Filed under: Analysis / Opinion, iPhone
NYT reports on first announced iPhone vulnerability
Happy Monday, everyone; are you done reading Potter yet? Here's a somewhat less magical story for you. Today's New York Times includes an article with the utterly un-sensational headline "IPhone Flaw Lets Hackers Take Over, Security Firm Says" (yes, Times-style requires that even the 'i' in iPhone be capitalized in a headline), discussing the discovery of a buffer overflow in Mobile Safari. The exploit, which is triggered by browsing to a malicious page in Safari from the phone, is claimed to allow the execution of arbitrary code, and could therefore expose personal information (or anything else on the phone) to an attacker. The exploit is not in the wild and has been reported to Apple; full details are at the Independent Security Evaluators site.

Is this a very bad thing? Not necessarily. The bug is unpatched, but it is not being exploited in the wild: the research team is communicating with Apple, and there is no released exploit code out there in the big bad Internet that can currently zombify your iPhone. Unlike many smartphones, which may not have a frequent firmware update mechanism, the iPhone syncs to iTunes constantly and can be updated at any point, so one would hope this gets patched rapidly. If you use some basic precautions (don't click mystery links, don't use unfamiliar wireless access) you should be covered if something like this ever sees general distribution.
Is this, on the other hand, a top-notch opportunity for some iPhone and Mac OS X security FUD from the Grey Lady? You betcha. Let's take a look at some of the assertions in the article, and compare them with both the claims of the vulnerability discoverers and the reality on the ground.
In the second paragraph, the Times story states that the exploit "could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code." If you read that as "they can hijack iPhones through a WiFi connection," that's pretty worrisome, right? Here's the real deal: the attack is still a web page. If your iPhone is on a wireless network the bad guys control, and you surf to any page over plain HTTP, they can hand you the poison page in place of the one you asked for, and you get the malware. Erica calls this the "Panera Bread" problem, where the bad guys set up an access point with the same name as a popular, trusted one. Owning the access point is the easy way, but it isn't strictly required: because Safari fetches most pages over unencrypted HTTP, anyone on the same shared WLAN (the coffee shop's real network, not just an evil twin of it) can spoof DNS or ARP, or simply answer your request faster than the distant real server does, and feed you the same page. What the exploit does not do is reach out and touch an iPhone that isn't browsing; it needs Safari to load the attacker's content. If you use WiFi only on networks you trust, and don't browse on the ones you don't, you're in the clear on that score (if you click a mystery, malicious link, you're potentially affected regardless of your connectivity).
The exploit allows running arbitrary code, so both the Times and the exploit page suggest that this could theoretically be used to record and transmit room audio to an attacker. One problem with that plan: the iPhone's recording capability is itself theoretical at this point, and no application or sample code to do this is available. Don't lean on that too hard, though. Code that already runs natively on the phone doesn't need an SDK or Apple's blessing; the microphone works for phone calls, so the hardware and drivers are there for an attacker willing to do the legwork. "Nobody has published a recorder yet" is a statement about effort, not about what's possible.
You might think from reading the article that this vulnerability isn't only the first for the iPhone but the first ever reported on any smartphone anywhere. The Times quotes CS prof Steven M. Bellovin of Columbia University: "This looks like a very genuine hack." Bellovin goes on to say that he "suspected that phones based on the Windows Mobile operating system would be similarly 'attackable,' though he had not yet heard of any attacks." Dr. Bellovin must be unfamiliar with a technology called Google, which turns up reports of vulnerabilities both in Internet Explorer for Windows Mobile and in MMS handling, the latter exploitable simply by the recipient opening a malicious message. Even the corporate-friendly BlackBerry platform has had a security problem, where the BlackBerry Enterprise Server could open a back-channel for evil Java apps to target internal systems. The only thing extraordinary about an iPhone vulnerability is the publicity to be gained by discovering one.
It's also interesting to read the comments of ISE founder Aviel Rubin (who, to his credit, also insists that he's keeping his iPhone: "You'll have to pry it out of my cold, dead hands to get it away from me") about the relative security of Apple products.
[Rubin said] the research was not intended to show that the iPhone was necessarily more vulnerable to hacking than other phones, or that Apple products were less secure than those from other companies. "Anything as complex as a computer - which is what this phone is - is going to have vulnerabilities," he said.
There are far more viruses, worms and other malicious software affecting Windows systems than Apple systems. But Mr. Rubin said that Apple products have drawn fewer attacks because the computers have fewer users, and hackers reach for the greatest impact.
"Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows," he said. "The other 5 percent have enjoyed a honeymoon that will eventually come to an end."
Never mind that an article about the iPhone as a malware target has suddenly turned the corner into discussing Mac OS X vulnerabilities (and that Dr. Rubin apparently has a bad case of "Can't Remember That Apple's The Company And Mac OS X Is The OS" disorder); that's merely journalistic whiplash. The real problem is that he's stating a theory of Mac OS X security that has been thoroughly discredited.
I could go on and on about the "Mac OS X has security by obscurity" argument (more precisely, the claim that market share alone accounts for the malware gap); many security researchers who are otherwise clever folk but apparently not experts in population statistics continue to repeat this canard. One would think, however, that the Times could at least run that quote by their own computer columnist, who disavowed the argument back in 2003 and again last year (comparing OS X and Windows XP at the time; the malware score is still something on the order of 3 to 200,000+). Plenty of other reputable sources have debunked the myth, so no need to repeat that here. We can summarize by paraphrasing Mr. Rubin himself: Windows XP gets hacked all the time not only because it is more insecure than Mac OS X, but because malicious parties can profit by the exploitation. The Mac OS X and iPhone honeymoon may come to an end, but it would take a lot of malware to get even close to the stuff that Windows XP users have to put up with.
Anyway, let's be careful out there. Bring extra pinches of salt for your morning paper.
Thanks Nick


Reader Comments (Page 1 of 2)
Mark said 1:51AM on 7-23-2007
"Yes, Times-style requires that even the 'i' in iPhone be capitalized in a headline..."
AP style mandates that the first letter of a title be capitalized, regardless of Apple's marketing department's preference.
Reply
Joost Schuur said 2:10AM on 7-23-2007
I wish my iPhone could execute arbitrary code and not just web apps. I'd call that a feature ;)
Reply
Doug McIntosh said 3:06AM on 7-23-2007
The NYTimes article is FUD of the first order. He took HIS phone and browsed to HIS website? Am I the only one who smells a rat?
Yeah, let's see that with a "fresh" iPhone. 'Til then, forget it!
Reply
Michael said 3:58AM on 7-23-2007
I lost my sympathy for Rubin when he repeated his little piece of propaganda about market-share and OS vulnerabilities. His suggestion is a reasonable (if unprovable) suggestion - up to a point. But it's presented by him as fact not as a possible explanation.
More to the point, as Michael Rose points out, it has absolutely nothing to do with the iPhone. It makes one immediately suspicious of Rubin's bona fides - as one is of the numerous others who keep repeating this little talking point at any and every opportunity.
I'd suggest those who like to keep saying this need to refresh their memories with consideration of some of the destructive malware episodes from the past. As example, consider the ILOVEYOU Worm:
"This particular malware caused widespread outage for an estimated $5.5 billion in damage, making it the most damaging worm ever."
http://en.wikipedia.org/wiki/ILOVEYOU
This worm, which ran on Windows, was able to cause so much damage not merely because Windows had a large market share but because ***Microsoft allowed scripts to run in its mail clients***.
It wasn't market share that was responsible but a stupid design decision.
I also can't help noticing that Windows IIS is *not* the dominant server platform, but has had far more than its share of vulnerabilities. At one time the US Government's Department of Homeland Security actually advised people simply not to use it, because it thought it was so bad.
Reply
Tom said 5:24AM on 7-23-2007
This is not a surprise, it was only a matter of time. Hopefully Apple is on top of this and getting an update ready to be released before Defcon.
By the way, the Info Sec Sellout jackass needs to take note of how ISS handled this... i.e. not being a childish attention hungry asshole.
Reply
Fritz Laurel said 6:01AM on 7-23-2007
And just what code do they think someone could inject without an iPhone SDK?
Not a big deal, methinks. At least not at the moment.
Reply
JeffDM said 9:09AM on 7-23-2007
I really don't see a problem with the article title capitalization. I don't think writing standards should change just because a few companies come up with lame trademark or company names, like iPod and nVidia.
Reply
DanRobinson said 9:26AM on 7-23-2007
Re: #7
Newspapers, especially the NY Times, have a god complex when it comes to language, and have anointed themselves arbiters of English usage. If Webster were alive today, he'd roll over in his grave. When I spell my name phyDoux, no newspaper has the right to spell it Fido or capitalize it. They are simply spelling words wrong in a lexicographical pissing contest.
Re: #2
Me too. I want a way to put RTFs, PDFs, and other formats on my iPhone to read later (without having to put them on a web site).
Reply
Mr. Shabadoo said 9:41AM on 7-23-2007
>> 1. "Yes, Times-style requires that even the 'i' in iPhone be capitalized in a headline..."
AP style mandates that the first letter of a title be capitalized, regardless of Apple's marketing department's preference.
umm, e.e. cummings would beg to disagree. the times's style guide is not an excuse to munge proper names, which munging is an explicit inaccuracy.
Reply
Tyler LaVite said 10:05AM on 7-23-2007
Yeah, and this also proves that Alex Jones' story about the iPhone is bullshit. Check it out: basically all he is doing is claiming this vulnerability is being used by our gov. to spy on us. Now I do believe the government does all that, but listen to his iPhone claim.
http://www.prisonplanet.com/articles/july2007/200707iphonesurveillance.htm
Reply
CRH said 10:14AM on 7-23-2007
Why do people still read the New York Times?
Reply
Michael Rose said 10:33AM on 7-23-2007
Thanks for the comments, everyone.
#3 -- Doug, I don't mean to cast doubt on the authenticity of the exploit; the research seems legit and a Safari buffer overflow is not that surprising. What I tried to do in the post (possibly not that successfully, it was very late) was point out the conflations of the claims/facts of the exploit versus the suppositions and "Macs are just more obscure, not more secure" silliness of the NYT article.
Reply
K. Mitchell said 10:42AM on 7-23-2007
That's all I see on the internet anymore whenever I do a search for the iPhone articles. It's just a race to see who can try to uncover the most interesting information to discredit the iPhone as quickly as possible. I appreciate this article which takes a somewhat defensive but an honest approach to this vulnerability issue. There's been nothing but propaganda from the start. The honest truth is that there isn't as much wrong with the iPhone as people like to say.
Reply
Aron Trimble said 10:46AM on 7-23-2007
I love how I can watch my AAPL fluctuate and then visit TUAW to read which POS news organization is spewing the latest FUD.
This post has been brought to you by the letter "Y" - reminding everyone that even vowels break the rules. And also by acronyms; the favourite product of millions of txtrs everywhere! TTYL!
Reply
sholt said 11:02AM on 7-23-2007
This article implies the threat this vulnerability poses only exists over a malicious WiFi network. This is untrue.
As stated in the preliminary report (http://www.securityevaluators.com/iphone), this is an attack based on MobileSafari's rendering of a malicious website, and any untrusted website is a potential vector; your standard phishing attacks would work just as well here.
That said, the security company has already submitted the vulnerability information to Apple, and supposedly even provided a patch. I expect this to be patched by Apple before the Aug. 2nd full disclosure.
Reply
JeffDM said 12:01PM on 7-23-2007
"Newspapers, especially the NY Times, have a god complex when it comes to language, and have anointed themselves arbiters of English usage"
Sure, but does that excuse Apple's God Complex with regard to everything they do?
Reply
Ben Englert said 12:08PM on 7-23-2007
I don't understand. Don't we WANT to execute arbitrary code on the iPhone?
We just prefer it be our arbitrary code and not someone else's.
Reply
gopi said 1:06PM on 7-23-2007
"This exploit does not allow an attack from a remote machine on a shared WiFi network that is uncompromised; you'd have to connect to a WLAN specifically configured and owned to catch iPhones."
This is not accurate. HTTP injection attacks have been demonstrated that do _not_ require that you own the WLAN AP.
The way it works is very simple: The attacker sits on the WLAN network and runs a packet sniffer - this allows his computer to see everything you send over the WLAN network.
When you send a request to a particular web site, the remote web site will take a little bit of time to respond. Not long, but, and this is the key, the attacker's computer can respond more quickly since it's on the local network.
The attacker's computer sends a response that pretends to be from the web site you want to visit, and sends it before the real web site responds. By the time the real web site responds, your computer has already gotten the evil packets and will usually just ignore the response from the real web server.
Here's an example of an injection attack some guys did in the wild:
http://evilscheme.org/defcon/
The bottom line is that data sent to you over the Internet must be assumed to be malicious. Any time you don't work with that assumption, you will be burned. The only question is how bad your burns will be.
This attack will not be seriously harmful, in my opinion, for a few weeks at least. It requires extremely specialized knowledge which few people have.
Reply
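The response-injection race described in the comment above (and the malicious-network vector discussed in the post) as a runnable model. This is an added example, not code from the post, from ISE, or from the evilscheme.org write-up: the hosts, addresses, timings and page contents are constructed, and an HMAC over each segment stands in for the TLS record protection an HTTPS connection would give the victim. It shows why sniffing the victim's request is enough to win the race on plain HTTP, and why the same forged reply is discarded when the response is authenticated with a key the attacker does not have.

```python
"""Model of an HTTP response-injection race on a shared WLAN.

Constructed example: addresses, timings and page contents are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_IP = "203.0.113.10"    # the real web server (RFC 5737 documentation range)
VICTIM_IP = "192.168.1.23"    # the phone, on the shared wireless network
ATTACKER_IP = "192.168.1.66"  # a laptop on the same network, sniffing; never a source address

REAL_PAGE = b"<html>welcome to the real site</html>"
EVIL_PAGE = b"<html>attacker-controlled page</html>"


@dataclass(order=True)
class Segment:
    """One TCP segment; only arrival time is used for ordering."""
    arrival_ms: float
    src: str = field(compare=False)
    dst: str = field(compare=False)
    seq: int = field(compare=False)
    ack: int = field(compare=False)
    payload: bytes = field(compare=False)
    tag: bytes = field(default=b"", compare=False)  # record MAC; empty on plain HTTP


def record_tag(key, seq, payload):
    """Stand-in for TLS record protection: binds the bytes to their position
    in the stream under a key the attacker never sees."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Victim:
    """The browser's receive side, reduced to the checks that decide the race."""

    def __init__(self, server_ip, expected_seq, session_key=None):
        self.server_ip = server_ip
        self.expected_seq = expected_seq  # next byte the peer may send (known from the handshake)
        self.session_key = session_key    # None for plain HTTP
        self.page = None
        self.log = []

    def receive(self, seg):
        stamp = f"{seg.arrival_ms:5.1f} ms"
        # TCP's only question: right peer, right place in the stream?
        if seg.src != self.server_ip or seg.seq != self.expected_seq:
            self.log.append(f"{stamp} drop: unexpected peer/seq {seg.src}/{seg.seq}")
            return False
        # With HTTPS the record must also carry a valid MAC. Real TLS tears the
        # connection down on a bad MAC; this model just drops the segment.
        if self.session_key is not None:
            expected = record_tag(self.session_key, seg.seq, seg.payload)
            if not hmac.compare_digest(seg.tag, expected):
                self.log.append(f"{stamp} drop: bad record MAC on {len(seg.payload)} bytes")
                return False
        self.expected_seq += len(seg.payload)  # stream moves on; a late duplicate is now stale
        self.page = seg.payload
        self.log.append(f"{stamp} accept {len(seg.payload)} bytes claiming to be from {seg.src}")
        return True


def run_race(authenticated, lan_ms=2.0, wan_ms=40.0):
    """Victim sends GET; the attacker on the LAN answers after lan_ms, the real
    server after wan_ms. Returns (page the browser rendered, log)."""
    key = b"key-derived-during-the-handshake" if authenticated else None
    request = Segment(0.0, VICTIM_IP, SERVER_IP, seq=1001, ack=5001,
                      payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    victim = Victim(SERVER_IP, expected_seq=request.ack, session_key=key)
    next_ack = request.seq + len(request.payload)

    # The attacker sniffed the request, so it knows both addresses and the ack
    # field, i.e. the sequence number the victim will accept next. It can forge
    # the server's address; it cannot forge the tag, having no key.
    forged = Segment(lan_ms, SERVER_IP, VICTIM_IP, seq=request.ack, ack=next_ack,
                     payload=EVIL_PAGE, tag=bytes(32))
    real = Segment(wan_ms, SERVER_IP, VICTIM_IP, seq=request.ack, ack=next_ack,
                   payload=REAL_PAGE,
                   tag=record_tag(key, request.ack, REAL_PAGE) if key else b"")

    for seg in sorted([real, forged]):  # delivered in arrival order
        victim.receive(seg)
    return victim.page, victim.log


if __name__ == "__main__":
    for authenticated in (False, True):
        page, log = run_race(authenticated)
        print("HTTPS-style record protection:" if authenticated else "plain HTTP:")
        print("\n".join("  " + line for line in log))
        print("  rendered:", page.decode())
```

Run it to see the two logs side by side. The model keeps only the TCP check that decides the outcome (right peer, right sequence number, first arrival wins) and does not model ARP or DNS spoofing, which are other routes to the same end on a shared network. Note also that authentication stops content substitution, not denial of service: an attacker who can sniff the request can still inject a RST and kill the connection.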
Fernando said 1:58PM on 7-23-2007
"Happy Monday, everyone; are you done reading Potter yet?"
Why yes, thank you for asking.
Reply
Kai Cherry said 2:16AM on 7-24-2007
Ah, the blinders are on full, I see.
I'll tell you this, if this isn't patched by apple by the 2nd of august, the 3rd of august should be a VERY interesting day indeed :)
Stability and Security indeed.
You'd be a fool to try out "Kewl New iPhone Killer Web App Dot Com" because kids, as the man said, this runs as *uid 0* on the phone.
Essentially, the iPhone's OS, OS X v1.0 is at least one order of magnitude less secure than Mac OS X, simply because every single thing on the phone runs as "root".
If you have no idea what the implications of this are, then that's sad, but I'm telling you, this entire thing should be taken very, very seriously and someone at apple should be slapped silly, because all of the "security" is tossed out the window when every single process is granted superuser privs.
Reply
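A worked illustration of the least-privilege point in the comment above. This is an added example, not code from the post or from Apple, and it says nothing about how the iPhone's OS is actually built: it is the generic Unix pattern a process that starts as root should follow before it touches untrusted input, plus a check that the drop really is irreversible. The uid/gid 65534 ("nobody" on most Linux systems) is an assumption; any unprivileged ids will do. The drop is performed in a forked child so the caller keeps its own privileges.

```python
"""Drop root privileges irreversibly and verify it, in a forked child.

Constructed example; the uid/gid below are assumptions.
"""
import os

UNPRIV_UID = 65534  # assumption: 'nobody' on most Linux systems; any unprivileged id works
UNPRIV_GID = 65534


def drop_privileges(uid, gid):
    """Give up root for good. Order matters: groups, then gid, then uid,
    because after setuid() the process may no longer change the other two."""
    if os.geteuid() != 0:
        return            # never had root; nothing to drop
    os.setgroups([])      # forget supplementary groups (admin, wheel, ...)
    os.setgid(gid)        # setgid(), not setegid(): real and saved gid change too
    os.setuid(uid)        # setuid(), not seteuid(): no saved uid 0 to come back to


def privileges_are_gone():
    """True only if the process is unprivileged AND cannot get root back."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)      # must fail: with the saved uid also non-zero this is EPERM
    except PermissionError:
        return True
    return False          # setuid(0) worked: only the effective uid had been dropped


def verify_drop_in_child(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Perform the drop in a child so the caller keeps its own privileges.
    Returns True if the child ended up irreversibly unprivileged."""
    pid = os.fork()
    if pid == 0:                          # child
        code = 2
        try:
            drop_privileges(uid, gid)
            code = 0 if privileges_are_gone() else 1
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)        # parent
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    started_as = "root" if os.geteuid() == 0 else f"uid {os.geteuid()}"
    print(f"started as {started_as}; child irreversibly unprivileged:", verify_drop_in_child())
```

The order of calls is the substance: supplementary groups first, then the group, then the user, using the set*id variants that change the real and saved ids as well as the effective one. A process that only calls seteuid() can come back to root with another seteuid(0), which is exactly the hole an attacker with code execution would use. In a browser the equivalent is rendering untrusted content in a process that never had root in the first place.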