the world. We need to move beyond the whole "invulnerability" myth and dismiss things that we don't understand.

Yes, I'm nasty, yes I speak my mind, yes I'm sure many don't like it. I hope nobody loses sleep over what I say, because that's not the point.

ajhill
Jul 23, 2007, 02:09 AM
Independent Security Evaluators

Gee, wonder who pays their bills. Someone named Bill perhaps?

Never trust any group that tries to tell you that they are independent in the title of the organization.

Who are these jokers, and is this as SERIOUS as the Duke University denial of service attack that the iPhone was supposedly responsible for, that later turned out to be a Cisco router problem?

And still they attack Apple Inc. All the way up to $300/share and beyond...

bdj21ya
Jul 23, 2007, 02:18 AM
Actually, you can. I'm listening to Depeche Mode while replying to your comment...all from my iPhone.

:apple:

I can certainly understand what he's saying, iPod stops playing ALL THE TIME when I'm browsing, or just using the iPhone for other things. Also, Safari crashes over nothing, the same site will work fine on one load, then cause Safari to crash the next time. Safari needs to be able to handle more sites reliably without crashing. I notice this happens especially frequently if I scroll before a page finishes loading. FSJ's site seems to cause quite a lot of problems.

eyebye
Jul 23, 2007, 02:28 AM
Independent Security Evaluators

Gee, wonder who pays their bills. Someone named Bill perhaps?

Never trust any group that tries to tell you that they are independent in the title of the organization.

Who are these jokers, and is this as SERIOUS as the Duke University denial of service attack that the iPhone was supposedly responsible for, that later turned out to be a Cisco router problem?

And still they attack Apple Inc. All the way up to $300/share and beyond...

These "jokers" include Charles Miller, a computer science PhD, formerly under the employ of the NSA. Ahem, and you are, who?

rob@robburns.co
Jul 23, 2007, 02:57 AM
These "jokers" include Charles Miller, a computer science PhD, formerly under the employ of the NSA. Ahem, and you are, who?

The PhD may be impressive, but the "under the employ of the NSA" simply demonstrates he'd sell his soul to anyone. :) So who's he selling his soul to now?

arn
Jul 23, 2007, 03:11 AM
Gee, wonder who pays their bills. Someone named Bill perhaps?

And still they attack Apple Inc. All the way up to $300/share and beyond...

Let's try to tone down the blind apple loyalty.

If you read the article, you'd see these people aren't particularly anti-Apple and realistically toned down the long term implications. But that doesn't exclude the fact that this appears to be a real and serious issue which will likely be patched by Apple before August 2nd.

arn

Evangelion
Jul 23, 2007, 03:48 AM
It's not a flaw _made_ by Apple. It's a flaw _missed_ by Apple. Big difference.

No, that is not a "big difference". Besides: which company wrote the software (OS X) that has this bug? I believe the name starts with "A" and ends with "e".

PowerFullMac
Jul 23, 2007, 05:08 AM
OS X seems to have started attracting more hackers, I think we are lucky it was researchers and not black hat hackers who discovered this.

iAmLegend
Jul 23, 2007, 05:43 AM
Yeah...I'm not worried about this.

Now back to playing with my amazing iPhone :)

Nall
Jul 23, 2007, 06:56 AM
Ouch... I'm so very glad I didn't give up my Treo 700wx for the Apple joke of the year. I did come close though.
You think flaws in phones are a new thing? They're not, they just usually don't make important news headlines.

That said, wonder if this will change Apple's schedule for the next update.

33scottie33
Jul 23, 2007, 07:13 AM
I have just found a new way to take control of YOUR iPhone!!!

Ship it to me along with your passcode if you have set one up!

Seriously though, I heard on the radio this morning that the company was paid by Apple to exploit the iPhone.

spimp31
Jul 23, 2007, 07:41 AM

What's with calling this "fake" or suggesting MS is paying this firm off? They OWN iPhones just like many of us. I'm sure they have the same concerns as I do.

This exploit is pretty minimal in the grand scheme of things. Two issues though:
1. iPhone users shouldn't think their super phone provides security above and beyond a Treo or BlackBerry, and also realize this device will be highly targeted.
2. The NYT and media on the whole will misreport and exaggerate stories like this to generate fear and negative buzz about the most hyped consumer electronic device of this century. I heard this story on the radio then pulled up MR and kinda chuckled. Insecure wifi APs open you up? Following strange URLs even from trusted contacts without proper explanation is a bad practice? Some of this is personal security 101.

rob@robburns.co
Jul 23, 2007, 07:44 AM
Let's try to tone down the blind apple loyalty.

If you read the article, you'd see these people aren't particularly anti-Apple and realistically toned down the long term implications. But that doesn't exclude the fact that this appears to be a real and serious issue which will likely be patched by Apple before August 2nd.

arn

I read the article and the PDF. I would say they do not come across as particularly anti-Apple. However, they do come across as particularly touting a Microsoft party line. They claim the reason Apple's Mac OS X is more secure (when compared to Windows) is only because it is on fewer computers. While there may be some truth to that as a factor, that's a sentiment that directly reflects Microsoft's propaganda campaign and it's touted without any qualification. The article also mentions add-on style security measures similar to those used by Microsoft and doesn't mention other sensible security-by-design steps that Apple does take (at least on the desktop), that make these other measures less important.

So, I imagine they found some vulnerabilities. However, often times the tactic is to tout these huge security holes which hit the press hard. Then in a month when it comes time to put up or shut up, the press has already forgotten about the whole ordeal and the PR hitmen can simply slink back into their hole.

Finally, the last claim seems to be a big tipoff. If they're actually injecting javascript code to use as an audio recorder and sending voice over the network connection as an exploit (a javascript exploit), why don't they ship these apps, because there are a lot of iPhone users who have been clamoring for these features.

WildPalms
Jul 23, 2007, 08:00 AM
It's not a fake. One of the principal analysts at the company is a friend of mine (he told us about this hack two days ago), not to mention a devoted Apple fan (and fulltime iPhone user).

The hack is definitely real (and it's not really a virus in the sense that it doesn't self-replicate - it's just an exploitable flaw that allows arbitrary code execution). That said, it really doesn't make a significant difference (though Apple should, and undoubtedly will, fix it). Unless you lock your iPhone with a passcode (which would be a major PITA), it's an inherently insecure device and should be treated as such. This hack doesn't give someone substantially more information than they could get by just pick-pocketing your iPhone or finding your lost iPhone. In other words, don't store anything on your iPhone (or any phone) that you feel must stay confidential.

Any limitations Apple puts on 3rd party apps are more likely for *reliability* than security. The iPhone is - like all cell phones - an inherently insecure device.

So, I'm looking on the website, looking for other examples of exploits exhibiting this company's work... and I'm not seeing it. I see a couple of blurbs from CEOs and mission statements... but no other exploits that this company has found.

Strikes me that this company is using the iPhone and this 'so called' flaw as a vehicle for cheap self promotion.

Digitalclips
Jul 23, 2007, 08:55 AM
Even the security firm's founder states that while he may more cautious about using a random public WiFi network, "you'd have to pry it out of my cold, dead hands to get [the iPhone] away from me."


I think this says a lot, considering the source. Wildpalms' theory (above) also seems to be a strong possibility.

Evangelion
Jul 23, 2007, 08:59 AM
I read the article and the PDF. I would say they do not come across as particularly anti-Apple. However, they do come across as particularly touting a Microsoft party line.

They are?

They claim the reason Apple's Mac OS X is more secure (when compared to Windows) is only because it is on fewer computers.

Do you know for a fact that they are wrong in making such a claim? No you do not. So how can you question their claims, since you do not have any hard facts to back up your own viewpoint?

While there may be some truth to that as a factor, that's a sentiment that directly reflects Microsoft's propaganda campaign and it's touted without any qualification.

So they and Microsoft share a common viewpoint on some issue, it automatically means that "they are touting Microsoft's party-line!"? By same logic: since Hitler was a vegetarian, and Steve Jobs doesn't eat meat either, does that mean that SJ is "touting Hitler's party-line"?

The article also mentions add-on style security measures similar to those used by Microsoft and doesn't mention other sensible security-by-design steps that Apple does take (at least on the desktop), that make these other measures less important.

Well, in recent years Microsoft HAS been improving the security of their software at the design-level as well, as opposed to just bolting on firewalls and antivirus-tools.

So, I imagine they found some vulnerabilities.

So you are saying that their findings are genuine? So what are you complaining about then? Because they make Apple look bad? because they said something partially unrelated that you disagree with?

rdrr
Jul 23, 2007, 09:06 AM
at least we know an iphone update is coming before, or around, august 2!!

There may be an update coming soon, but I betcha it will be a security fix only, and not an enhancement/bug fix.

macnews
Jul 23, 2007, 09:10 AM
Unlike other "hacks" in the past, how this was posted (i.e. contacting Apple first, not telling other people how to do it when you posted, and seeming to not just bash Apple but rather going out of their way to defend Apple - comment about protecting the revenue model) I think these guys are for real and just trying to make the iPhone better and safer for everyone.

I find it interesting the same hack potential exists in Safari on OSX and Windows. This is all good to know and I hope it does get fixed soon. Also notice they will plan on releasing details of how they did this. Not all hackers have been so willing to do so, often leaving out key details which only serves to seriously question if the hack really exists (i.e. the "wireless" hack - was it just third party wireless or did they ever prove this works on the built in wireless?)

dejo
Jul 23, 2007, 09:17 AM
Unlike other "hacks" in the past, how this was posted (i.e. contacting Apple first, not telling other people how to do it when you posted, and seeming to not just bash Apple but rather going out of their way to defend Apple - comment about protecting the revenue model) I think these guys are for real and just trying to make the iPhone better and safer for everyone.
Isn't it considered better etiquette to wait a period of time for a response from the notified (i.e Apple in this case) before making any public announcement? We don't know when they first notified Apple but I find it hard to believe Apple has been given ample time to respond before this vulnerability was publicized.

overcast
Jul 23, 2007, 09:25 AM
Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

Yeh you're right, Apple has just been holding out on adding additional features, waiting for a Security issue to get them going. :rolleyes: The issue would be addressed and that's it.

Peace
Jul 23, 2007, 09:51 AM
This sounds more like a Safari vulnerability than the iPhone specifically.

Still serious but fixable. The quicker Apple fixes it the better off they are going to be. This report is spreading like wildfire and I'd guess has caused some people to not purchase one.




This is the reason I am personally opposed to Apple doing web 2.0 apps. They are asking for trouble with this vulnerability being web based. Put out an iPhone dev kit Apple!!..

Cleverboy
Jul 23, 2007, 09:57 AM
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.

:mad: Wow. I love my iPhone, but when I commented on the last security problem, it seemed that the most interested response was from someone trying to *downplay* the problem... for no clear benefit either. :confused: It was clear to me then, that if Apple wasn't looking for this type of problem, then there's probably many other things one could do. I was tempted to actually do a test run on a series of things I could imagine to be insecure (based on the fact that the existing bug hadn't been caught, so related exploits might not be either), but I had better things to do. Apple needs to update this, or it's all downhill on security from here. :(

NOTICE TO iPHONE APOLOGISTS: Don't make excuses. Say NOTHING if you can't stop dismissing serious problems. Understand what FUD is. It's not "real problems", its fear and doubt surrounding nothing. It's clear the existing exploit was not "NOTHING"! Downplaying the problem only encourages people to make a much more damaging headline to have it taken seriously.

~ CB

fastbite
Jul 23, 2007, 10:09 AM
This sounds more like a Safari vulnerability than the iPhone specifically.

Still serious but fixable. The quicker Apple fixes it, the better off they are going to be. This report is spreading like wildfire and I'd guess has caused some people to not purchase one.

Yes, it is spreading like mad. And anybody desiring a new angle to criticize the iPhone will be feeling pretty happy. So the sooner they sort it out the better.

w00master
Jul 23, 2007, 11:44 AM
The fanboy-ism on these forums sometimes astounds me. It's really amazing to me that some people on here really cannot find or *refuse* to find *ANYTHING* wrong (or potentially wrong) with Apple and their products.

Absolutely amazing. GET YOUR HEAD OUT OF THE SAND.

w00master

KingYaba
Jul 23, 2007, 12:14 PM
If one does not critique their favorite company, their loyalty does not exist. :cool:

w00master
Jul 23, 2007, 12:28 PM
If one does not critique their favorite company, their loyalty does not exist. :cool:

Well said.

w00master

33scottie33
Jul 23, 2007, 12:36 PM
Well said.

w00master

Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.

In this society, the only thing people like to see more than a company reaching its zenith is to see it fall.

w00master
Jul 23, 2007, 12:39 PM
Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.

In this society, the only thing people like to see more than a company reaching its zenith is to see it fall.

No, it's just that once a "flaw" is mentioned for *any* Apple product, there are people that come out of the Macrumors woodwork and cry that there is some sort of incredible conspiracy.

Sorry, but I just don't see a "conspiracy" in this instance, and it's something that Apple *should* fix, and their users should recognize the importance of security, which *many* on here continue to deny.

w00master

33scottie33
Jul 23, 2007, 12:51 PM
Sorry, but I just don't see a "conspiracy" in this instance, and it's something that Apple *should* fix, and their users should recognize the importance of security, which *many* on here continue to deny.

w00master

Don't worry, I'm sure Apple has already fixed the issue and we'll get the update soon. As of now, it's not an issue unless you are within WiFi range of this hacker's location. Besides, it's been reported that Apple paid them to do this anyway.

Peace
Jul 23, 2007, 12:53 PM
***snippet***

Besides, it's been reported that Apple paid them to do this anyway.


link please?

Analog Kid
Jul 23, 2007, 01:14 PM
2. The NYT and media on the whole will misreport and exaggerate stories like this to generate fear and negative buzz about the most hyped consumer electronic device of this century.
It's kind of the purpose of the NYT and news organizations to inform people. I'd be much more critical of the Times if they didn't report this. It's important to know if insecurities exist so you can behave accordingly. It's also important for potential buyers to weigh the risks of a purchase.
So, I'm looking on the website, looking for other examples of exploits exhibiting this company's work... and I'm not seeing it. I see a couple of blurbs from CEOs and mission statements... but no other exploits that this company has found.

Strikes me that this company is using the iPhone and this 'so called' flaw as a vehicle for cheap self promotion.
In the same breath you're criticizing the company for not promoting other flaws found and then criticizing them for promoting this one... Of course they're promoting their work here, that's what companies do-- otherwise people look at their websites and say "they don't seem to have done anything"... If they're a new group and this is the first they've done, there's all the more reason to try and get their name out there. This doesn't suggest their claims are invalid at all...
Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.
If being able to extract all of your personal details and potentially be able to initiate calls isn't significant, what *do* you consider a significant flaw?

This is the reason I am personally opposed to Apple doing web 2.0 apps. They are asking for trouble with this vulnerability being web based. Put out an iPhone Dev kit, Apple!!..

I was thinking the same thing, but this doesn't look like it's a legitimate 2.0 app-- rather it's crashing Safari and executing native code. If you provide a native code dev kit, you're just making this kind of attack that much easier. If Safari were more stable, it would act as a reasonable firewall from the underlying system-- which is what web based apps are meant to do.

Java still strikes me as a reasonable alternative though...

Someone mentioned above that everything on the phone appears to run with admin privileges, and that seems to be the case. That's something they should change if they can do so. This is an embedded device, but it has a window to the network. Besides, it would be kind of cool to be able to fast-user-switch your phone...

rob@robburns.co
Jul 23, 2007, 01:15 PM
I read the article and the PDF. I would say they do not come across as particularly anti-Apple. However, they do come across as particularly touting a Microsoft party line.

They claim the reason Apple's Mac OS X is more secure (when compared to Windows) is only because it is on fewer computers. While there may be some truth to that as a factor, that's a sentiment that directly reflects Microsoft's propaganda campaign and it's touted without any qualification. The article also mentions add-on style security measures similar to those used by Microsoft and doesn't mention other sensible security-by-design steps that Apple does take (at least on the desktop), that make these other measures less important.


They are [touting the Microsoft party line]?

Yes, I would say they are.

Do you know for a fact that they are wrong in making such a claim? No you do not. So how can you question their claims, since you do not have any hard facts to back up your own viewpoint?

Yes, I know for a fact. The security differences between Mac OS X and Windows are striking. Certainly the fact that Mac OS X is a minority OS is significant, but to state it in a wholly one-sided way is to tout the Microsoft party line.

So if they and Microsoft share a common viewpoint on some issue, it automatically means that "they are touting Microsoft's party-line!"? By the same logic: since Hitler was a vegetarian, and Steve Jobs doesn't eat meat either, does that mean that SJ is "touting Hitler's party-line"?

If you say so.

Well, in recent years Microsoft HAS been improving the security of their software at the design-level as well, as opposed to just bolting on firewalls and antivirus-tools.

Sure, they have. And in recent years Microsoft has been engaging in these PR hit jobs too.

So, I imagine they found some vulnerabilities. However, oftentimes the tactic is to tout these huge security holes which hit the press hard. Then in a month, when it comes time to put up or shut up, the press has already forgotten about the whole ordeal and the PR hitmen can simply slink back into their hole.

So you are saying that their findings are genuine? So what are you complaining about then? Because they make Apple look bad? Because they said something partially unrelated that you disagree with?

No, I don't care if they make Apple look bad. I have no doubt there are serious bugs in the iPhone. The crashing apps attest to that. And Apple should be embarrassed about that. Also, if these are real exploits, Apple should be embarrassed about that. However, the claims made are a bit far fetched (and I noticed you truncated that part of my message; repeated below), because they're claiming they're using Javascript to enable functionality (through an exploit) that no one else has been able to enable with the user's permission. Recording and communicating voice over the internet is functionality many would love to have on their iPhone through Web 2.0 apps. It's just not going to happen because Javascript does not support that. Yet these folks claim they did it with Javascript because they found an exploit? Be real.

Finally, the last claim seems to be a big tipoff. If they're actually injecting Javascript code to use as an audio recorder and sending voice over the network connection as an exploit (a Javascript exploit), why don't they ship these apps, because there are a lot of iPhone users who have been clamoring for these features.

33scottie33
Jul 23, 2007, 01:20 PM
***snippet***

link please?

I heard it on WTOP news (www.wtop.com) this morning on my way to work, but I can't find anything posted on their website.

However, I did find this comment:

"These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered," the researchers wrote in a whitepaper. They said they were unwilling to divulge any more details about the exploits until the Black Hat security conference in Las Vegas in August, because Apple was only notified of their research findings on 17 July.
http://news.zdnet.co.uk/security/0,1000000189,39288165,00.htm

Apple knew about this last week; seems like an established relationship to me.

Black Belt
Jul 23, 2007, 01:26 PM
I'd been predicting this since Apple snubbed the developers and opted for web scripting, which is inherently dangerous. Making an open call and inviting extensively scripted websites to be created for the iPhone was a result of Apple being completely naive about the security environment. OSX had never been a real target for real hackers but the iPhone just made it irresistible and will open up the incentive to exploit both the iPhone and as a result, the Mac. Enjoy!

33scottie33
Jul 23, 2007, 01:30 PM
If being able to extract all of your personal details and potentially be able to initiate calls isn't significant, what *do* you consider a significant flaw?

Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

The government has the ability and the right to turn on your cell receiver or initiate a call if they want.

Black Belt
Jul 23, 2007, 01:33 PM
Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.

In this society, the only thing people like to see more than a company reaching its zenith is to see it fall.

Uh, flaws that endanger my personal information and my personal computer network are way significant enough! And the flaws come from an arrogance toward security and computing in general. If they fall, it is from that.

Black Belt
Jul 23, 2007, 01:36 PM
Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

Hardly! Maybe only computers running Safari, it is trivial for me to protect myself from this with Firefox. What's different is that you have been locked out of any ability to control the security of the phone and any exploited iPhone is a potential danger to the network it joins.

rob@robburns.co
Jul 23, 2007, 01:46 PM
Earlier I said Apple should be embarrassed about Safari crashing exploits. That's true. However, I should add that exploits involved with using WiFi hotspots are always there: monkey in the middle exploits. That's why it's a good idea to use SSL for email, VPN for other confidential information, and more ubiquitous use of trust certificates would improve things in that situation. That is, the monkey in the middle would be able to intercept all your data, but it would do them no good without the decryption keys.

Analog Kid
Jul 23, 2007, 02:43 PM
Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

The government has the ability and the right to turn on your cell receiver or initiate a call if they want.
And it's a big deal whenever either of those scenarios is discovered. People concerned about Windows security are mostly concerned about exactly these kinds of problems.

I think it's safe to say the NYT made a bigger deal about the government accessing people's phones without warrants...
Hardly! Maybe only computers running Safari, it is trivial for me to protect myself from this with Firefox. What's different is that you have been locked out of any ability to control the security of the phone and any exploited iPhone is a potential danger to the network it joins.
Firefox isn't impervious either...
Earlier I said Apple should be embarrassed about Safari crashing exploits. That's true. However, I should add that exploits involved with using WiFi hotspots are always there: monkey in the middle exploits. That's why it's a good idea to use SSL for email, VPN for other confidential information, and more ubiquitous use of trust certificates would improve things in that situation. That is, the monkey in the middle would be able to intercept all your data, but it would do them no good without the decryption keys.
Good advice. Apple should have file vault enabled on the iPhone as well...

shawnce
Jul 23, 2007, 02:54 PM
Besides, it's been reported that Apple paid them to do this anyway.
....
Apple knew about this last week; seems like an established relationship to me.

Most respectable security researchers report what they find to the vendor and give them time to address the issue before releasing details. The fact that Apple was told about this doesn't imply Apple has any type of partnership with these folks.

coffey7
Jul 23, 2007, 02:58 PM
The Drudge Report is biased ?! what a shocker. :rolleyes:

CNN is also biased. It happens everywhere. This forum is very biased. If you have a different opinion they might ban you. I once put a link to a New York Times (a left sided paper) article that was not friendly to people around here and I was banned. I had to open another account. I was mean-spirited and full of hate because I linked a story in a fricken newspaper. So much for free speech. Drudge is usually right on for the most part. He breaks tons of good stuff. Just because the source is not pro this or that does not mean the story has to be wrong.

Stella
Jul 23, 2007, 03:03 PM
The Drudge Report is biased ?! what a shocker. :rolleyes:

Drudge report is pretty good for breaking news.

I don't see it as biased at all.

Of course, according to these forums, any publication is automatically 'Apple haters' because they 'dare' to publish a single negative Apple article.

ajhill
Jul 23, 2007, 03:11 PM
First of all my iPhone is set NOT to ask to join unknown networks.

So you would have to be browsing on a secured website on an open wi-fi access point that a hacker had physically compromised.

What they left out here is whether or not other users of this access point would be just as vulnerable???? Hmmm

The NY Times has been known to make up news in the past. They really should change their motto from "All the news that's fit to print" to the following: "All the news we see fit to print" or "All the news, true or not".

The video gives no details of the "exploit" if it exists, nor does it mention if this is something that is iPhone exclusive. As a matter of FACT it doesn't say much of anything. Mostly it just suggests some very serious problem with the iPhone. Kinda like yelling fire in a crowded theater.

CNBC was quick to jump on this story. Most media outlets in this country just ape the stories blindly that appear in the NY Times. The Times is quickly losing ad revenues and influence. And we are a better society as a result.

This rumor knocked the stock down today and it fully recovered, down $2.30 and closed -$.15. Considering that it went up $3.75 on Friday, today was a great day (none of the Friday gains given back). No doubt there will be some after hours idiots selling on the CNBC package that will be aired in the 4pm EDT timeslot. It will be interesting to see if CNBC gives some balance to the point of view by putting someone on to challenge the claims made by the "security" company that no one has even heard of before...

This is bullsh** at its finest...

offwidafairies
Jul 23, 2007, 03:12 PM
wow. i guess the bigger apple get, the more people wanna bring it down.

hayesk
Jul 23, 2007, 03:50 PM
Wow, the speculation here.

This is a standard buffer-overrun bug, is it not? It's pretty sad that in this day and age we still have buffer overrun bugs. Apple ought to be ashamed of themselves for this - in the iPhone and in Safari on the desktop.

However, I expect a fix very soon.

ajhill
Jul 23, 2007, 04:03 PM
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

They only list two employees on the website. They do have a page for people looking for a job, but they don't mention what the job description is. This creates the illusion that they are a GROWING company.

They also provide their public PGP key for those looking to send them an email. This is also crap. Who would want to spoof an email to a security company? As their website says, "Life is too short".

Just saw the CNBC report with Maria "The Babe" Bartiromo. CNBC teased this piece with adjectives like "SERIOUS" and "END OF PRIVACY".

What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators. They informed Apple about the "serious security flaw" and AT THE SAME TIME PROVIDED A PATCH. So if they were really concerned about helping out their fellow man, as their PR department would have you believe, they would have waited until after Apple had patched the iPhone before going public.

But then that would not have been SERIOUS and AN END TO PRIVACY AS WE KNOW IT! Come on, no one is falling for this. IF we made this big of a deal about all the Windows security flaws, CNBC would have a "BREAKING NEWS" report two or three times a week.

And where is the disclosure for this Independent Security Evaluators? I don't trust any company or group that has words like Independent, or Fair, or Truth in their names. Because they usually aren't.

Have any of Independent Security Evaluators's profits ever come from Apple's competitors? We may never know? Follow the money, people.

iPhone is a huge hit and those who have a lot to lose will stop at nothing to slow it down. If they can...

longofest
Jul 23, 2007, 04:24 PM
I heard it on WTOP news (www.wtop.com) this morning on my way to work, but I can't find anything posted on their website.

However, I did find this comment:

"These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered," the researchers wrote in a whitepaper. They said they were unwilling to divulge any more details about the exploits until the Black Hat security conference in Las Vegas in August, because Apple was only notified of their research findings on 17 July.
http://news.zdnet.co.uk/security/0,1000000189,39288165,00.htm

Apple knew about this last week; seems like an established relationship to me.

I heard it on WTOP too, but I've heard WTOP report unreliably several times about Apple-related things in the past. I don't know how much stock I'd put in the report unless you've heard it elsewhere as well.

defeated
Jul 23, 2007, 04:25 PM
Let me put my comment here

I guess this is a side effect of Apple's triple-platform-Safari strategy. Apple apparently needs to put more effort into Safari's security.

I have come to realize Apple's development strength is weak. Very incompatible with its strength in design.

longofest
Jul 23, 2007, 04:32 PM
Of course, according to these forums, any publication is automatically 'Apple haters' because they 'dare' to publish a single negative Apple article.

We actually took it easy on Apple in our interpretation of the white paper. See this:

However, there are serious problems with the design and implementation of security on the iPhone. The most glaring is that all processes of interest run with administrative privileges.

There are some kind of damning points from a security perspective. There is no way that Apple should have written every app with admin privileges. That's just stupid.

PCMacUser
Jul 23, 2007, 04:40 PM
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

This is a very silly statement! For starters, I don't think Microsoft gives a crap about finding vulnerabilities in the iPhone, so to suggest that they are paying people to do so is very weird and conspiratorial. Secondly, two years is old enough in the IT industry to be considered respectable. And I'm sure the employees of the said company are not actually two years old themselves. Age doesn't seem to matter so much anyway - some people in these forums continuously trash Symantec's security advice - and they are 25 years old - so go figure. (eg, http://forums.macrumors.com/showthread.php?t=308363&highlight=symantec)

AlexisV
Jul 23, 2007, 05:36 PM
I guess this is a side effect of Apple's triple-platform-Safari strategy. Apple apparently needs to put more effort into Safari's security.


Really? Safari is 99.9% secure on Macs and fairly unproven on Windows. As with Firefox though, I would be very surprised if Safari on Windows was less secure than IE7.

There are always going to be exploits uncovered for every browser occasionally. This particular story appears vague and any vulnerability on Safari is well reported (and soon to be plugged by Apple apparently), whereas there are tens of these things uncovered for IE7 every week, yet not well publicised as it's old news.

It's the old 'Macs don't get viruses because nobody bothers and the market share is too small anyway' adage. The truth is that even a fairly unserious piece of malware for OS X would get a lot of publicity (as this thread proves), which is what a lot of hackers would love to be infamous for.

Stella
Jul 23, 2007, 06:39 PM
There are some kind of damning points from a security perspective. There is no way that Apple should have written every app with admin privileges. That's just stupid.

Which is a good reason why Apple haven't allowed native 3rd party applications.

As I've always said and suspected, mobile OSX isn't up to scratch yet. It's still a very 'immature' OS.

iQuit
Jul 23, 2007, 08:22 PM
I have an iPhone, Safari crashes at times, but I haven't had any security problems with my iPhone. Regardless, I still have no regrets. The iPhone is a great product and it isn't like there aren't some bugs to be worked out. Apple will fix the bugs in due time, and all my information is backed up. :)

AidenShaw
Jul 23, 2007, 08:33 PM
...and all my information is backed up. :)

...and your "friends" at Starbucks are making backup copies of your private information too....

You should feel really safe!

rob@robburns.co
Jul 23, 2007, 08:38 PM
We actually took it easy on Apple in our interpretation of the white paper. See this:

There are some kind of damning points from a security perspective. There is no way that Apple should have written every app with admin privileges. That's just stupid.

I'd say that's a rather extreme statement. You do realize every Mac Apple sells ends up with admin privileges by default, don't you? There may be more Apple can do with that, but most of what anyone would care about on the phone needs to have their permissions anyway. It's not really the kind of device for multiple users. And most people aren't even going to password protect the device. So everything that could be stolen would be available to anyone who stole or found the phone. When you hear people talking about needing to lock down the iPhone to security levels below administrator, they're not really providing any constructive advice. Admin doesn't give anyone root access to the phone. It just gives someone the user name of an admin. They'd still need to crack the password.

As it's been said before, this sounds like a standard buffer overflow exploit (or maybe more hype than anything). Locking down the user account to a non-admin would still leave read access to all of the files they're claiming access to.

rob@robburns.co
Jul 23, 2007, 08:53 PM
...and your "friends" at Starbucks are making backup copies of your private information too....

You should feel really safe!

Are you complaining about T-Mobile WiFi hotspots at Starbucks now? If you don't trust T-Mobile, why would you trust any ISP? I'm not saying you have to trust them, but at that point, all bets are off. Certainly you can deploy your own servers and peer-2-peer security measures, but this isn't the kind of problem that gets wide publicity as a security exploit.

Fairly
Jul 23, 2007, 09:17 PM
Here's the deal - don't go to random websites that present themselves to you. Simple. I also don't go to dark alleys.
If that's OK by you then why leave Windoze?

AidenShaw
Jul 23, 2007, 09:18 PM
Are you complaining about T-Mobile WiFi hotspots at Starbucks now?

No, "Starbucks" was just a random example of a public hotspot. If Starbucks and T-Mobile are using two-factor authentication and strong encryption, then I apologize for suggesting that one may be at risk while having a tall iced mocha as you surf.

More to the point, I was trying to make fun of the earlier post where it was implied that backing up your data is a security ploy.

It doesn't matter whether *you* backup your data, the more important issue is to make sure that *others* aren't saving your private information as well.

Myself - I use EV-DO whenever possible, and public hotspots as a last resort. Even then, I use a VPN and a SecurID hard token to encrypt everything on the VPN channel (both EV-DO and WiFi). I don't care if someone grabs every packet - it'll be nonsense to them.

It also doesn't matter if someone steals my Windows Mobile phone and/or my laptop. The disks and storage are encrypted, and they'll "brick" themselves after 4 password failures.

Fairly
Jul 23, 2007, 09:20 PM
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.
You're right. They can't be for real. They sound like real amateurs to me. Like they used to hang out at MR and all that. Or read for yourself. :D
ISE was founded by Johns Hopkins University professor Avi Rubin. The technical staff at ISE have produced dozens of leading publications in the field of computer security and cryptography. They have won numerous awards including many best paper awards, the EFF Pioneer Award, Baltimorean of the Year, the CRA Outstanding Undergraduate Award, and the MIT Technology Review TR35. The staff includes several Ph.D.s in Computer Science and in Math, as well as Masters degrees in computer science and security informatics.

ISE security analysts have backgrounds that include academia, industry, as well as former employees of the National Security Agency. Several ISE consultants have certifications including Certified Information Systems Security Professional (CISSP), GIAC Certified Forensics Analyst (GCFA), and Red Hat Certified Engineer (RHCE).
Not so much FUD as - what did Howlin' Pelle call it? "A-K-A-I-D-I-O-T"?

Fairly
Jul 23, 2007, 09:23 PM
Why would this be FUD? Unlike the other recent claims of OS X worms and not to mention the whole Month of OS X bugs debacle, these are "ethical" hackers, disclosing the information to Apple FIRST so that they can issue a fix before releasing the information to the general public.

These kind of independent security analyses actually benefit the end user rather than harm them. There's no FUD here at all. Read their FAQ.
Agreed but for one thing. The "debacle" of MoAB was only a "debacle" because fanboys chose to make it so.

Fairly
Jul 23, 2007, 09:26 PM
This was bound to happen and shouldn't come as a surprise to anyone - especially not with a complicated device such as the iPhone.
Then you haven't read the PDF. There are security design flaws. Ordinary userland apps run as root; stack, load and heap addresses are not randomised (almost all OSes do this today for obvious reasons); and memory is left both executable and writable - a total no-no. The authors also recommend chrooting all userland apps so they can't get at each other's data.

They also criticize Apple for worrying more about AT&T than security.

Fairly
Jul 23, 2007, 09:29 PM
It's not a flaw _made_ by Apple. It's a flaw _missed_ by Apple. Big difference.
Then you too haven't read the PDF. Apple made design decisions to not run userland code in userland, to not write-protect executable memory, to not cordon off userland apps and their data from one another, and to not take the rather common precaution today of randomizing addresses. These are not things missed - these are CONSCIOUS decisions. They are "made".
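The design points listed in the two posts above (apps running as root, writable+executable memory, no address randomisation) are the kind of thing a defender checks from process metadata rather than from a crash. The following is an added example, not from the ISE paper or any post in this thread: it audits those three properties from Linux `/proc/<pid>/maps` and `/proc/<pid>/status` text, using constructed sample data rather than anything read from an iPhone (the chroot recommendation is not covered).

```python
import re
from typing import Dict, List, Optional

# One line of Linux /proc/<pid>/maps: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+\S+\s+\S+\s+\S+(?:\s+(.*))?$"
)


def parse_maps(text: str) -> List[Dict]:
    """Parse maps-format text into region dicts; non-matching lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "path": path or "[anon]",
        })
    return regions


def wx_violations(regions: List[Dict]) -> List[Dict]:
    """Regions writable and executable at the same time (the W^X rule broken)."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def stack_base(regions: List[Dict]) -> Optional[int]:
    """Start address of the [stack] mapping, or None if there is none."""
    for r in regions:
        if r["path"] == "[stack]":
            return r["start"]
    return None


def stack_randomised(run_maps: List[str]) -> bool:
    """True when the stack base differs between independent runs of one binary."""
    bases = {stack_base(parse_maps(t)) for t in run_maps}
    bases.discard(None)
    return len(bases) > 1


def effective_uid(status_text: str) -> Optional[int]:
    """Effective UID from /proc/<pid>/status ('Uid: real effective saved fs')."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    return None


def audit(status_text: str, run_maps: List[str]) -> List[str]:
    """Report which of the three hardening properties the process lacks."""
    findings = []
    if effective_uid(status_text) == 0:
        findings.append("process runs as root")
    wx = wx_violations(parse_maps(run_maps[0]))
    if wx:
        findings.append("%d writable+executable mapping(s)" % len(wx))
    if not stack_randomised(run_maps):
        findings.append("stack base identical across runs (no address randomisation)")
    return findings


# Constructed sample data (not captured from any real device).
WEAK_RUN_1 = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/local/bin/demo
00651000-00652000 rw-p 00051000 08:01 131 /usr/local/bin/demo
00652000-00673000 rwxp 00000000 00:00 0 [heap]
7ffff7dd0000-7ffff7dfc000 r-xp 00000000 08:01 420 /lib/libc.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
WEAK_RUN_2 = WEAK_RUN_1  # second run: identical layout, nothing randomised
HARDENED_RUN_1 = """\
5594c1a00000-5594c1a52000 r-xp 00000000 08:01 131 /usr/local/bin/demo
5594c1c51000-5594c1c52000 rw-p 00051000 08:01 131 /usr/local/bin/demo
5594c3105000-5594c3126000 rw-p 00000000 00:00 0 [heap]
7ffd2a3b0000-7ffd2a3d1000 rw-p 00000000 00:00 0 [stack]
"""
HARDENED_RUN_2 = """\
55b7e2300000-55b7e2352000 r-xp 00000000 08:01 131 /usr/local/bin/demo
55b7e2551000-55b7e2552000 rw-p 00051000 08:01 131 /usr/local/bin/demo
55b7e3a9c000-55b7e3abd000 rw-p 00000000 00:00 0 [heap]
7ffc9e110000-7ffc9e131000 rw-p 00000000 00:00 0 [stack]
"""
ROOT_STATUS = "Name:\tdemo\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
USER_STATUS = "Name:\tdemo\nUid:\t501\t501\t501\t501\nGid:\t20\t20\t20\t20\n"

if __name__ == "__main__":
    print("weak process:", audit(ROOT_STATUS, [WEAK_RUN_1, WEAK_RUN_2]))
    print("hardened process:", audit(USER_STATUS, [HARDENED_RUN_1, HARDENED_RUN_2]))
```

On a live Linux box the same functions can be fed the contents of `/proc/<pid>/status` and `/proc/<pid>/maps` captured from two separate launches of the same program.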

Fairly
Jul 23, 2007, 09:31 PM
Personally, I think it is fake.
You're right - professors at Johns Hopkins go around making things up all the time. :p
http://securityevaluators.com/people.html

Fairly
Jul 23, 2007, 09:33 PM
Stick with major, trusted forums like macrumors.
You'll lead us out of the darkness, Mr. Blue? :p

Fairly
Jul 23, 2007, 09:36 PM
Nevermind.
The all-time classic. Title is "Still a Fake" and it's still a fake because despite the impressive resume of the researchers behind the news Mr. Dippo still proclaims it to be a fake. Good thinking, Mr. Dippo.

Do you have any faith healers amongst your many and varied relatives? :p

rob@robburns.co
Jul 23, 2007, 09:37 PM
Then you too haven't read the PDF. Apple made design decisions to not run userland code in userland, to not write-protect executable memory, to not cordon off userland apps and their data from one another, and to not take the rather common precaution today of randomizing addresses. These are not things missed - these are CONSCIOUS decisions. They are "made".

A buffer overflow is the exploit. That was not a conscious decision; that was a mistake. The other issues which — I haven't read an independent confirmation of — may be conscious decisions. However, without the buffer overflow, they wouldn't do a hacker any good.

Fairly
Jul 23, 2007, 09:37 PM
:apple: i love my phone
Yes. We know. And yesterday it told us it loves you too. :cool:

rob@robburns.co
Jul 23, 2007, 09:41 PM
No, "Starbucks" was just a random example of a public hotspot. If Starbucks and T-Mobile are using two-factor authentication and strong encryption, then I apologize for suggesting that one may be at risk while having a tall iced mocha as you surf.

I don't know what two-factor authentication is, but T-Mobile offers an 802.1x connection with strong encryption. Most people probably do not connect that way and they make it difficult for non-Windows users to figure out how. However, even with the tightest security, if your ISP wants to peek in on what you're doing they're free to do so (unless you take other measures like you mentioned).

Fairly
Jul 23, 2007, 09:41 PM
BTW, I'm sure only .0001% of iPhones would be affected anyway.
So you have inside information that iPhones are configured differently?
They just want to make a name for themselves.
Too true. That's the way of all those Johns Hopkins professors. Always trying to make a name for themselves. There might be one person visiting this forum who has the academic credits to even be poorly compared with them. Most haven't finished high school and most can't spell but you're better than Johns Hopkins professors.

The last to leave the Mac Rumors forums please turn off the lights.

Fairly
Jul 23, 2007, 09:44 PM
Independent Security Evaluators

Gee, wonder who pays their bills. Someone named Bill perhaps?
Exactly. JHU is totally owned by Microsoft. :p
http://www.jhu.edu/

defeated
Jul 23, 2007, 09:44 PM
This particular story appears vague and any vulnerability on Safari is well reported (and soon to be plugged by Apple apparently).

This is the funny excuse I see every apple fanboy use. They always have confidence that apple will "patch this soon". And guess what? Apple is the slowest to patch their security holes.

Did I mention anything about windows, firefox, IE7, etc? Or you guys just always jump out in any situation to bash others, even when we are clearly discussing apple's problem?

Fairly
Jul 23, 2007, 09:45 PM
Who are these jokers
Why ask when you can find out yourself like anyone else on this board? They're not the jokers but there's definitely a major joker in this scenario. :p

Fairly
Jul 23, 2007, 09:48 PM
Also, Safari crashes over nothing, the same site will work fine on one load, then cause Safari to crash the next time.
That's the impossible dream. Browsers are always vulnerable because people can throw anything at them they want. Consider a graphics editor or a text editor you use on your system. Which apps write the files and which apps read them? The same ones. That's not the way the web works.

Fairly
Jul 23, 2007, 09:49 PM
These "jokers" include Charles Miller, a computer science PHD, formerly under the employ of the NSA. Ahem, and you are, who?
Exactly. LMAO Thanks. That felt good. Haha. Finally. :cool:

Fairly
Jul 23, 2007, 09:50 PM
the "under the employ of the NSA" simply demonstrates he'd sell his soul to anyone.
Oh it does? As eyebye asked - "ahem who are YOU?"

Fairly
Jul 23, 2007, 09:52 PM
Let's try to tone down the blind apple loyalty.

If you read the article, you'd see these people aren't particularly anti-apple and realistically toned down the long term implications. But that doesn't exclude the fact that this appears to be a real and serious issue which will likely be patched by Apple before August 2nd.

arn
Thank you for injecting sanity into this chicken coop. Some of us might actually sleep tonight as a result. It seems you arrived just in the nick of time. Thanks. :cool:

Fairly
Jul 23, 2007, 09:54 PM
Seriously though, I heard on the radio this morning that the company was paid by Apple to exploit the iPhone.
Not saying it isn't true but no one else is running that story.

Fairly
Jul 23, 2007, 09:56 PM
However, they do come across as particularly touting a Microsoft party line.
Oh is THAT ever stretching it. Only one person with a "party line" seen around here right now, friend. :)

Fairly
Jul 23, 2007, 09:59 PM
Strikes me that this company is using the iPhone and this 'so called' flaw as a vehicle for cheap self promotion.
Good call. I can sense already you're a knower of men and with an incredibly colourful background in academia and the computer security industry. For it was just my thought exactly but you beat me to it: all these millionaire Ph.D.s with tenures and their own books in the libraries and all those fancy parties and BMWs and all that - all they really want to do is make a name for themselves.

But make a name with who exactly? The people in MR forums? :rolleyes:

longofest
Jul 23, 2007, 10:02 PM
I'd say that's a rather extreme statement. You do realize every Mac Apple sells ends up with admin privileges by default, don't you? There may be more Apple can do with that, but most of what anyone would care about on the phone needs to have their permissions anyway. It's not really the kind of device for multiple users. And most people aren't even going to password protect the device. So everything that could be stolen would be available from anyone who stole or found the phone. When you hear people talking about needing to lock down the iPhone to security levels below administrator they're not really providing any constructive advice. Admin doesn't give anyone root access to the phone. It just gives someone the user name of an admin. They'd still need to crack the password.

As it's been said before, this sounds like a standard buffer overflow exploit (or maybe more hype than anything). Locking down the user account to a non-admin would still have read access to all of the files they're claiming access to.

An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synched, they don't stop the iPhone from syncing those changes. (i.e. changing telephone digits by one digit)
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.

Fairly
Jul 23, 2007, 10:02 PM
I think this says a lot, considering the source. Wildpalms' theory (above) also seems to be a strong possibility.
I agree we should get to the bottom of this. For it's OBVIOUS no one in their right minds - not even people in the computer security industry - would go tampering with their iPhones and looking for exploits. There HAS to be a sick evil hypocritical deep dark motivation for their doing this. There HAS to be! LOL :cool:

Fairly
Jul 23, 2007, 10:03 PM
We don't know when they first notified Apple
Yes we do. July 17.

Fairly
Jul 23, 2007, 10:06 PM
This sounds more like a Safari vulnerability than the iPhone specifically.
What all you people should do is READ THE PDF. Whatever hole they found now - great. But they DO point out four rather serious security architecture issues that must be addressed. And those, for the record in case there's any doubt, have absolutely nothing to do with Safari. :)

Fairly
Jul 23, 2007, 10:10 PM
:mad: NOTICE TO iPHONE APOLOGISTS: Don't make excuses. Say NOTHING if you can't stop dismissing serious problems. Understand what FUD is. It's not "real problems", it's fear and doubt surrounding nothing. It's clear the existing exploit was not "NOTHING"! Downplaying the problem only encourages people to make a much more damaging headline to have it taken seriously. ~ CB
Put another way it gets the gray hats after your butts because they see you just asking for it.

Cleverboy's words are amongst the sanest tonight and yesterday and with that I wish everyone a good night. Don't stop using your phones; Apple's iPhone is never going to be the kind of joke a Microsoft software product is so just relax a bit, OK? And these professors from Johns Hopkins and the NSA: wait a week and see what they say at Black Hat. Then you'll know.

dejo
Jul 23, 2007, 10:28 PM
Yes we do. July 17.
Okay, thanks. I still wonder if 5 or 6 days is really enough time for Apple to respond before going public but I suppose they wanted to build some hype for their disclosure on Aug. 2nd. I wish they'd waited longer but I understand their motivation.

Erik2v
Jul 23, 2007, 11:00 PM
An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synched, they don't stop the iPhone from syncing those changes. (i.e. changing telephone digits by one digit)
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.

All this is true. It's THEORETICALLY possible to run any code behind a buffer overrun (signed or not).

However, everyone here is missing something pretty obvious. We are most likely safe (FOR A WHILE). Not only will Apple fix this particular hole, but there's a larger obstacle facing anyone that wants to actually use this exploit...

There is very little info on the phone and architecture. According to sources in the iPhone dev. hacking community they've made SOME progress, but not anything incredible. There is a toolchain in place atm - they could stick a "HELLO WORLD" app. behind the exploit. They *are* working on the binary tools - they'll come along shortly, but it's still in its infancy.

1) Overwriting my contacts - fixed by sync or restore
2) Change config - fixed by restore
3) Deleting programs - fixed by restore

All of these are minor annoyances. Since the phone currently is "read-only"... i.e. doesn't really contain but a *copy* of your important stuff - it can be wiped at any time without worrying about it too much.

As for tying into all my contacts, taking over my phone and running up charges, good luck. Point is there's a TON of uncharted API and tool building that'll need to happen before someone makes *real* use of any exploit.

I am surprised Apple is compiling their browser code using unsafe string copies, not checking buffers, etc. Most of this is taken care of you if you would just use the newer "secure" compiler functions.

There will always be ways of hacking *any* device. No browser is ever safe.

People are getting their panties in a wad. Let Apple patch their poorly written code.
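
The unsafe string copy Erik2v complains about, placed beside a length-checked version, as an added example written for this page (it is not code from the thread, from Apple or from Independent Security Evaluators). The `contact` record, its 16-byte field size and the two sample names are constructed for illustration; the point is that the checked version refuses input that does not fit instead of writing past the field into its neighbour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record; the field size is chosen for illustration. */
#define FIELD_LEN 16

struct contact {
    char name[FIELD_LEN];
    char phone[FIELD_LEN];
};

/* Vulnerable pattern: strcpy trusts whatever length the caller supplies.
 * A name of FIELD_LEN bytes or more runs past `name` into `phone` and then
 * past the end of the struct. This is the class of defect the post above
 * describes; it is kept only for contrast and is never called with the
 * long input below. */
void set_name_unsafe(struct contact *c, const char *src)
{
    strcpy(c->name, src);
}

/* Hardened pattern: measure the input no further than the field allows,
 * reject anything that would not fit (silent truncation can itself corrupt
 * data, e.g. a phone number), and always NUL-terminate.
 * Returns 0 on success, -1 on rejection; on rejection the record is untouched. */
int set_name_safe(struct contact *c, const char *src)
{
    size_t n = 0;
    while (n < FIELD_LEN && src[n] != '\0')   /* bounded scan, no strlen() */
        n++;
    if (n >= FIELD_LEN)
        return -1;                            /* no room for the terminator */
    memcpy(c->name, src, n);
    c->name[n] = '\0';
    return 0;
}

/* Constructed inputs: one that fits, one (40 bytes) that would overflow. */
static const char SHORT_NAME[] = "Alice";
static const char LONG_NAME[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Returns 1 if the checked copy accepts the short name and stores it intact. */
int checked_copy_accepts_short(void)
{
    struct contact c;
    memset(&c, 0, sizeof c);
    return set_name_safe(&c, SHORT_NAME) == 0 && strcmp(c.name, SHORT_NAME) == 0;
}

/* Returns 1 if the checked copy rejects the long name and leaves both fields,
 * including the adjacent phone number, exactly as they were. */
int checked_copy_rejects_long(void)
{
    struct contact c;
    memset(&c, 0, sizeof c);
    strcpy(c.phone, "555-0100");              /* constructed value; fits with its NUL */
    int rc = set_name_safe(&c, LONG_NAME);
    return rc == -1 && c.name[0] == '\0' && strcmp(c.phone, "555-0100") == 0;
}

int main(void)
{
    printf("short name accepted: %d\n", checked_copy_accepts_short());
    printf("long name rejected:  %d\n", checked_copy_rejects_long());
    return 0;
}
```

The bounded scan is used instead of `strnlen()` or `strlcpy()` only so the block compiles under a strict C standard on any libc; on Darwin or the BSDs `strlcpy()` does the same job, and the "secure" library variants the post mentions are just this pattern packaged as functions.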

Rot'nApple
Jul 23, 2007, 11:02 PM
You're right - professors at Johns Hopkins go around making things up all the time. :p
http://securityevaluators.com/people.html

So if you are a professor at a prestigious university you have credibility?:rolleyes:

Credibility like Professor Ward Churchill at Colorado U?!:D

Why can't professors "go around making things up all the time"?

He did - http://www.hd.net/danrather.html ;)

donlphi
Jul 24, 2007, 12:26 AM
The fanboy-ism on these forums sometimes astounds me. It's really amazing to me that some people on here really cannot find or *refuse* to find *ANYTHING* wrong (or potentially) wrong with Apple and their products.

Absolutely amazing. GET YOUR HEAD OUT OF THE SAND.

w00master

I guess it's not that people on here "cannot find" anything wrong with it, but I think as an APPLE FANBOY you actually read the facts not some blown out of proportion version of the story.

It would take pretty impressive circumstances to get yourself into this mess they are describing. There have been no reports of people having their iPHONES "taken over" by malicious people (YET), and Apple (LIKE ALWAYS) will fix the problem before anything becomes a real problem.

Mr. Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed.

“You’d have to pry it out of my cold, dead hands to get it away from me,” he said.

I would hardly say there is cause for alarm, but if you want to be completely virus free, I have an Atari 2800 I'm selling - if you're getting nervous.:rolleyes::rolleyes:

Black Belt
Jul 24, 2007, 02:00 AM
Actually the exploits make it trivial to complete a serious scenario: load a trojan script and when you sync your iPhone - VOILA! - Your computer has now been infected BEHIND YOUR FIREWALL. And when you join a network, malicious code can start infecting computers on that network because it is BEHIND THE FIREWALL. That's the seriousness of the matter. And most of you people are living in the 90s, exploiting your computer is not about inflicting damage or messing up your data like a schoolboy, it is about using your bandwidth, processor cycles and IP to execute criminal actions en masse over the internet without your knowledge. No reports? I seriously doubt most people running an iPhone or a Mac would have the slightest clue about how to detect it.

Apple products no longer reside in fairyland where no one has to understand security, welcome to the real world fanboys.

rob@robburns.co
Jul 24, 2007, 06:14 AM
Put another way it gets the gray hats after your butts because they see you just asking for it.

Cleverboy's words are amongst the sanest tonight and yesterday and with that I wish everyone a good night. Don't stop using your phones; Apple's iPhone is never going to be the kind of joke a Microsoft software product is so just relax a bit, OK? And these professors from Johns Hopkins and the NSA: wait a week and see what they say at Black Hat. Then you'll know.

If it is just a PR hit job (and I think there are indicators that it might be), then we will all have forgotten about this in a few days. The presentation may or may not happen, but then no one will remember. That's if it's only a PR hit job. This thread will be dead in a day or two.

rob@robburns.co
Jul 24, 2007, 06:18 AM
An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synched, they don't stop the iPhone from syncing those changes. (i.e. changing telephone digits by one digit)
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.


#1 is true even without admin access: unless you're going to require a password every time a user changes or saves a contact. The others would be isolated by a less-than-admin account. However, you fail to address the substance of my post: that every Mac ships with admin privileges by default.
Why is this, all of a sudden, a major architectural security flaw? And on a phone designed as a single user device, no less. The "security design flaws" (scare quotes) are being blown way out of proportion. This is a buffer overflow exploit issue (if there's even an exploit). Try to bring a little skepticism to this. They're claiming to be able to add features to the iphone everyone wants and no one has delivered through a buffer overrun exploit.

Evangelion
Jul 24, 2007, 06:46 AM
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

You just won my "the most idiotic comment on MacRumors"-award. Should they start their company, and then twiddle their thumbs for about 25 years, because only then will people take you seriously? By your logic:

F-secure is 19 years old. Most 19-year-olds are idiots, would you take security advice from one? Panda Software is 17 years old. Kaspersky Lab is 10 years old, how can they know anything about viruses or security?! When Apple introduced the iPod, it used a CPU from PortalPlayer. Back then PP was just two years old, how could Apple buy a CPU from a two-year-old?!?!?

They only list two employees on the website.

And Bruce Schneier is just one guy. Clearly, he's even less useful than these guys!

iPhone is a huge hit and those who have a lot to loose will stop at nothing to slow it down. If they can...

It's "lose", not "loose". But you are right: this MUST be some kind of MASSIVE anti-Apple/iphone conspiracy! Nothing else makes sense!

:rolleyes:

Evangelion
Jul 24, 2007, 06:48 AM
Yes, I would say they are.

By merely having a similar viewpoint? Anyone who ever agrees with Microsoft on anything is automatically a paid shill of Microsoft?

Yes, I know for a fact.

You do eh? Let's hear them then.

The security differences between Mac OS X and Windows are striking.

Well, that's your opinion. But I asked for _facts_.

Certainly the fact that Mac OS X is a minority OS is significant

So you are agreeing with them? Doesn't that make you a Microsoft sock-puppet? Quick, burn him!

Sure, they have. And in recent years Microsoft has been engaging in these PR hit jobs too.

So, you are claiming that if some company finds a security-flaw in an Apple-product (in this case the iPhone), it's a "Microsoft PR hit job"?

No, I don't care if they make Apple look bad. I have no doubt there are serious bugs in the iPhone.

But if someone else than Apple finds one, they are being paid by Microsoft to make Apple look bad, right?

However, the claims made are a bit far fetched

Are you an expert on this field? Do you have detailed insight to their methods and results? No? Then how can you make a claim like that?

Recording and communicating voice over the internet is functionality many would love to have on their iPhone through Web 2.0 apps.

And maybe such functionality is possible on the iPhone?

longofest
Jul 24, 2007, 08:27 AM
...
1) Overwriting my contacts - fixed by sync or restore
...
All of these are minor annoyances. Since the phone currently is "read-only"... i.e. doesn't really contain but a *copy* of your important stuff - it can be wiped at any time without worrying about it too much.
...

You can edit contacts on the phone. As I described in my post above, a malicious program could be written in such a way that it mildly edits your contacts so you don't notice the change, and then when you sync, your address book on your computer is changed as well. You would then have to manually change it back unless you have a backup copy.

My point is not so much regarding the current state of matters. Obviously, the only current exploits are not in the wild. However, Apple needs to do a better job in programming with a security-based mindset, or such exploits as I described are very possible by any hacker worth his/her weight (as we have seen on the windows world).

WildPalms
Jul 24, 2007, 10:20 AM
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

They only list two employees on the website. They do have a page for people looking for a job, but they don't mention what the job description is. This creates the illusion that they are a GROWING company...<cut>


What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators. <cut>

"What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators."

- Exactly what I believe is going on. It's just a cheap publicity exploit. It's pointless arguing about whether it's a flaw in iPhones, Apples, p.c. or every man made device and too many people here are focusing on that side too much.

It's about how this itty-bitty startup is grasping at a chance for 15 minutes of free publicity riding on another company's reputational coat tails.... that's the real rub.

Black Belt
Jul 24, 2007, 12:16 PM
"What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators."

- Exactly what I believe is going on. It's just a cheap publicity exploit. It's pointless arguing about whether it's a flaw in iPhones, Apples, p.c. or every man made device and too many people here are focusing on that side too much.

It's about how this itty-bitty startup is grasping at a chance for 15 minutes of free publicity riding on another company's reputational coat tails.... that's the real rub.

If this is the level of security knowledge of Apple users - let the games begin! I mean this is bypassing the koolaid and going right to sucking on Jobs' nipple. :D

rob@robburns.co
Jul 24, 2007, 01:10 PM
If this is the level of security knowledge of Apple users - let the games begin! I mean this is bypassing the koolaid and going right to sucking on Jobs' nipple. :D


Perhaps I've had too much Jobs milk, but my impression is that what David Blaine does isn't real either. But I'm sure you think it looks so real.

Safari has crashing issues which indicates that a buffer overrun exploit might be possible. However, the claims made by this company just border on the absurd. The machinations they go through to show they love the iPhone are a bit overacting (thou doth protest too strongly). Finally, we Mac users have seen this b*llsh*t for decades. Step 1) put out a sensationalist press release; Step 2) get lots of press and fame over nothing; Step 3) there's no step (3). No one ever follows up to see what all the hype was about.

On the other hand we also see lots of vulnerabilities go through the normal channels. Step 1) Report them through OIS or another usual vulnerability reporting channel; Step 2) no fame for the reporter except an acknowledgment buried in a software update FAQ somewhere; Step 3) vulnerability hole is plugged by the vendor (Apple in this case).

BobZimmerman
Jul 25, 2007, 02:14 AM
Are you an expert on this field? Do you have detailed insight to their methods and results? No? Then how can you make a claim like that?

I don't know about Rob, but I am an expert in the field of information security. This company's claims are extremely suspect. Let's take a look at exactly what they claim and what they show, shall we?

First, they claim arbitrary code execution. They then break this down into two sub-exploits. The first is an information disclosure flaw. "The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection." Doesn't sound like code execution to me, but whatever.

The second sub-exploit they list involves "[performing] physical actions on the phone". They specifically state they were able to "make a system sound and vibrate the phone for a second".

Second, they claim these exploits can be delivered via the phone automatically connecting to WiFi access points.



Now, what they actually show.

They show a video of someone retrieving data off of the iPhone. That much is clear. What isn't clear is whether they used the information disclosure technique that hit Full Disclosure (a security mailing list) a week ago. It looks very much like they do. If so, this isn't a "remote code execution" flaw, but instead a simple information disclosure flaw, albeit a rather serious one. Even so, the people on Full Disclosure largely dismissed it, since other phones have similar functionality.

They don't actually show the phone performing any "physical actions", but their described accomplishment and the theoretical scenarios that follow sound an awful lot like the things that Apple's web API was described as allowing. You know, having a web-based contact list and dialing the phone app directly from it. Things like that. Yes, they are literally crediting themselves with discovering Apple's public API for the phone. "Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio ..." (emphasis mine).

Now, for perhaps the most irritating part of their claims. They act like the iPhone is somehow magically vulnerable to attacks involving associating to malicious APs. Look up AirPwn some time. That tool does exactly what they describe. It inserts malicious code into every page. This isn't an iPhone flaw. If anything, it's a flaw in the 802.11* suite of protocols.



So in short, based on the evidence they have given us so far, there is no remote code execution exploit. At the very least, all of their exploits require user interaction and are therefore local. Even using the contorted version of "remote" used to classify OpenBSD's second hole (a flaw that could only be exploited from the same network segment), these still are in no way remote. Calling them that is disingenuous at best, and in this case, more like an outright lie. They should know better.

HyperZboy
Jul 25, 2007, 08:38 AM
They're not the jokers but there's definitely a major joker in this scenario. :p

Yes, the joke was, "Hey JHU students/grads, first 3 people to hack into an iPhone all get FREE iPhones!"

"YAAAAAAAY"

2 Weeks later......... iPhone hacked. Professor out $1800.

And no, JHU is not owned by Bill Gates or Microsoft, although you could make a good case that they are owned by the Federal Government as I believe they receive more Federal research grant money than any other university in the nation and the professor in this case is an ex-NSA (National Security Agency) employee (it's right near Baltimore, shhhhh, seeeecret).

Doubtful they got a research grant for this though. :-)

Maccus Aurelius
Jul 25, 2007, 12:07 PM
No, that is not a "big difference". Besides: which company wrote the software (OS X) that has this bug? I believe the name starts with "A" and ends with "e".

Well, technically, making a flaw and missing a flaw are pretty significantly different, since they didn't actively go out and say "hey, let's make this flaw!" but rather it's a failing on a certain design that they overlooked. But anyway, I nitpick :p

Well I'd say it's better to have ethical hackers find this flaw before virtual lowlifes start messing with people's phones. This is just like the Quicktime and OS X security updates for our computers. What's all the hubbub? Not sure if it's real or not, but since I don't own an iPhone, I guess I'll live if it is.

trngmchn
Jul 26, 2007, 01:49 PM
I don't know about Rob, but I am an expert in the field of information security. This company's claims are extremely suspect. Let's take a look at exactly what they claim and what they show, shall we?

First, they claim arbitrary code execution. They then break this down into two sub-exploits. The first is an information disclosure flaw. "The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection." Doesn't sound like code execution to me, but whatever.

Wow... you are an expert in information security but you just really don't get it. What do you think arbitrary code execution is? It's a crafted buffer overflow that allows the execution of arbitrary (e.g. whatever the exploit author chooses) machine code. This is a textbook security vulnerability and this first sub-exploit you mention is just that -- arbitrary code execution. The personal information sent from the iPhone isn't transmitted over any "web API calls", it's done by instructing the phone/machine (via the buffer overflow) to open a socket (via a system call) and send the data as bytes to an IP address of their choosing (via more system calls). Did you actually read the tech report?

BobZimmerman
Jul 26, 2007, 08:01 PM
Wow... you are an expert in information security but you just really don't get it. What do you think arbitrary code execution is? It's a crafted buffer overflow that allows the execution of arbitrary (e.g. whatever the exploit author chooses) machine code. This is a textbook security vulnerability and this first sub-exploit you mention is just that -- arbitrary code execution. The personal information sent from the iPhone isn't transmitted over any "web API calls", it's done by instructing the phone/machine (via the buffer overflow) to open a socket (via a system call) and send the data as bytes to an IP address of their choosing (via more system calls). Did you actually read the tech report?

Yes, I certainly did read the report. They made no mention of how they got the information off of the phone. The CVE likewise does not explain it. Various groups claimed to have found a set of web API calls that send information to arbitrary servers.

Where exactly did you read that it was done through a buffer overflow? The entire document that they published makes no reference to "buffer", "overflow", "overrun" or any combination thereof. In fact, the main reason I call this simple fearmongering is that they provide literally no details about their exploit. They go to the media and say that they have an exploit, but then they don't let the rest of the community see it so we can't evaluate the real risks. CVE lists the severity as a 9.3 out of 10, and it's completely unconfirmed at this point! No details. No proof of concept. It certainly hasn't been seen in the wild yet as far as I can tell.

So now, we are left with a series of questions. Do you have some inside information? Have they published something besides what is on their websites? Has another group somehow discovered the same exploit and published a more detailed description (this is entirely possible, though I haven't heard anything about it yet)?

My information was based on what they have released to the public. What's yours based on?

trngmchn
Jul 26, 2007, 11:02 PM
I don't have any more information than you do. A few points:

1) Use Google to query the string "iphone buffer overflow".
2) Maybe you don't understand what is happening in the video that was posted... they load a web-page that simultaneously crashes Safari and runs their code. Seems what's going on is pretty clear to me.
3) Another clue: the report says the vulnerability also exists in OS X Safari and Windows Safari. If this doesn't mean anything to you - you don't get it.
4) The full vulnerability will be revealed at Black Hat. By then Apple can patch Safari. That's why you can't see it now -- not because it doesn't exist.


Denial doesn't make systems any more secure. This could have happened on any other device just as easily. There is no need to get excited or defensive about it.

Fairly
Jul 31, 2007, 01:48 AM
Screw Drudge. Drudge is Drudge. Find Avi Rubin's site. He's got good stuff up. And in two days we'll either know all or know we don't know all. :D
From the few links up at Drudge on the iphone, most have been negative. Pretty biased reporting.

BobZimmerman
Aug 1, 2007, 12:08 PM
I don't have any more information than you do. A few points:

1) Use Google to query the string "iphone buffer overflow".
2) Maybe you don't understand what is happening in the video that was posted... they load a web-page that simultaneously crashes Safari and runs their code. Seems what's going on is pretty clear to me.
3) Another clue: the report says the vulnerability also exists in OS X Safari and Windows Safari. If this doesn't mean anything to you - you don't get it.
4) The full vulnerability will be revealed at Black Hat. By then Apple can patch Safari. That's why you can't see it now -- not because it doesn't exist.


Denial doesn't make systems any more secure. This could have happened on any other device just as easily. There is no need to get excited or defensive about it.

My issue with using Google to find details on this is that Google reflects public perception more than it reflects reality. The media was reporting it as a buffer overflow. The people who documented and claimed the vulnerability did not call it that. Nowhere in their actual materials did they call it any kind of overflow.

As for the video, you do realize how easy it is to rig demos like that, right? After the airport fiasco, my standard for disclosure is a lot higher. These people didn't even come close to giving the community enough information to verify the issue independently. Thus, I discounted the issue as marketing for the time being and decided to wait until they revealed what was actually going on at Blackhat tomorrow. I was mostly wanting to shoot down some of the stranger things I was seeing in this thread.

Yes, the report says that, but it doesn't necessarily mean anything. At this point, when a vulnerability in something that has been getting a lot of media attention is reported but not disclosed, it looks very much like a hoax. Again, the airport "vulnerability" springs immediately to mind.
Anyway, it would seem that I was wrong and this apparently can lead to ACE:
Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issues, which may lead to arbitrary code execution. This update addresses the issues by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

It's still not a 'remote code execution' flaw as is being widely reported, and I'm still wondering how they verified arbitrary code execution when the researchers couldn't possibly have had a working toolchain to compile that code when they discovered the issue.

I suppose we'll find out more tomorrow.
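
The advisory quoted above says the fix "performs additional validation of JavaScript regular expressions" before the pattern reaches the PCRE engine. The following is an added illustration of that defensive idea, written for this thread; it is not Apple's patch, not PCRE code, and not ISE's material. It is a conservative gate for regular-expression patterns that come from untrusted input: it bounds pattern length, bounded-quantifier repeat counts and group nesting depth, and checks bracket balance, before the pattern is ever compiled. The limit values and the function name are assumptions chosen for the example.

```javascript
// Added example (not from the thread or from Apple/PCRE): pre-validate an
// untrusted regular-expression pattern before handing it to the engine.
// The limits are illustrative assumptions, not values from any real product.
const LIMITS = { maxLength: 256, maxRepeat: 1000, maxDepth: 8 };

function validatePattern(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'pattern too long' };

  let depth = 0;      // current group nesting
  let maxDepth = 0;   // deepest nesting seen
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }          // escaped character: skip it
    if (c === '[') {                            // character class: parens inside are literal
      let j = i + 1;
      while (j < pattern.length && pattern[j] !== ']') {
        if (pattern[j] === '\\') j++;
        j++;
      }
      if (j >= pattern.length) return { ok: false, reason: 'unterminated character class' };
      i = j;
      continue;
    }
    if (c === '(') { depth++; if (depth > maxDepth) maxDepth = depth; continue; }
    if (c === ')') { depth--; if (depth < 0) return { ok: false, reason: 'unbalanced parentheses' }; continue; }
    if (c === '{') {                            // bounded quantifier {n}, {n,} or {n,m}
      const close = pattern.indexOf('}', i);
      if (close === -1) continue;               // a lone '{' is a literal in JS regexes
      const m = /^(\d+)(?:,(\d*))?$/.exec(pattern.slice(i + 1, close));
      if (m) {
        const lo = Number(m[1]);
        // "{n,}" has an open upper bound (like "+"); only the lower bound is checked then
        const hi = m[2] === undefined || m[2] === '' ? lo : Number(m[2]);
        if (lo > limits.maxRepeat || hi > limits.maxRepeat) {
          return { ok: false, reason: 'repeat count too large' };
        }
        i = close;
      }
    }
  }
  if (depth !== 0) return { ok: false, reason: 'unbalanced parentheses' };
  if (maxDepth > limits.maxDepth) return { ok: false, reason: 'nesting too deep' };

  // Only now let the engine see the pattern; surface syntax errors as a rejection.
  try { new RegExp(pattern); } catch (e) { return { ok: false, reason: 'syntax error: ' + e.message }; }
  return { ok: true, reason: '' };
}

// Constructed sample inputs: an ordinary e-mail-style pattern and three that the gate rejects.
const samples = ['^[a-z]+@[a-z]+\\.[a-z]{2,6}$', 'a{100000}', '((((((((((a))))))))))', '(a'];
for (const p of samples) {
  const r = validatePattern(p);
  console.log(JSON.stringify(p), r.ok ? 'accepted' : 'rejected: ' + r.reason);
}
```

The point of the gate is defence in depth: a cheap structural check rejects pathological patterns before any of the engine's memory-handling code runs, so a parser bug of the kind the advisory describes is harder to reach from a web page. It is deliberately stricter than the regex grammar (it will refuse legitimate but unusually deep or long patterns), which is the usual trade-off for input that arrives from an untrusted source.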

trngmchn
Aug 1, 2007, 06:20 PM
As for the video, you do realize how easy it is to rig demos like that, right? After the airport fiasco, my standard for disclosure is a lot higher. These people didn't even come close to giving the community enough information to verify the issue independently.

...

It's still not a 'remote code execution' flaw as is being widely reported, and I'm still wondering how they verified arbitrary code execution when the researchers couldn't possibly have had a working toolchain to compile that code when they discovered the issue.
Bob, I don't mean to pick on you, but you still have some misunderstandings. First of all, don't you think it would be strange for a reputable company to rig a demo like this? It wouldn't make sense. Second, if enough information was given to independently verify the issue then the exploit would have instantly gone wild. Now that the patch has been released, it is no longer an issue and we should see the details this week.

Now, the part that is really getting under my skin is this one issue that you just don't understand. It is a 'remote code execution' flaw. You don't need a toolchain or a compiler to run arbitrary code. You only need to know information about the processor architecture and how to write assembly code for that particular architecture. This is the case for any buffer overflow exploit, for just about any platform. I don't know what your background is and I know this may be hard to understand, but if you ever decide to write a buffer overflow exploit yourself, this fact will become immediately obvious.

Fairly
Aug 3, 2007, 10:50 AM
The media was reporting it as a buffer overflow. The people who documented and claimed the vulnerability did not call it that.
But that's what it was. Draw your own conclusions. To some of us it's pretty obvious.
As for the video, you do realize how easy it is to rig demos like that, right?
I agree. I never trusted those attention whores at the NSA and Johns Hopkins anyway. This proves everyone's suspicions were correct. :D
After the airport fiasco, my standard for disclosure is a lot higher.
I think you should make ISE aware of your new standards.
These people didn't even come close to giving the community enough information to verify the issue independently.
Of course not.
At this point, when a vulnerability in something that has been getting a lot of media attention is reported but not disclosed, it looks very much like a hoax.
No it does not. It instead looks like a fortnight's reprieve for the vendor to patch.
Again, the airport "vulnerability" springs immediately to mind.
For some people it does. And at the same time the names Lynn Fox, Jim Dalrymple, and David Chartier spring to mind too.
It's still not a 'remote code execution' flaw as is being widely reported
Who cares what they call it? You're missing the bigger picture. The regex library which was supposed to be updated a year ago was updated finally on Monday only because ISE forced Apple to.

What would have happened if black hats knew of this and were exploiting it?

How do you know they weren't?

Fairly
Aug 3, 2007, 10:53 AM
Now, the part that is really getting under my skin is this one issue that you just don't understand. It is a 'remote code execution' flaw. You don't need a toolchain or a compiler to run arbitrary code. You only need to know information about the processor architecture and how to write assembly code for that particular architecture. This is the case for any buffer overflow exploit, for just about any platform. I don't know what your background is and I know this may be hard to understand, but if you ever decide to write a buffer overflow exploit yourself, this fact will become immediately obvious.
Quite. After all, that's the whole point of it - you're making a remote app do something it didn't intend to do - something you want it to do. The whole point is you don't have to come into contact with the target and you can still squash it.

Kawasaki
Aug 8, 2007, 11:32 AM
Everything has a vulnerability if you try hard enough. I don't know why people expect perfection.

Fairly
Aug 11, 2007, 04:05 PM
Everything has a vulnerability if you try hard enough. I don't know why people expect perfection.
What a name. Kawasaki that is. Wouldn't be Guy Kawasaki by any chance?

Is your middle name "Troll" too?

SC68Cal
Aug 11, 2007, 09:56 PM
I don't know why people expect perfection.

It's not like Apple markets their products to people with that expectation.

"It just works," after all.