Apparently not.

Yes, we did. We know you think he's a big "attention whore". I don't agree with you. I think he's just your standard security researcher. But maybe that's because I've read about these disclosures before. Maybe you should hang out on some security related sites to see how these are done.

----------

They've had 8 months to replicate it, why not?

When did they get this 8 months? The App was approved and the video done in September. That's less than 2 months in my book. And what makes you think it's trivial?

Apple has had a month to fix this now, high time for a public reveal to get the "wheels" in motion.
 
When did they get this 8 months? The App was approved and the video done in September. That's less than 2 months in my book. And what makes you think it's trivial?

Miller says he knew of the vulnerability when 4.3 came out - in March: 8 months.

Apple has had a month to fix this now, high time for a public reveal to get the "wheels" in motion.

3 weeks, not a month.
 

Well what freaking app was it??
 
Miller says he knew of the vulnerability when 4.3 came out - in March: 8 months.

So in 4.3 he saw a possible vulnerability. There is a big difference between finding a possible vulnerability and figuring out how to exploit it.

So in 4.3 he started looking for a way to exploit it. More than likely found it was possible in an unapproved app and then he had to submit said app to see if it could make it through Apple's approval process.

That gatekeeper part on Apple's part was the key. Since it clearly can go through the gate no problem, there is a massive problem.
It is not like Apple could scan the code to find something like this. Even if they had the source code themselves, chances are many things like this would go through since, let's face it, finding it in a lot of code and then using misleading method and variable names make it a cakewalk to slip through. Hell, you could break it up and spread it across multiple classes and hide it pretty easily.
 
...It is not like Apple could scan the code to find something like this...
So you admit that there was no practical reason for him to submit it to the App store; there was nothing to prove from a technical point of view. I agree, we already know that social engineering can work.
 
Federal charges? What laws were actually broken? Please cite the laws, F. Lee Bailey.

If somebody launched that app while he put some of the malicious code up that allowed him to browse the iPhone file system remotely he just gained access to a system illegally. Breaking into somebody's computer whether or not you take something is illegal.

The right way to do his app might have been to require an obscure gesture or combination of stock symbols to enable the "phone home" feature. And even then to pop a confirmation box asking for the user's permission to test out the iOS exploit and explaining it may cause remote access to the device's private file system.

Is that good enough for you? If AT&T put a system up that allowed me to login and view their customer's email addresses and I chose to take advantage of it and took a look around, then I could have charges brought against me. Anybody who bought the app could potentially bring charges. If that was a corporate-owned phone, then the company could bring charges. Whether or not there are laws allowing Apple to bring charges themselves is unknown to me.
 
So in 4.3 he saw a possible vulnerability. There is a big difference between finding a possible vulnerability and figuring out how to exploit it.

You are right, however, if he was really trying to help improve the security of the platform, he should have reported it as soon as it was found. Instead, he chose to develop the exploit, and write an app to utilize the exploit.
 
So in 4.3 he saw a possible vulnerability. There is a big difference between finding a possible vulnerability and figuring out how to exploit it.

So in 4.3 he started looking for a way to exploit it. More than likely found it was possible in an unapproved app and then he had to submit said app to see if it could make it through Apple's approval process.

Ding ding ding! We have a winner.

----------

You are right, however, if he was really trying to help improve the security of the platform, he should have reported it as soon as it was found. Instead, he chose to develop the exploit, and write an app to utilize the exploit.

Neither of the articles have full details that I could find, but it's very possible that in 4.3 he found that iOS had an intentional loophole in it to allow Safari to execute arbitrary code. That by itself is not necessarily a vulnerability. It sounds like he was only able to prove that he could find a way around the checks recently. Basically, if he had submitted a bug saying "Safari is allowed to execute remote arbitrary code!", the response would have been "We know." He had to first prove that another application would be able to bypass the checks and do the same thing.



One additional note about security researchers. What he is doing is pretty normal. Typically, you give the vendor a certain amount of time and then if they are unresponsive, you put pressure on them by releasing the information. Now, even if the vendor does patch the vulnerability, usually the researcher will still release details and/or an exploit after the patch. This is just the environment they live in. You can't gain a good reputation and therefore good paychecks if no one knows what you've done. If everything happened behind closed doors with NDAs, etc, it would not benefit the researchers at all. So, you take the good with the bad. Apple gets a vulnerability reported before it's used for something truly malicious, and the researcher gets the credit and reputation to keep him relevant and valuable. Remember: the companies don't pay these guys large sums of cash (if they do pay, it's usually a joke) for all the work they do in discovering these bugs, so if the researcher is to derive value from his work, it will likely be in reputation.
 
The headline of the Macrumors post was somewhat misleading.

He didn't only discover the weakness. That would have gotten him a big pat on the back.

He also managed to get an app approved that exploited it.

Nobody needs that.

Apple was right to revoke his developer license.
 
Miller says he knew of the vulnerability when 4.3 came out - in March: 8 months.

Miller is not the black hat community like the other poster alluded to. Context man, context. Miller did not divulge this information to Black hats 8 months in advance.
 
I don't understand where all the hate is coming from,

what exactly did Charlie do that is making people upset?
 
Miller is not the black hat community like the other poster alluded to. Context man, context. Miller did not divulge this information to Black hats 8 months in advance.

I never said anything about black hats, why do you assume things?
 
The headline of the Macrumors post was somewhat misleading.

He didn't only discover the weakness. That would have gotten him a big pat on the back.

He also managed to get an app approved that exploited it.

Nobody needs that.

Apple was right to revoke his developer license.

Agreed. If this guy is a "security researcher", then a bank robber is a "physical intrusion tester".
 
Again, do you really think he told them exactly where it was? It is very likely they are going in blind.

Unless you have proof of that, it's nothing but wild speculation to try to make the situation conform to your love of Apple.
 
I never said anything about black hats, why do you assume things?

Because you replied to my post that was a reply to a poster that had? :rolleyes:

Hence the "context". ;)

Basically, you interjected in a conversation; make sure to understand what you're interjecting into, uh?
 
I don't understand where all the hate is coming from,

what exactly did Charlie do that is making people upset?

Found an exploit and showed proof of concept in an Apple product. Nothing more than that.

If it was anyone else the same group praising Apple would call the other company in the wrong.

It is nothing more than Apple worship.
 
I don't understand where all the hate is coming from,

what exactly did Charlie do that is making people upset?

His job. That is all.

Of course, you're dealing with a crowd here that is uninitiated to how this job is done, so they hate and are angry out of misunderstanding.
 
This sort of thing happened to me once. Forget about iOS. When I had just bought my very first iMac G5, yes, the non-Intel one, some dude from Malaysia could switch on my iMac remotely using his smartphone. He never told me how, but I would never let that son-of-a-bitch into my house again. Anybody know how you could prevent this from happening? There is a way to remotely cold boot your iMac, as I read somewhere on the net. If you live in a dense apartment block, somebody, your neighbor, can hack into your wifi, into your system, and see what is in your folders. This is scary.

Here's what I think happened:
1) Your wifi is either unprotected, WEP, or you let him on it. So he could get your network.
2) He has the ethernet address of your iMac (easily done by sniffing traffic)
3) He asked you to turn off the iMac.
4) He sends a Wake-on-LAN packet to that ethernet address.
5) *ding* Your iMac turns on. You crap your pants.

It's expected behavior. It's not a bug, it's actually designed that way, and practically every server (PC, Mac, Sparc, PPC, Itanium, etc.) is designed with this feature nowadays.

No, it does not mean he can take your data. Unless your file sharing is turned on and your password is so easily guessable.

Anyways, to turn that feature off, go to System Preferences:Energy Saver and uncheck "wake for network access" or something along that line depending on your OS version.
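The reply above attributes the remote power-on to a Wake-on-LAN "magic packet". As an added example (not from this thread or from Apple), here is a small detector a network admin could run over captured UDP payloads to see whether a packet is a well-formed magic packet and which MAC it targets; the sample payloads and the MAC address are constructed, not captured.

```python
"""Identify Wake-on-LAN magic packets in UDP payloads (added example).

Format: 6 bytes of 0xFF (the "sync stream") followed by the target's
48-bit MAC address repeated 16 times, optionally followed by a 4- or
6-byte SecureOn password.  Some senders pad the payload before the
sync stream, so the sync stream is searched for rather than assumed
at offset 0.
"""
from typing import Optional

SYNC = b"\xff" * 6
MAC_LEN = 6
REPEATS = 16
BODY_LEN = len(SYNC) + MAC_LEN * REPEATS  # 102 bytes


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a
    well-formed magic packet, otherwise None."""
    idx = payload.find(SYNC)
    if idx < 0 or len(payload) - idx < BODY_LEN:
        return None
    mac = payload[idx + len(SYNC): idx + len(SYNC) + MAC_LEN]
    # Every one of the 16 repetitions must match the first one exactly.
    if payload[idx: idx + BODY_LEN] != SYNC + mac * REPEATS:
        return None
    # Only a SecureOn password (0, 4 or 6 bytes) may trail the body.
    if len(payload) - idx - BODY_LEN not in (0, 4, 6):
        return None
    return mac.hex(":")


# Constructed sample payloads (locally administered MAC, not a real host).
TARGET_MAC = bytes.fromhex("021122334455")
SAMPLE_WOL = SYNC + TARGET_MAC * REPEATS
SAMPLE_WOL_SECUREON = SAMPLE_WOL + bytes(6)
SAMPLE_PADDED = bytes(10) + SAMPLE_WOL
# Last repetition differs in its final byte: not a valid magic packet.
SAMPLE_NOISE = SYNC + TARGET_MAC * 15 + bytes.fromhex("021122334456")

if __name__ == "__main__":
    for name, pkt in [("wol", SAMPLE_WOL), ("secureon", SAMPLE_WOL_SECUREON),
                      ("padded", SAMPLE_PADDED), ("noise", SAMPLE_NOISE)]:
        print(f"{name:9s} -> {parse_magic_packet(pkt)}")
```

On a real network, feed the function the UDP payload of packets to port 7 or 9 (the ports WoL senders conventionally use) to log which hosts are being woken and by whom.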
 
Found an exploit and showed proof of concept in an Apple product. Nothing more than that.

If it was anyone else the same group praising Apple would call the other company in the wrong.

It is nothing more than Apple worship.

His job. That is all.

Of course, you're dealing with a crowd here that is uninitiated to how this job is done, so they hate and are angry out of misunderstanding.

I see. I can definitely be considered an Apple fanboy, but not like this; I can't see anything wrong with what Charlie or Apple did.
 
Unless you have proof of that, it's nothing but wild speculation to try to make the situation conform to your love of Apple.

Oh, yes, my love of Apple. :rolleyes: You know nothing about me.

Because you replied to my post that was a reply to a poster that had? :rolleyes:

Hence the "context". ;)

Basically, you interjected in a conversation; make sure to understand what you're interjecting into, uh?

I see. No one but you and the other poster allowed.
 
Miller is not the black hat community like the other poster alluded to. Context man, context. Miller did not divulge this information to Black hats 8 months in advance.
I did not say Miller was in the black hat community, and I did not say he divulged it to them. I said they've had 8 months to figure it out just like Miller did. You seem to think patching a subtle and complicated bug in an OS can be done in a couple of weeks, but 8 months is too short a time to develop an exploit. An exploit which, by the way, only needs to work some of the time and can introduce other bugs with impunity and cares not for legal liabilities. Real life isn't so simple or lopsided.
 
It just seems like Apple can't win with some people.

If they lock down the javascript compiler on the iPhone, it's a walled garden or Apple is intentionally slowing down apps. If they speed up javascript processing by allowing applications (outside of Mobile Safari) to leverage the faster Nitro engine then the nature of the JIT obviously allows for potential vulnerabilities. Make up your minds.

I guess as long as the haters get to hate on Apple, that's the most important thing... :rolleyes:

His job. That is all.
Just so we're clear, "his job" is to get people to pay to attend his conference sessions...
 
Previous exploits that have been identified and (only) reported took a very long time to be addressed by Apple.

Actually showing that this exploit urgently needs to be addressed is meant to speed things up.

He didn't "benefit" from the exploit...he showed that he was right and that it needed to be addressed.

His actions should be rewarded. Punishing an individual who had good intentions and didn't hurt anyone will not benefit Apple.

Next time, maybe this guy (or others like him) will just say "screw it...let Apple figure it out"...and by that time, some actual damage might get done.

Poor handling by Apple.

Of course he benefitted. The fact that a bunch of people outside the software industry know him by name now is a pretty nice way to gain some fame.

And apparently you're not a software developer. You don't know how long it takes to make a change and confirm that it doesn't break anything. Some bug fixes are easy to make and easy to confirm. Some bug fixes are the "omg that's going to be messy and potentially break a bunch of stuff; everybody better try this stuff out asap" and take months of discussion before something they're confident enough with is put together for release.

We don't know what the discussion looked like between Charlie and Apple. Maybe Apple ignored him. Maybe they said we'll fix it "soon." Maybe the fix is being tested in iOS 5.0.1 beta. Maybe Charlie waited as long as he could. Maybe he's playing the showmanship card for street cred.

But I can say this: it should have remained between Apple, Charlie, and security professionals. Involving customers is just not cool.

----------

Will glasses magically make Android 3.5 exist?

The latest version of Honeycomb is 3.2. I was questioning their findings on a non-existent version of Android.

http://developer.android.com/resources/dashboard/platform-versions.html
http://en.m.wikipedia.org/wiki/Android_version_history

Android 3.5 is probably early builds of ICS.
Remember, version numbers are an arbitrary thing and can always be in flux until final release.

The developer.android.com link is by released versions only, so it's incomplete.
The wikipedia page has to be updated by people, so it's also incomplete.
(update: just saw munkery posted the same thing)

----------

This guy reported a bug in OSX and after 9 months of Apple doing nothing he goes public. Patched 1 week later.

9 months? Where'd that come from?

As my friends from Infinite Loop would say, "what's the bug number?"
 
If somebody launched that app FOR THE FIRST TIME while he put some of the malicious code up that allowed him to browse the iPhone file system remotely he just gained access to a system illegally.
FTFY

That'd be right there with cracking the jackpot at next week's lottery to accomplish that. I doubt stock-app #85442 had that much public attention to get that chance. :D:apple:

So you admit that there was no practical reason for him to submit it to the App store; there was nothing to prove from a technical point of view.
Does anybody outside Apple actually know how the app-review works and what it really does test for?
CM clearly tested it. If the app won't get through, fine, working as intended.
But it got through. Oops.
 