So, Miller finds this bug in iOS 4.3, and waits until Oct. 14 to tell Apple - long after he submitted an exploit-laden app to the App Store.

Attention grabbing much? He's like a little kid throwing a tantrum.

Attention grabbing is what he is doing. Putting the spotlight on Apple so they have no choice but to fix this and so all of us iOS users are not at risk anymore. I applaud his efforts to make my computing device more secure.

----------

No, he did not. Apple take these reports very seriously even if they don't respond personally in a way that Charlie approves of.

So you're saying no one would have claimed the exploit code wouldn't have made it through the application approval process? :rolleyes:

Please, I wasn't born yesterday.
 
Charlie Miller may be very intelligent but short on wisdom.

He just tricked Apple into exposing its customers to an app that could violate their personal data. Supposedly he told them about the bug on October 14 (according to Forbes), but then he goes on the Internet and publicly shows off the exploit three weeks later. Then gets upset when his app is pulled and refers to Apple as "those bastards" on Twitter.

Apple now has to notify every user who downloaded his Instastock app that "by the way, we subjected your phone to an exploit and Charlie Miller may have had access to your personal information".

#1) Of course they have to pull the app rather than subject unsuspecting users to it. This is not being a "bastard"

#2) They are in a very bad position with some potentially some high-valued customers since an "Instastock" app would be appealing to wall street types to try out. Apple has to notify these folks that "by the way, you downloaded malware from the App Store".

#3) Apple has worked hard to keep the App Store secure and malware free. Only an idiot would believe that nothing would ever slip by, but certainly a single heavily publicized incident in which a single app does slip by could be extremely damaging. He certainly went about this the wrong way.

Charlie Miller should have simply shown them the bug and told Apple that he would make it publicly known by a certain date if Apple failed to fix it. Then Apple should have paid him a bounty for finding the bug and keeping it quiet. Certainly if he showed them on October 14, three weeks is not enough lead time for that.

It seems to me that Charlie Miller really wanted to have something to talk about at this upcoming conference and decided he needed a little media attention. He was too impatient to wait for an Apple fix. That's not how the white hat community is supposed to work; he should either make it public the very day Apple provides the fix or should have given Apple enough lead time to fix it.

You are certainly not supposed to expose a company's customers to an exploit the way he did. I would not be surprised if federal charges were brought against him. This is almost as stupid as the guys who posted the email addresses of iPad owners that they lifted from AT&T's original iPad data subscription web service.

I'm guessing that what Charlie wanted to do was prove that the App Store review process was not perfect and that he could in fact slip his bug past them. If he had told Apple about it, then he may not have been able to get the malware past Apple and proven that point. The mere fact that some Apps have released with unapproved "Easter Eggs" in the past has already proved that the process is not perfect -- so more likely Charlie wanted a little media attention in advance of this upcoming conference where he will speak.

The end result is that Charlie will likely continue to try to hack Apple devices and will be very quick to make the hacks public to embarrass Apple. But since he did that anyway, the only difference is that now he will do it without being a member of the developer program.
 
Attention grabbing is what he is doing. Putting the spotlight on Apple so they have no choice but to fix this and so all of us iOS users are not at risk anymore. I applaud his efforts to make my computing device more secure.

Oh, come on. Miller does this stuff all the time. Read some of his interviews - he does it for the attention. Period.
 
Now they have no choice but to stop everything else and address this issue - and it would not surprise me if they caused every app submitted since Charlie discovered the exploit to be pulled and no new apps approved until they have a fix in place. Could be weeks. Could cost us thousands in lost revenue.

Apple did have time to react. In fact they could probably have bought some time from him without any problem. Security is a business like anything else these days.

I highly doubt you or anybody else will lose one penny because of this. Apple needs to "simply" implement an additional step in the approval process, and they had weeks to do this already and they have another week before any information will go public.

And just for the record, I agree that the guy is a publicity w***e and that one could have gone differently about this whole thing. I just don't believe the repercussions will be as bad.

T.
 
And throughout computing history, that's always what it took to get corporations to react. He submitted the bug on Oct 14th and Apple will have had 1 month to issue a fix (temporary or permanent) by the time he does the disclosure.

That's just awful for such an important security flaw.

And just how do you know that it doesn't take a month to fix this and test it without breaking everything else? No, you don't know that, so don't make assumptions.
Security holes like this are very complicated and very difficult to patch easily. That's the point. Do it properly and don't make some half-arsed job because some jerk wanted publicity.
 
Charlie Miller should have simply shown them the bug and told Apple that he would make it publicly known by a certain date if Apple failed to fix it. Then Apple should have paid him a bounty for finding the bug and keeping it quiet. Certainly if he showed them on October 14, three weeks is not enough lead time for that.

Especially since he's had since March to come up with the exploit.

Bottom line: Miller knew about it in March, but waited until Oct. to notify Apple so he could grab some media attention. It's just Miller being himself - an attention whore.
 
I doubt we know the full story. There might be a personality problem or not. Nobody is perfect. However, the bottom line holds true:
With this move Apple discourages any honest, goodwill hacker from exploring security holes, leaving the field to the bad ones. Good luck next time.
 
This iOS issue isn't as serious as the article makes it out to be.

This bug doesn't include privilege escalation so it doesn't allow apps to be installed. It also doesn't have access to protected data storage and protected data entry.

This bug has no value in relation to mass automated malware. Computer criminals don't care about your photos and access to contacts is only meaningful to spread automated mass malware if a vector to make that malware profitable is present, which isn't the case with this bug.

__________

Google Android has a similar bug but the bug in Android does allow for privilege escalation.

The two Android vulnerabilities, which have been reported to Google but not yet patched, shown in this video are:

- A permission escalation allowing the installation of applications with arbitrary permissions without user approval.

- A privilege escalation targeting Android's Linux kernel that allows an unprivileged application to gain root access.

http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/

The kernel vulnerability in Android presented in the article above is patched but the other issue is still unpatched. These threats were publicly disclosed on Sept. 20, 2011 and were most likely reported to Google prior to being publicly disclosed.

More information about these Android issues is found in the following link:

http://www.securityfocus.com/bid/49709

__________

Apple's response time to fix critical iOS vulnerabilities has been much better than that of Google. Especially for critical bugs which include privilege escalation.
 
With this move Apple discourages any honest, goodwill hacker from exploring security holes, leaving the field to the bad ones. Good luck next time.

No, with this move, Apple discourages smartass, attention-craving people who quit their previous jobs because they didn't get the attention they wanted.
 
According to the original article he apparently did inform Apple and they did not give him a response.

Then that is the end of it. He informed Apple. They were made aware. There is nothing more that needs to be done. A concerned citizen, etc. They need not respond. Unless he has some ulterior motive. Which he does, because he likes his name in the tech headlines.

Well he certainly got it. But he violated Apple's TOS in doing so. Rules are rules. They apply to everyone. Even greedy, attention-seeking hackers who expect more than their due (which is no more than yours or mine.)
 
Apple should be thanking him. Did he go the right way about it? Probably not, but he got his point across. Just filing a bug report wouldn't have been noticed quite as much as a real-life application there exploiting the hole.

Anyway, I'm sure given a week or two Apple will backtrack and he'll have his developer license back.

Good work for finding a security hole.
 
Oh, come on. Miller does this stuff all the time. Read some of his interviews - he does it for the attention. Period.

Yes, he does. So do a lot of other security researchers. Again, like I've stated (and I hate repeating myself), that's because otherwise corporations don't react on these reports or react way too slowly.

Do you even pay attention to this stuff ? This is how stuff has been done for years, otherwise we wouldn't have the patches and fixes we do. Find, prove, report, wait a few weeks, publish. That's the modus operandi. It's not a Charlie Miller exclusive.

----------

And just how do you know that it doesn't take a month to fix this and test it without breaking everything else? No, you don't know that, so don't make assumptions.
Security holes like this are very complicated and very difficult to patch easily. That's the point. Do it properly and don't make some half-arsed job because some jerk wanted publicity.

Then the proper course would have been for Apple to contact him and arrange for more time before disclosure after they identified the issue and the fix proved non-trivial.

Jesus, it's as if this is the first time we've had a security flaw in the industry or something. :rolleyes: Oh no wait, it's just that I'm discussing it with the non-initiated who don't have actual knowledge of how this stuff is done.

----------

Computer criminals don't care about [...] access to contacts [...]

Yes, because mass-collection of e-mail addresses for spam lists is not really "the big thing" right ? :rolleyes: Sure, it's just a few more spam hits in the e-mail of all your friends, who cares how their address got leaked, they probably post all over themselves already.
 
I'm not fussy about the way that Charlie handled this. It seems as though Apple didn't respond quick enough for his liking.

However, Mr. Miller is clearly a pretty smart guy. I'd rather see cooler heads prevail. Apple should consider hiring the guy.
 
Whilst we must all really appreciate guys like this, working hard and picking up flaws Apple has missed or exposing holes in the coding of an OS, I'm not sure I feel comfortable with the guy letting the public download and install an app that would send him your personal information, just to prove the flaw.

I hope there is much more to this story than is being reported; otherwise he needs to explain why he felt letting the public prove the hole was there, rather than just telling Apple, was more important. I guess that criminal charges could be brought against the guy as he effectively knowingly hacked people's devices.
 
We have reported many bugs in iOS since the first iPhone, including some security holes. There is no reason for Charlie to be a jerk except that he is a jerk...

Apple accepts bug reports through many channels, and they address them as appropriate.

This exploit is likely going to delay all app approval now while Apple figures out how to test for this, because millions of iPhones running iOS 5.0 have this hole, and Charlie is going to tell the world how to exploit it..

The impact could be huge on new app submission approval.

Thanks for nothing, Jerk.

Jesus Christ. He hasn't committed murder or anything; on the contrary. It's a software bug that Apple refused to deal with which was pretty serious.

Media grabbing or not, it's got the attention of Apple and now they definitely have to do something. Especially being quite a big exploit in running code that is banned under the current rules.

It leaves Apple with the responsibility rather than the security researcher now. A very weird way to prove a point, but I'm sure Apple are revoking the license just to stay in line rather than make a special case. Pretty normal. As others have said, I'm sure he'll be speaking to Apple and making amends to get his developer's license back.

No point keeping this security researcher out of touch; especially if he can pull out these sorts of bugs which could do serious damage in the wrong hands.
 
And if he hadn't done the "wrong thing" and the "very wrong thing", you'd be the first to say "non-issue, wouldn't get through the App submission process". For iOS, the submission process itself is part of the security measures. If your proof of concept can't make it into the app store or be exploited on live devices, then you haven't found much of a security flaw.

He had to push this through to prove to people that it could be done. Otherwise, the people here, like yourself, that simply flame his efforts would be saying how he found nothing, some theoretical bug that would never be exploited in the wild.

You're right that the approval process is part of the security of the device. But the mere fact that past apps have snuck in "Easter Eggs" is already proof that the process is not perfect. So nobody should believe the process is perfect when we know some apps did video streaming over 3G before AT&T allowed it on their network as well as other fun things that caused their apps to be pulled after being approved.

Another route that Charlie Miller could have gone was to contact Eddy Cue about planting some "bad apps" in the approval process in order to internally test Apple's own approval process and the engineers doing the work. Cue or a manager reporting to him could have set it up so the apps would never go public, by having a "final veto" in place that would trigger an email to the approver telling them that they just got tricked into approving a bad app. This whole process could be handled internally without tricking Apple into exposing its customers to malware. When you start calling out instances of "bad apps" that got approved at quarterly meetings, you don't want to be one of the folks who did that.

Miller and Cue could have even set up a channel by which hackers could submit "bad apps" under fictional developer accounts to test the App Store process. Any app received through this method would simply be a test to see if the approvers are savvy enough to catch things, and then you can train them on how to catch them.

Nobody should have believed the App Store approval process was perfect given the past slips, but exposing somebody's customers to malware so that now they have to go contact those customers and tell them they may have been compromised is unwise.

Remember folks : People on MacRumors know crap about security flaws, their scope or the way we need to react to them. People on this forum (and I'll get downvoted here by them) *cheered* when the guy behind jailbreakme.com exploited the PDF bug in Safari to run arbitrary code on their devices without their intervention, simply through visiting a web page. These same people *booed* when Apple fixed that bug.

A bug that could have had disastrous effects on their personal data and device. This is the sort of crowd that is now insulting Charlie Miller. Sorry if I don't lend any credibility to the folks here on subject matters that relate to computing and security (not to generalize, some of the people here actually understand the issues, they just get drowned out by the masses who are completely ignorant on the subject and just want to put in their 2 cents to defend Apple).

Keep in mind that the guy who exposed the PDF bug also provided a fix with it. Right after you used the jailbreak you could patch your phone and close the door behind you. Those who jail broke their phones loved this. Also, his Web page was very clear that it was going to exploit a bug on your device to jailbreak. No secrets.

Charlie Miller just duped potentially many Apple users into downloading what they believed to be a stock ticker application. Those users currently don't know if he decided to take a copy of their personal data or not. They don't know if he decided to browse their photo libraries to check for inappropriate pictures of their girlfriends or wives. They don't know if he checked to see what kind of movies they like to watch. They don't know if he read their personal emails. They don't know if he downloaded their password value database and is now attempting to decrypt it. These users have been duped and they are probably very angry about it. This is a very different mode of operation than saying "click here to allow me to exploit a bug on your phone to do something".

The only way for Apple to save face with these customers who just got duped is to take swift action against Charlie Miller. They may even bring federal charges against him.

There were better ways for Charlie to go about this. I like Charlie and I think his efforts are great. But kicking him out of the dev program is not going to have any ill effects. He will still hack Apple devices to try to embarrass Apple, and this is what he did anyway. I'm glad Charlie Miller found this bug. I feel bad for users who downloaded his app and are now nervous about having potentially been compromised. I don't think a federal seizure of his computer and hard drives would be far-fetched in order to determine if he used the exploit against customers of the app. He crossed a line when he duped customers who bought the app. The app's description did not read "this is a fake stock ticker app that demonstrates an exploit in iOS", instead it read:

Get real time stock updates with this app. Configure the app with the stocks you want to follow and watch their values change in real time. Red and green flashes occur over the stocks as their value rises or falls.

I wish Charlie had taken an alternate course in getting this exposed. I wish Apple had offered him a job under Eddy Cue to head up a "plant bad apps" project to discover how savvy the reviewers are. I sure hope Apple is re-reviewing past apps right now for this exploit and taking measures to fix this in iOS 5.0.1.
 
Whilst we must all really appreciate guys like this, working hard and picking up flaws Apple has missed or exposing holes in the coding of an OS, I'm not sure I feel comfortable with the guy letting the public download and install an app that would send him your personal information, just to prove the flaw.

Hmm, where does it say his proof of concept actually uploaded your data? His proof of concept was downloading and executing code that was unsigned. This unsigned code has access to the same public APIs that standard applications use, which include access to your data on iOS (contacts, music, location, etc.), some with or without your explicit approval.

I hope there is much more to this story than is being reported; otherwise he needs to explain why he felt letting the public prove the hole was there, rather than just telling Apple, was more important. I guess that criminal charges could be brought against the guy as he effectively knowingly hacked people's devices.

He did tell Apple. He then waited a few weeks and now is on to the next phase in these reports which is public disclosure. This is how this stuff is done.

Sure, bring criminal charges against the good guys who are out there finding these and working to get corporations to fix them before the malicious guys get to write real exploits with real consequences. :rolleyes:
 
We can debate whether it was a good or bad idea to have Miller do what he did to demonstrate the severity and reality of the exploit he discovered; however, I'm almost certain his reasons weren't out of stupidity, ignorance or maliciousness towards Apple. If he had simply told Apple about it instead of testing it for real, Apple could fire back and state that

"Yeah, Charlie Miller found something but it would've likely not affected anyone realistically" or something along those lines, denying or merely downplaying the true severity of a real problem.

I say this based on Apple's track record of admitting serious security flaws regarding their operating systems, they always seem to blow it off like it's no big deal. Since Charlie was able to prove that the problem is real and confirmed to be 100% effective, it leaves Apple zero room to save face with excuses other than retaliate by canceling his dev account privileges.
 
Keep in mind that the guy who exposed the PDF bug also provided a fix with it. Right after you used the jailbreak you could patch your phone and close the door behind you. Those who jail broke their phones loved this. Also, his Web page was very clear that it was going to exploit a bug on your device to jailbreak. No secrets.

Sure, *that* web page was clear. What about other web pages that used this bug for more malicious intents? :rolleyes: That's the point, the PDF bug was not a jailbreakme.com exclusive that could only be triggered by their site.

And frankly, why boo Apple for fixing such a nasty bug for all of us who are not interested in jailbreaking our devices? Apple did the right thing in fixing it, breaking jailbreaking was a side effect of having a secure device, and I'm all for it. People who boo Apple for fixing this stuff have no grasp on the issues.

----------

I wish Charlie had taken an alternate course in getting this exposed. I wish Apple had offered him a job under Eddy Cue to head up a "plant bad apps" project to discover how savvy the reviewers are. I sure hope Apple is re-reviewing past apps right now for this exploit and taking measures to fix this in iOS 5.0.1.

Why would they hire him now? It's not the first time he's found exploits for OS X or iOS.
 
This iOS issue isn't as serious as the article makes it out to be

Apple's response time to fix critical iOS vulnerabilities has been much better than that of Google. Especially for critical bugs which include privilege escalation.

The link references Android 2.3.5 as the latest version vulnerable.

Are Android 2.3.7, 3.2 and 4.0 still affected at all?

Whilst the issues Google have with Android are potentially bad, I'm unsure what it has to do with the discovery, submission and approval of a potentially malicious app on a vetted application store such as Apple's.

A lot of people tout the approval process as the best safety net over rival platforms application distribution but this just emphasizes how much of a fallacy that is.
 
Yes, because mass-collection of e-mail addresses for spam lists is not really "the big thing" right ? :rolleyes: Sure, it's just a few more spam hits in the e-mail of all your friends, who cares how their address got leaked, they probably post all over themselves already.

Spam is not malware.

Try using an email service with more effective spam filtering if you are having issues with spam.

The primary vector for the mass collection of email addresses for spam is public profiles and commonly compromised social networking sites, such as Facebook.

Compromised systems are used to send spam but this doesn't apply to this bug in iOS because the function of the email client is integrated with the protected storage and this issue doesn't allow the installation of a third party email client.
 
Spam is not malware.

Nor did I say it was. But malware can be used to mine for valid e-mail addresses that then can be used for spam.

Try using an email service with more effective spam filtering if you are having issues with spam.

I'm not, doesn't mean we should let any old application collect lists of valid e-mails from our devices.

The primary vector for the mass collection of email addresses for spam is public profiles and commonly compromised social networking sites, such as Facebook.

And then there's secondary and tertiary vectors we shouldn't ignore.

Compromised systems are used to send spam but this doesn't apply to this bug in iOS because the function of the email client is integrated with the protected storage and this issue doesn't allow the installation of a third party email client.

Nor did I say it was. Obtuse much?

Downplaying security flaws only leads to tardy fixes. Unless you work for Apple, you have exactly 0 reasons to downplay this and should just keep quiet if all you're going to do is play at knight in shining armor. Apple is big and old enough to defend themselves.
 
He did tell Apple. He then waited a few weeks and now is on to the next phase in these reports which is public disclosure. This is how this stuff is done.

I don't know if Apple asked for more time to fix it. Usually you give at least a month, but technically Charlie is not divulging the details of the exploit until a conference next week so perhaps that is in line with a deadline he gave to Apple for fixing it.

I think the hardest thing for Apple here is the fact that he demonstrated the exploit along with the imperfect approval process in a single blow and now customers are worried about the potential of having been compromised. You could have sent a rather benign app through the review process to demonstrate it was imperfect (i.e.: one that allowed you to FaceTime over 3G). And then used another means of exposing this exploit.

Apple's problem (besides the security flaw) is the fact that they have customers that the app was provided to who are now uncertain about their personal data. What's more, the only person who may have accessed their personal data is Charlie Miller -- and he is a complete stranger to them. So there is going to be some focused anger against Charlie Miller. For Charlie to be upset about his app being pulled from the App Store is ridiculous though.
 
Lovely how knowledgeable and reasonable guys like KnightWRX et al. get downvoted. You guys crack me up.

And to the people crying foul over C.M. seeking attention: WELL DUH! That's the point. He hasn't disclosed the specifics of the exploit, or what the exploiting payload looks like. Just the app in the app-store which could load and execute the payload. Easy, guys.

Plus: scanning compiled binaries for this sort of functionality is next to pointless anyway. You can probe it for some API calls or something, but really juicy deals like this one? No chance. You'd be hard-pressed to find it with the source code, and only with a lot of time and money invested. Try that with hundreds of submitted apps and updates each day. :D:apple:
 
And to the people crying foul over C.M. seeking attention: WELL DUH! That's the point. He hasn't disclosed the specifics of the exploit, or what the exploiting payload looks like. Just the app in the app-store which could load and execute the payload. Easy, guys. :D:apple:

Not crying foul... Miller is whining about being kicked on Twitter, but what did he really expect would happen, given his personality?
 