
NYT reports on first announced iPhone vulnerability

Happy Monday, everyone; are you done reading Potter yet? Here's a somewhat less magical story for you. Today's New York Times includes an article with the utterly un-sensational headline "IPhone Flaw Lets Hackers Take Over, Security Firm Says" (yes, Times-style requires that even the 'i' in iPhone be capitalized in a headline), discussing the discovery of a buffer overflow exploit in Mobile Safari. The exploit, which can be triggered by browsing to a malicious page in Safari from the phone, claims to allow the execution of arbitrary code, and could expose personal information to an attacker. The exploit is not in the wild and has been reported to Apple; full details are at the Independent Security Evaluators site.

Is this a very bad thing? Not necessarily; it's not a zero-day vulnerability, the research team is communicating with Apple, and there is no released exploit code out there in the big bad Internet that can currently zombify your iPhone. Unlike many smartphones, which may not have a frequent firmware update mechanism, the iPhone syncs to iTunes constantly and can be updated at any point, so one would hope this gets patched rapidly. If you use some basic precautions (don't click mystery links, don't use unfamiliar wireless access) you should be covered if something like this ever sees general distribution.

Is this, on the other hand, a top-notch opportunity for some iPhone and Mac OS X security FUD from the Grey Lady? You betcha. Let's take a look at some of the assertions in the article, and compare them with both the claims of the vulnerability discoverers and the reality on the ground.


In the second paragraph, the Times story states that the exploit "could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code." If you read that they can hijack iPhones through a WiFi connection, that's pretty worrisome, right? Here's the real deal: if your iPhone connects to a malicious wireless network, and you surf to a web page (which the black hats replace with a poison page), you'd get the malware. Erica calls this the "Panera Bread" problem, where the bad guys set up an access point with the same name as a popular, trusted point. This exploit does not allow an attack from a remote machine on a shared WiFi network that is uncompromised; you'd have to connect to a WLAN specifically configured and owned to catch iPhones. If you use WiFi only when you have access to a trusted WLAN, you're in the clear on that score (if you click a mystery, malicious link, you're potentially affected regardless of your connectivity).

The exploit allows running arbitrary code, so both the Times and the exploit page suggest that this could theoretically be used to record and transmit room audio to an attacker. Only one problem with that plan: the iPhone's recording capability is itself theoretical at this point, and no application or sample code to do this is available.

You might think from reading the article that this vulnerability isn't only the first for the iPhone but the first ever reported on any smartphone anywhere. The Times quotes CS prof Steven M. Bellovin of Columbia University: "This looks like a very genuine hack." Bellovin goes on to mention that he "suspected that phones based on the Windows mobile operating system would be similarly 'attackable,' though he had not yet heard of any attacks." Dr. Bellovin must be unfamiliar with a technology called Google, which revealed reports of vulnerabilities both in IE for Windows Mobile and in MMS, which could be exploited simply by the recipient opening a malicious message. Even the corporate-friendly Blackberry platform has a security problem, where the Blackberry Enterprise Server could open a back-channel for evil Java apps to target internal systems. The only thing extraordinary about an iPhone vulnerability is the publicity to be gained by discovering one.

It's also interesting to read the comments of ISE founder Aviel Rubin (who, to his credit, also insists that he's keeping his iPhone: "You'll have to pry it out of my cold, dead hands to get it away from me") about the relative security of Apple products.

[Rubin said] the research was not intended to show that the iPhone was necessarily more vulnerable to hacking than other phones, or that Apple products were less secure than those from other companies. "Anything as complex as a computer - which is what this phone is - is going to have vulnerabilities," he said.

There are far more viruses, worms and other malicious software affecting Windows systems than Apple systems. But Mr. Rubin said that Apple products have drawn fewer attacks because the computers have fewer users, and hackers reach for the greatest impact.

"Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows," he said. "The other 5 percent have enjoyed a honeymoon that will eventually come to an end."


Never mind the fact that an article about the iPhone as a malware target has suddenly turned the corner into discussing Mac OS X vulnerabilities (and apparently Dr. Rubin has a bad case of "Can't Remember That Apple's The Company And Mac OS X is the OS" disorder), although that's certainly a bit of journalistic whiplash. The real problem here is that he's stating a theory of Mac OS X security that has been thoroughly discredited.

I could go on and on about the "Mac OS X has security by obscurity" argument; many security researchers who are otherwise clever folk but apparently not experts in population statistics continue to repeat this canard. One would think, however, that the Times could at least run that quote by their own computer columnist, who disavowed the argument back in 2003 and again last year (comparing OS X and Windows XP at the time; the malware score is still something on the order of 3 to 200,000+). Plenty of other reputable sources have debunked the myth of security by obscurity, so no need to repeat that here. We can summarize by paraphrasing Mr. Rubin himself: Windows XP gets hacked all the time not only because it is more insecure than Mac OS X, but because malicious parties can profit by the exploitation. The Mac OS X and iPhone honeymoon may come to an end, but it would take a lot of malware to get even close to the stuff that Windows XP users have to put up with.

Anyway, let's be careful out there. Bring extra pinches of salt for your morning paper.

Thanks Nick

Doug Ross

Gopi, good comment. Smart folks who connect to an unknown wireless network will go right to an SSL proxy or SSL VPN (no cleartext responses allowed) to prevent an attacker from imitating the server.

July 24 2007 at 5:13 PM
Michael Rose

#20, #23 -- Kai & basscadet, I'm not arguing that the vulnerability is trivial or nonexistent; I agree that it's a serious problem and I'm glad that Apple has been informed of the problem.

My issues are with the way the NYT (and the security researchers to a lesser extent) conflated the iPhone issue with the larger "Mac security is due to lesser market share" theory, and with the inaccurate statements in the NYT report.

July 24 2007 at 7:10 AM
basscadet

Oh, and denial won't make the iPhone safer. I'd rather have security firms uncovering security flaws than the hackers that will use them without publicizing them to the media. Don't give them flak as if they're part of a Redmond conspiracy, and accept that nothing is perfect.

July 24 2007 at 3:48 AM
basscadet

more details here:
http://www.newsfactor.com/story.xhtml?story_id=54043

I'm not sure who's to blame for the vulnerability, the iPhone OS, Safari or both. It seems like a rather dangerous exploit (no way the iPhone can be used as a business phone) if phishing mails start sending out URLs with malicious content. Let's see how fast Apple deploys a patch.

July 24 2007 at 3:44 AM
Kai Cherry

Ah, the blinders are on full, I see.

I'll tell you this: if this isn't patched by Apple by the 2nd of August, the 3rd of August should be a VERY interesting day indeed :)

Stability and Security indeed.

You'd be a fool to try out "Kewl New iPhone Killer Web App Dot Com" because, kids, as the man said, this runs as *uid 0* on the phone.

Essentially, the iPhone's OS, OS X v1.0, is at least one order of magnitude less secure than Mac OS X, simply because every single thing on the phone runs as "root".

If you have no idea what the implications of this are, then that's sad, but I'm telling you, this entire thing should be taken very, very seriously and someone at Apple should be slapped silly, because all of the "security" is tossed out the window when every single process is granted superuser privs.

July 24 2007 at 2:07 AM
Fernando

"Happy Monday, everyone; are you done reading Potter yet?"

Why yes, thank you for asking.

July 23 2007 at 1:58 PM
ggolinsky

I don't think this is a display on Mac security, for the PC fanboys who will bring this up. It says to me that the iPhone is a very popular device, and was not designed with the same security implementations as a computer.
Apple should be able to patch this quickly. (And they're in trouble if they don't).

July 23 2007 at 1:02 PM
gopi

"This exploit does not allow an attack from a remote machine on a shared WiFi network that is uncompromised; you'd have to connect to a WLAN specifically configured and owned to catch iPhones."

This is not accurate. HTTP injection attacks have been demonstrated that do _not_ require that you own the WLAN AP.

The way it works is very simple: The attacker sits on the WLAN network and runs a packet sniffer - this allows his computer to see everything you send over the WLAN network.

When you send a request to a particular web site, the remote web site will take a little bit of time to respond. Not long, but, and this is the key, the attacker's computer can respond more quickly since it's on the local network.

The attacker's computer sends a response that pretends to be from the web site you want to visit, and sends it before the real web site responds. By the time the real web site responds, your computer has already gotten the evil packets and will usually just ignore the response from the real web server.

Here's an example of an injection attack some guys did in the wild:
http://evilscheme.org/defcon/

The bottom line is that data sent to you over the Internet must be assumed to be malicious. Any time you don't work with that assumption, you will be burned. The only question is how bad your burns will be.

This attack will not be seriously harmful, in my opinion, for a few weeks at least. It requires extremely specialized knowledge which few people have.

July 23 2007 at 12:46 PM
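The race gopi describes, as an added example that is not from the post or any commenter: a passive monitor over a constructed (not captured) set of simplified TCP segments flags two replies from the "server" at the same sequence number carrying different bytes, which only happens when a second host answered the same request. Segment dicts, addresses, TTLs and timings are all assumptions made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic). The forged reply arrives 3 ms after
# the request with a LAN host's TTL of 64; the genuine reply arrives 77 ms later,
# from farther away (TTL 52), at the same sequence number. First arrival wins.
SAMPLE_SEGMENTS = [
    {"t": 0.000, "src": "10.0.0.7:51000", "dst": "203.0.113.10:80", "seq": 1000,
     "ttl": 64, "data": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"t": 0.003, "src": "203.0.113.10:80", "dst": "10.0.0.7:51000", "seq": 5000,
     "ttl": 64, "data": b"HTTP/1.1 200 OK\r\n\r\n<script src=//evil.test/x.js>"},
    {"t": 0.080, "src": "203.0.113.10:80", "dst": "10.0.0.7:51000", "seq": 5000,
     "ttl": 52, "data": b"HTTP/1.1 200 OK\r\n\r\n<html>welcome</html>"},
]

def flow_key(seg):
    """Direction-independent identifier so both ends of a connection share a bucket."""
    return tuple(sorted((seg["src"], seg["dst"])))

def find_injected_responses(segments):
    """Flag segments that reuse a sequence number already seen from the same sender
    in the same flow but carry different bytes. An identical repeat is an ordinary
    retransmission; different bytes mean two hosts answered the same request."""
    first_seen = defaultdict(dict)  # flow -> {(sender, seq): first segment seen}
    alerts = []
    for seg in sorted(segments, key=lambda s: s["t"]):
        bucket = first_seen[flow_key(seg)]
        key = (seg["src"], seg["seq"])
        first = bucket.get(key)
        if first is None:
            bucket[key] = seg
            continue
        if first["data"] == seg["data"]:
            continue  # plain retransmission, not a conflict
        alerts.append({
            "flow": flow_key(seg),
            "seq": seg["seq"],
            "kept_by_client": first["data"],      # the client already consumed this
            "dropped_by_client": seg["data"],     # overlaps data already received
            "ttl_mismatch": first["ttl"] != seg["ttl"],  # LAN host vs. remote server
            "gap_ms": round((seg["t"] - first["t"]) * 1000, 1),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_injected_responses(SAMPLE_SEGMENTS):
        print(f"conflicting replies in {alert['flow']} at seq {alert['seq']}: "
              f"ttl_mismatch={alert['ttl_mismatch']} gap={alert['gap_ms']}ms")
```

The TTL difference is corroboration, not proof; the conflicting payload at one sequence position is the actual signal. This only detects the race, while the TLS proxy or VPN Doug Ross mentions removes it, since a forged reply cannot be authenticated by the client.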
JD

"Newspapers, especially the NY Times, have a god complex when it comes to language, and have anointed themselves arbiters of English usage"

Sure, but does that excuse Apple's God Complex with regard to everything they do?

July 23 2007 at 12:01 PM
Ben Englert

I don't understand. Don't we WANT to execute arbitrary code on the iPhone?

We just prefer it be our arbitrary code and not someone else's.

July 23 2007 at 11:53 AM