Security Alert: first iPhone vulnerability

spacerog

New Member
Bronze
Jun 11, 2007
463
0
0
www.spacerogue.net
#22
From my comments about the hole

Remote iPhone exploit? Big Deal.
http://www.spacerogue.net/wordpress/

So basically continue safe computing practices, don’t be complacent and don’t put too much trust in your devices and you’ll be fine. Vulnerabilities that require user interaction like this one aren’t what you should be worrying about; attacks that compromise entire cell sites and infrastructure like the one that hit the Greece Olympics are what should be keeping you awake at night.

- SR
 

Iwantmymtv35

New Member
Bronze
Jul 2, 2007
134
0
0
#24
IMO, this isn't that big of a deal. There is no way I am gonna stop using Safari over a little security breach...
 

lilo

New Member
Bronze
Jul 2, 2007
66
0
0
#27
It depends...

IMO, this isn't that big of a deal.
If your name is Paris Hilton you may not want someone to get access to your e-mails and call log.

You probably might want to avoid logging in to your bank account and other sensitive sites.
 

GP78

New Member
Jul 2, 2007
23
0
0
NJ, USA
#28
If you read the post on engadget they talk about how it's actually any mobile-web capable phone like a windows mobile 5 or 6 phone... and not limited to the iPhone.

Basically it's called an iPhone exploit to get headlines and readers.

Basically as long as you use known, secured WiFi hotspots and don't click on any suspicious links... you'll be fine.
 

Jeff

New Member
Bronze
Jun 13, 2007
52
0
0
#30
If you read the post on engadget they talk about how it's actually any mobile-web capable phone like a windows mobile 5 or 6 phone... and not limited to the iPhone.

Basically it's called an iPhone exploit to get headlines and readers.

Basically as long as you use known, secured WiFi hotspots and don't click on any suspicious links... you'll be fine.

The article from Computerworld:

Researchers claim first iPhone vulnerability; exploit steals data, operates phone

Apple has until Aug. 2 to patch; after that, details go public at Black Hat




July 23, 2007 (Computerworld) -- Three security researchers claimed Sunday that they have found the first exploitable vulnerability in Apple Inc.'s iPhone, a flaw that allows them to steal any data from the device or even to turn it into a remote surveillance tool.
The trio -- Charles Miller, formerly with the National Security Agency; Jake Honoroff; and Joshua Mason of Baltimore-based Independent Security Evaluators (ISE) -- have notified Apple of the vulnerability and given the company less than two weeks to fix the bug before Miller presents more information at the Black Hat conference on Aug. 2.
According to a paper posted by the three (download PDF), they rooted out a vulnerability in the iPhone's version of Safari using "fuzzing" tools and wrote a proof-of-concept exploit that can be delivered from a malicious Web site or using "man in the middle" tactics to trick users into connecting to a malicious wireless access point.


Once the exploit runs, it's essentially game over, the researchers said: The iPhone is owned. "In our proof of concept, this code reads the log of SMS messages, the address book, the call history and the voicemail data," the researchers wrote on the ISE site. "It then transmits all this information to the attacker."


But wait -- there's more!
That, however, could be just the beginning.
The researchers claimed that a second exploit actually operated the iPhone remotely once the device was hijacked. "When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced [the iPhone] to make a system sound and vibrate for a second," they said in the paper. "Alternately, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party."


The vulnerability was reported to Apple last Tuesday, July 17. "We proposed a fix they could include in a future iPhone update," the researchers said, "but we don't know if they plan to do so. They responded and are looking into it."


In an e-mail late Sunday night, Apple spokeswoman Lynn Fox would only say: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We're looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security." She declined to answer questions about the Aug. 2 deadline, whether Apple would issue a patch before then, or what the company thought of the way the trio disclosed the vulnerability.
Miller will provide more information on the vulnerability and exploit at the upcoming Black Hat 2007 security conference, which opens next Saturday, July 28, in Las Vegas.


But is this the ethical way?
ISE's president, Avi Rubin, defended the decision to announce the existence of the vulnerability prior to a patch being made available by Apple. "Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers," said Rubin on his own blog Sunday. "People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high-tech devices." Rubin is familiar to many security observers from his research into problems with electronic voting systems.
The paper by Miller, Honoroff and Mason also spelled out a number of weaknesses in the iPhone's security architecture, although it didn't specifically pin the vulnerability on any of those flaws. One, however, most likely contributed to the reach of the exploit.


"There are serious problems with the design and implementation of security on the iPhone," the paper said. "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."
Other deficiencies the trio cited in the iPhone's operating system included not using address randomization -- a technique applied by Windows Vista that's designed to make it tougher for hackers to write reliable attack code -- and allowing code in the heap to execute.


Those last two shortcomings have been criticized in the desktop version of Mac OS X for some time.

Three months ago, during the fallout after a hacking contest that jacked a MacBook Pro notebook, HD Moore -- the vulnerability researcher noted for the Metasploit hacking and attack testing software -- took on the claim that Mac OS X is safer than Windows. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore then. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult."


The ISE researchers have also posted a short video of their .
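
The three weaknesses the quoted paper lists (processes running with administrative privileges, no address randomization, executable heap) can all be checked from a process's memory map. The following is an added example, not part of the thread or of the ISE paper; it assumes Linux `/proc/<pid>/maps` text as a stand-in format, and the sample maps, paths and uid values are constructed.

```python
import re

# Constructed samples in Linux /proc/<pid>/maps layout (an assumed stand-in
# format): two launches each of a weak and a hardened hypothetical process.
WEAK_1 = WEAK_2 = """\
00400000-0044c000 r-xp 00000000 08:01 1311 /usr/bin/browser
01a2b000-01a4c000 rwxp 00000000 00:00 0 [heap]
7ffd1000-7fff2000 rw-p 00000000 00:00 0 [stack]
"""
HARD_1 = """\
5581a000-5581f000 r-xp 00000000 08:01 1311 /usr/bin/browser
56b30000-56b51000 rw-p 00000000 00:00 0 [heap]
7ffc2000-7ffe3000 rw-p 00000000 00:00 0 [stack]
"""
HARD_2 = """\
5633c000-56341000 r-xp 00000000 08:01 1311 /usr/bin/browser
57d04000-57d25000 rw-p 00000000 00:00 0 [heap]
7ffe9000-7fffa000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ ([rwxps-]{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Return (start_address, permissions, path) for each mapping line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), m.group(2), m.group(3) or "[anon]"))
    return regions

def fixed_bases(run_1, run_2):
    """Paths whose first mapping sits at the same address in both launches."""
    first = lambda text: {p: a for a, _, p in reversed(parse_maps(text))}
    a, b = first(run_1), first(run_2)
    return sorted(p for p in a if a[p] == b.get(p))

def audit(run_1, run_2, uid):
    """Report the three weaknesses the paper names for one process."""
    findings = ["runs as root"] if uid == 0 else []
    findings += [f"writable+executable mapping: {p}"
                 for _, perms, p in parse_maps(run_1) if "w" in perms and "x" in perms]
    findings += [f"same base address on every launch: {p}" for p in fixed_bases(run_1, run_2)]
    return findings

if __name__ == "__main__":
    print(audit(WEAK_1, WEAK_2, uid=0))
    print(audit(HARD_1, HARD_2, uid=501))
```
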
 

spacerog

New Member
Bronze
Jun 11, 2007
463
0
0
www.spacerogue.net
#31
Duplicate thread. Just a different article about the same thing. For those too lazy to click the link, here are the first two paragraphs.

Today's New York Times includes iPhone Flaw Lets Hackers Take Over, Security Firm Says (never let it be said that American paper headlines aren't literal) by John Schwartz, who has had a direct demonstration of an iPhone being in effect taken over after visiting a malicious website.

And the researchers have in effect given Apple until August 2 to fix the problem (which they have already told the company about in detail): on that day, they will publish full details of the vulnerability, according to their website.
 

lilo

New Member
Bronze
Jul 2, 2007
66
0
0
#32
That is a different problem

If you read the post on engadget ...
This is a totally different problem. The fault is in Safari and can be exploited via any type of connection (including WiFi). WM devices do not use Safari.
 

joe

New Member
Gold
May 5, 2007
1,113
0
0
#34
This is a totally different problem. The fault is in Safari and can be exploited via any type of connection (including WiFi). WM devices do not use Safari.
On a positive note, this issue may trigger an iPhone update sooner rather than later. :)
 

lilo

New Member
Bronze
Jul 2, 2007
66
0
0
#35
It's hard to tell

Think they will implement other updates as well on Aug 2nd?
But Apple is under pressure to deliver a fix for this problem and if there are any other updates ready they might as well release them. So, in a way, it is good news. :)
 

wjp09

Zealot
Gold
Feb 25, 2007
2,559
25
48
NJ
#36
If you guys haven't noticed, this can happen with laptops too; nothing new. Many phishers will go to local coffee shops and copy the credit card screens there and use the same SSID, since many laptops *and iPhones* register spots based off the SSID.
 

lilo

New Member
Bronze
Jul 2, 2007
66
0
0
#37
WiFi is not the only problem

If you guys haven't noticed this can happen with laptops too nothing new...
It is true that Apple laptops also run Safari, however the article states: "According to a paper posted by the three (download PDF), they rooted out a vulnerability in the iPhone's version of Safari using "fuzzing" tools and wrote a proof-of-concept exploit that can be delivered from a malicious Web site or using "man in the middle" tactics to trick users into connecting to a malicious wireless access point."

So, using a malicious wireless access point is just one scenario. The phone can also be broken into when a user simply goes to a "wrong" web site.
 

ja_vo

New Member
Bronze
Jun 17, 2007
236
0
0
Atlanta, GA
#39
Duplicate thread. Just a different article about the same thing. For those too lazy to click the link, here are the first two paragraphs.

Today's New York Times includes iPhone Flaw Lets Hackers Take Over, Security Firm Says (never let it be said that American paper headlines aren't literal) by John Schwartz, who has had a direct demonstration of an iPhone being in effect taken over after visiting a malicious website.

And the researchers have in effect given Apple until August 2 to fix the problem (which they have already told the company about in detail): on that day, they will publish full details of the vulnerability, according to their website.
lol...........:laugh2:
 

DRabbit

New Member
Bronze
Jul 2, 2007
383
0
0
#40
Maybe now they have to put that software update?
Or maybe now there's just something else to HOLD UP software updates that bring us other things. If they have to concentrate first on security, things like iChat seem less important.

I don't know how big a deal all this really is... I also think anyone who puts out threats to reveal the specifics of a vulnerability has motives that aren't so innocent.