New iPhone Attack Kills Apps, Reroutes Web Traffic

kdawson posted more than 4 years ago | from the dead-cert dept.

Cellphones 125

Trailrunner7 sends in a threatpost.com article on exploiting flaws in the way the iPhone handles digital certificates. "[Several flaws] could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The result of the attack is that a remote hacker is able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chooses, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from that phone. ... Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. 'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"


Heh (4, Funny)

Pojut (1027544) | more than 4 years ago | (#31001240)

::cue "see, Apple isn't perfect" comments::

See? Apple isn't perfect!

Re:Heh (2, Insightful)

Locke2005 (849178) | more than 4 years ago | (#31001362)

"Not perfect"?!? Blasphemy!!! Burn the Blasphemer!

Yes, all software has security flaws, including Linux and MacOS, which is why a many-layered approach to security is necessary to limit the scope of vulnerabilities.

Re:Heh (0, Flamebait)

sopssa (1498795) | more than 4 years ago | (#31001628)

But everyone on Slashdot always says that Linux and Mac OSX have no vulnerabilities, that it's only on Windows!

Re:Heh (0, Troll)

DJRumpy (1345787) | more than 4 years ago | (#31001940)

No, they state that they are more secure. I don't think I've ever seen someone claim they are invulnerable. That would be foolish. That said, the issue here seems to be with Verisign issuing a certificate for Apple Computer, not with the phone OS itself. At some point you have to trust your root certificate credentials.

Why did they hand out a certificate like this?

Re:Heh (1, Funny)

Anonymous Coward | more than 4 years ago | (#31002034)

Linux and MacOS are indeed invulnerable.

See? Now you have.

Re:Heh (0, Flamebait)

AHuxley (892839) | more than 4 years ago | (#31002492)

No in the wild easy to find virus for a Mac running OS X at this time.
As for physical access of self install, have a look at
http://www.iantivirus.com/threats/ [iantivirus.com]
Nice long list but few are 'I was just surfing the net and ...'
No chatter in forums, IRC, Slashdot etc.
So someone must be keeping Mac hack sites very much as a needs to know or the spooks want people to trust Macs ;)

Re:Heh (2, Insightful)

sbeckstead (555647) | more than 4 years ago | (#31003162)

I'm supposed to believe a site that calls itself "PC tools iAntivirus"?

Re:Heh (2, Interesting)

DJRumpy (1345787) | more than 4 years ago | (#31003258)

A site that sells antivirus software claiming there are a lot of dangerous viruses? But wait, there's more! Your PC is infected! Click here [cknow.com] for your free virus scan! Act before it's too late! ;)

A good read of computer history on Wikipedia if anyone is interested: http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#31002546)

When I last checked, the iPhone runs neither Linux nor OSX.

Re:Heh (1)

xch13fx (1463819) | more than 4 years ago | (#31002902)

From Wikipedia:

iPhone OS (known as OS X or OS X iPhone in its early history) is the operating system for the iPhone, iPad and iPod touch from Apple Inc.

It was derived from Mac OS X, with which it shares the Darwin foundation.

Re:Heh (3, Interesting)

ijitjuice (666161) | more than 4 years ago | (#31001400)

If you get apps from the app store how would this get installed? If I'm about n about this would just pop up on my screen? I guess I'm lost as to how it would get on my phone in the first place?

Re:Heh (5, Funny)

jjoelc (1589361) | more than 4 years ago | (#31001468)

Easy, just go to "jailbreaking for dummies dot com", enter your credit card, social security, and bank information. Then download the "MakeYourPhoneCooler.vbs" file to your PC. It will present you with complete directions to download and install the software to your iPhone. FREE WITH EVERY PURCHASE! Banned by Apple! STRIP Poker game!

Re:Heh (1)

DarkAxi0m (928088) | more than 4 years ago | (#31002776)

Um your link didnt work...

ive got dads credit card here ready to go..

!!! I WaNT MY PHoNE TO BE CooLER THaN ALL THE OTHeRS!!! ONE!!! ELEVEN

Re:Heh (5, Informative)

kybur (1002682) | more than 4 years ago | (#31001480)

Certain settings can be changed on an iPhone just based on links/downloads clicked on from within Safari (on the device). That is how iPhone OS 3.0.x users could enable tethering without jailbreaking their phones. It was just a settings file that could be downloaded. I believe it was unsigned, but now, apparently, it would be easy to make it look like an Apple-signed file.

Re:Heh (4, Insightful)

Sechr Nibw (1278786) | more than 4 years ago | (#31001664)

Easy?

As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

Re:Heh (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31001798)

"Apple Computer, Inc" is now "Apple, Inc". So obviously any certificate from "Apple Computer" (with or without the "Inc") would be a fake.

Re:Heh (2, Insightful)

nstlgc (945418) | more than 4 years ago | (#31002578)

If you think this is obvious, you haven't met the horde of users that still believe CNN and Microsoft work together to announce viruses.

Re:Heh (4, Funny)

Dishevel (1105119) | more than 4 years ago | (#31001816)

Oh nos! You have to fool someone? Now it will never work.

Re:Heh (3, Interesting)

Oooskar (806935) | more than 4 years ago | (#31002474)

As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer

You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.

Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make it clear that it isn't a validated organization name it publishes.

Re:Heh (1)

Sir_Lewk (967686) | more than 4 years ago | (#31002872)

You have to fool VeriSign first

Yeah, that's what we said. Easy.

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#31002738)

You probably wouldn't even need to make it look like Apple signed it. How many people do you think would tap OK even if it said the file came from "Bubbles O'Rly"?

Apple supposedly set up a walled garden for apps to prevent people from doing stupid stuff to their phone, and then left in such a simple way to do something stupid to the phone. My reaction to this is somewhere between a sarcastic oops and a complete facepalm.

Re:Heh (0, Flamebait)

interkin3tic (1469267) | more than 4 years ago | (#31001424)

::cue "see, Apple isn't perfect" comments::

See? Apple isn't perfect!

Now cue "It's not a bug / a missing feature / an intentionally and pointlessly broken function / restriction put there by business interests to get you to spend more money for shit you already own, it's a feature" in 3...2...1...

Re:Heh (1)

Kitkoan (1719118) | more than 4 years ago | (#31003196)

It's not who is better than the other, it's which one is the biggest player in the market which will get the most recognition. All software can be hacked, even locked ones. Just have to find the weak link and have an interest to do so.

Thank Ghod I run Windows (5, Funny)

Anonymous Coward | more than 4 years ago | (#31001266)

Oh my! These repeated iPhone & Mac attacks are making me happy I run MS-Windows on my *(@&!)Sw2
***NO CARRIER***

Re:Thank Ghod I run Windows (0)

Anonymous Coward | more than 4 years ago | (#31002162)

I have a Moto Q (Win Mobile 6). It does everything I need a phone to do, including retrieving email and information (web pages). It still amazes me how many people who are otherwise intelligent geeks keep on chugging the Apple Koolaid.

Re:Thank Ghod I run Windows (1)

svanheulen (901014) | more than 4 years ago | (#31002838)

Try a phone with Android or Maemo and you'll realise how incredibly shitty WinMo is.

Re:Thank Ghod I run Windows (1)

PixetaledPikachu (1007305) | more than 4 years ago | (#31003156)

I have a Moto Q (Win Mobile 6). It does everything I need a phone to do, including retrieving email and information (web pages). It still amazes me how many people who are otherwise intelligent geeks keep on chugging the Apple Koolaid.

Any phone except the USD20-30 Nokias can do email and http with Opera. The problem lies in user experience. I have seen how my friend uses his Samsung Omnia, requiring him to press that minuscule "windows" button on the top left with his nail, so his finger wouldn't touch anything else on the screen. That windows button then churns out a text menu with small fonts that were packed so close together, causing him to have to use his nail again to press one of them. It's annoying.

Re:Thank Ghod I run Windows (1)

Hucko (998827) | more than 4 years ago | (#31003646)

I've used a Win Mobile (5) and it did everything I wanted a phone to do and more. I've anecdotally found the iPhone to be more stable, quicker and easier to use. Why is it koolaid chugging to decide one product does what you want it to better than another?

IMPOSSIBLE (1, Funny)

Some.Net(Guy) (1733146) | more than 4 years ago | (#31001274)

Cmon, everyone knows that Apple products are impervious to viruses. ....bahahahahaha

Re:IMPOSSIBLE (3, Informative)

Anonymous Coward | more than 4 years ago | (#31001366)

Except this isn't a self-replicating binary, so no, it's not a virus. /pedant

Re:IMPOSSIBLE (1)

sopssa (1498795) | more than 4 years ago | (#31001692)

Viruses are so 90's on all operating systems anyway. Most malware nowadays comes via vulnerabilities like exploits, or in this case a vulnerability in the certificate system.

Re:IMPOSSIBLE (1)

toadlife (301863) | more than 4 years ago | (#31003520)

Most malware nowadays comes via vulnerabilities like exploits

Most malware these days is spread via social engineering. Go to a random AV vendor's site and look at the top ten viruses for Windows. At any given time, most of them will be worm/trojan combos that spread via social engineering. Checking McAfee's site [mcafee.com] right now, it looks like three of the top ten actually spread via exploits.

Re:IMPOSSIBLE (4, Insightful)

pclminion (145572) | more than 4 years ago | (#31002864)

A self-replicating binary isn't a virus either. It's a worm. A virus is a piece of code that attaches itself to a host program and depends on the host program's execution to replicate itself. As long as we're being pedantic.

Re:IMPOSSIBLE (0)

Anonymous Coward | more than 4 years ago | (#31001374)

The iPhone by default will trust configuration files that it receives over the air or while connected to a PC...

There you have it, it's Microsoft's fault.

Apple's in the clear.

Re:IMPOSSIBLE (0, Troll)

Ziwcam (766621) | more than 4 years ago | (#31001378)

Still not a virus.

Fake edit: Bah, beat by someone who didn't bother to log in.

Re:IMPOSSIBLE (0)

Anonymous Coward | more than 4 years ago | (#31001470)

So you don't know the difference between a falsified PKI certificate and a virus...typical for a .Net programmer, I guess, but still disappointingly stupid.

yikes! (1)

dropadrop (1057046) | more than 4 years ago | (#31001314)

"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable."

Sounds terrible :)

Seriously though, I've been wondering why there have been so few vulnerabilities on the iPhone.

Re:yikes! (5, Interesting)

Voyager529 (1363959) | more than 4 years ago | (#31001546)

My guess is that at least a part of the reason is that many of the exploits are used for jailbreaking and unlocking. With Apple trying feverishly to outwit the iPhone Dev Team, many of the vulnerabilities they use get patched (TIFF Exploit?). I'd imagine that this ultimately helps keep the iPhone a more secure platform.

Re:yikes! (1)

0xdeadbeef (28836) | more than 4 years ago | (#31001948)

Which means there have actually been many exploits for the iPhone.

Re:yikes! (1)

AHuxley (892839) | more than 4 years ago | (#31002520)

But who is using them and why no chatter?
Most of the time the tools would be sold, bragged about or just shown to be built on by others to make better tools?

Re:yikes! (2, Interesting)

Voyager529 (1363959) | more than 4 years ago | (#31004726)

But who is using them and why no chatter?

Apple seems to think that plenty of people are running them. The first gen iPhone was activated by the user at home. After the battle with people who didn't sign up for AT&T service once they got home, they started activating in the store (although admittedly they also started subsidizing them at that point). Every baseband update has also patched whatever the current-gen exploit was at the time; tools were modified to strip out the baseband updates before jailbreaking. Apple "silently" (as in made the front page of Slashdot, but wasn't the subject of an Apple press release) updated the hardware in the 3GS to prevent jailbreaking. If it was a few dozen computer geeks who wanted to tether, Apple wouldn't go to these lengths to actively prevent jailbreaking (which as we've determined, is simply desirable use of an exploit).

Most of the time the tools would be sold, bragged about or just shown to be built on by others to make better tools?

Winpwn. Quickpwn. PwnageTool. Redsn0w. Yellowsn0w. Ultrasn0w. Purplera1n. Blackra1n. ZiPhone.

Re:yikes! (1)

interkin3tic (1469267) | more than 4 years ago | (#31001568)

Seriously though, I've been wondering why there have been so few vulnerabilities on the iPhone.

Me too. I guess my days of carelessly visiting untrustworthy but hott websites on my iphone and then clicking on whatever popups came up without bothering to read it are over.

It's a fetish, alright? I like clicking on buttons while looking at pictures of goats. Don't judge me.

Re:yikes! (1)

TrancePhreak (576593) | more than 4 years ago | (#31003902)

The SMS vulnerability makes up for it in my opinion.

Re:yikes! (1)

BitZtream (692029) | more than 4 years ago | (#31004714)

The part you quoted is rather untrue.

You can make applications not work, make it so that you can't remove this config file. At the very least, you can make someone's day miserable.

Right up until they hold down the power and home button for a few seconds and wipe the device. Plug it in to the PC, restore, done.

This isn't a vulnerability in the phone, it is by design.

You can argue that it's a design flaw, but it's a direct result of features requested by users. Everything about this exploit is a direct result of requests from businesses and users. If Apple 'locked it down' to make it safer, we'd end up with everyone bitching about it being closed and under Apple's control like the AppStore whining.

Phishing (1)

goldaryn (834427) | more than 4 years ago | (#31001422)

So I guess that if you can route outbound web traffic through any server you like, you can phish login details and who knows what else?

No danger... (1)

Pedrito (94783) | more than 4 years ago | (#31001454)

'It definitely works. I downloaded the file and ran it and it worked,' Miller said. 'The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified.'"

That's it? Who'd be dumb enough to fall for t#1$j213!%
NO CARRIER

Re:No danger... (1)

exomondo (1725132) | more than 4 years ago | (#31001606)

If the average person downloads a file - obviously with the intention of opening it - and is told that the file is verified by Apple then I think it's pretty obvious that a LOT of people would be susceptible to this kind of attack.

Re:No danger... (1)

v1 (525388) | more than 4 years ago | (#31001830)

You can't download and run apps on your iPhone, you have to get them from the app store, unless you've jailbroken it.

And if you can't be smart enough to figure out what apps are safe to open, you shouldn't have jailbroken it in the first place.

Re:No danger... (1)

exomondo (1725132) | more than 4 years ago | (#31002478)

I should have worded that differently... rather goes to a website and opens a link.

Re:No danger... (1)

v1 (525388) | more than 4 years ago | (#31003094)

Does the link cause the iPhone to download and launch the downloaded app, or is it a browser-executed thing like an SWF, or is it using an overflow bug in a browser system like the recent TIFF vulnerability, or how does it manage to get into an execution/interpretation chain?

Re:No danger... (1)

exomondo (1725132) | more than 4 years ago | (#31003634)

It's an OTA configuration file

Re:No danger... (5, Informative)

dgatwood (11270) | more than 4 years ago | (#31001784)

I don't think there's really any security check that Apple could have performed on an over-the-air configuration profile that would not defeat the purpose of having such a profile. The idea is to make it as painless as possible for users to sign up for custom settings specific to a company where they work or whatever (e.g. adding corporate firewall keys, that sort of thing). As soon as you limit who can sign the profiles, they become useless, and if Apple required everyone to sign up for a signing cert through them, everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

Even if they added an extra check to make sure the signing cert doesn't have /^\s*Apple\s*$/i or /^\s*Apple\s*Computer\s*$/i as the company name, that still doesn't fully solve the problem. Many users would just as quickly tap "OK" for an update that claimed to be from any company they trust---their bank, Google, Yahoo, PayPal, AT&T, etc. And making the warning sterner only helps if people read it and understand it. I'm just not convinced that this problem has a solution short of not trusting incompetent cert providers with a history of issuing certs in the name of other companies.

The real security flaw here, IMHO, is that Verisign issued this company a signing certificate with the name Apple Computer. And this isn't the first time Verisign has done something stupid like that [amug.org]. They've repeatedly shown themselves completely incapable of doing even basic sanity checking before handing out signing certificates, SSL certificates, etc. Thus, IMHO, their code signing certs are inherently no more trustworthy than a self-signed cert or someone typing the name of a company into a field in a plist file. As far as I'm concerned, they should be dropped from the list of trusted roots. If Safari and Firefox both did this, they would eventually shrivel up and die like the inept hack of a company they are.

Re:No danger... (0)

Anonymous Coward | more than 4 years ago | (#31002042)

YES! Oh GOD YES!

Re:No danger... (1)

Nerdfest (867930) | more than 4 years ago | (#31002288)

everyone would be jumping up and down screaming that Apple is being too controlling. It's truly a no-win.

Yeah, because nobody would tolerate that.

Re:No danger... (2, Insightful)

nstlgc (945418) | more than 4 years ago | (#31002604)

Hello, my name is Steve Jobs and I would like to thank you for defending my honour.

Obligatory Blame Part 2 (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31001460)

North Korea or China [youtube.com] .

Yours In Vilnius,
Kilgore T.

Can that be used to sign ipcc and enable tethering (2, Insightful)

darp (181922) | more than 4 years ago | (#31001462)

Wasn't that the problems with tethering non-jailbroken phones?

Don't worry (3, Funny)

CSHARP123 (904951) | more than 4 years ago | (#31001514)

Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)

Re:Don't worry (0, Troll)

Anonymous Coward | more than 4 years ago | (#31001526)

Norton is a virus.

Re:Don't worry (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31001556)

Are you sure that's a good thing?

Re:Don't worry (1)

Attherd (1389213) | more than 4 years ago | (#31001624)

I was under the impression that Norton needed more processing power than the iPhone could provide.

Re:Don't worry (0)

Anonymous Coward | more than 4 years ago | (#31001708)

Norton requires processing power in the petaFLOPS, e.g. HPC or supercomputer. We are unlikely to see viruses that are capable of affecting any system that is actually capable of running Norton.

Re:Don't worry (0, Redundant)

Monkeedude1212 (1560403) | more than 4 years ago | (#31001710)

Norton needs more processing power than any PC could provide.

Re:Don't worry (0, Redundant)

sopssa (1498795) | more than 4 years ago | (#31001728)

Norton needs more processing power than anything could provide.

Re:Don't worry (1)

bjb_admin (1204494) | more than 4 years ago | (#31001904)

As long as the virus database has only one entry in it Norton will be fine.

Re:Don't worry (1)

greyline (1052440) | more than 4 years ago | (#31001934)

Sounds like Norton is the Chuck Norris of AV software.

Re:Don't worry (2, Funny)

silent_artichoke (973182) | more than 4 years ago | (#31002136)

Indeed. Symantec hired Chuck Norris to compile Norton. He glared at the code and it compiled itself out of fear. Chuck Norris can also overflow any buffer.

Re:Don't worry (1)

sbeckstead (555647) | more than 4 years ago | (#31003102)

Closer to the Ron Popeil!

Re:Don't worry (1, Funny)

Anonymous Coward | more than 4 years ago | (#31001766)

Nortan Anti-Virus software is now available for iPhone too.

Buying knock offs again, eh?

Re:Don't worry (1)

CSHARP123 (904951) | more than 4 years ago | (#31002642)

Does it really matter?

Re:Don't worry (0)

Anonymous Coward | more than 4 years ago | (#31002256)

Nortan Anti-Virus software is now available for iPhone too. I was wondering when it will become available. Thanks now my iPhone works the same way as PC with Windows :)

Good thing the iPhone doesn't have user multitasking or backgrounding (yet), or the only way to stop it would be to restore the device from scratch!

Imagine you Android and Palm Pre users with an app you can't kill - you try, and it just restarts itself in the background...

Re:Don't worry (0)

Anonymous Coward | more than 4 years ago | (#31004514)

Too bad you can't run multiple apps. That means you can't run your crappy AV at the same time as your crappy browser. YOU CAN ONLY USE YOUR ANTIVIRUS WHEN YOU DO NOT NEED IT.

That would be effing brilliant.

Now that... (0)

Anonymous Coward | more than 4 years ago | (#31001722)

Now that...

Is a killer app.

expand every post...? (0)

Anonymous Coward | more than 4 years ago | (#31001786)

Wow!! Every comment modded down to 2 or below except for 2 posts. Both of them modded informative and interesting because they claimed the iPhone was safe. Apple fanboys are out in force today.

Thank goodness... (3, Funny)

metamatic (202216) | more than 4 years ago | (#31001790)

...the iPhone controls what software you're allowed to run, to keep it secure. Otherwise it would suffer from exploits like this one.

2/2/2010 iPhone Patch (1)

kainewynd2 (821530) | more than 4 years ago | (#31001888)

Apple released a security update for the iPhone and iPod Touch [apple.com] today.

Anyone know if this was addressed in that update? There are a few Webkit updates in there (mostly multimedia exploits).

Re:2/2/2010 iPhone Patch (1)

prockcore (543967) | more than 4 years ago | (#31002512)

Son of a... that means another 2.5 gigabyte download to update the SDK. I hope whoever it is at Apple that doesn't believe in binary diffs dies in a fire.

Re:2/2/2010 iPhone Patch (0)

Anonymous Coward | more than 4 years ago | (#31003552)

What are you, on dialup or something?

Click "download" before you go to bed at night, wake up in the morning with the download complete. Sheesh.

and why not... (0)

Anonymous Coward | more than 4 years ago | (#31001956)

There's an app for THAT??

How is this related to the iPhone? (3, Insightful)

icydog (923695) | more than 4 years ago | (#31001968)

The "attack" in TFA doesn't mention anything necessarily specific to the iPhone. The attackers got Verisign to sign a cert with the name "Apple Computer." That is a social engineering problem, not a security implementation flaw of the iPhone.

I bet the headline would get even more pageviews if they claimed this was an iPad flaw instead of iPhone.

Re:How is this related to the iPhone? (1)

WraithCube (1391567) | more than 4 years ago | (#31002388)

The other part of the attack deals with the iPhone in that it can change the mobileconfig file and allow the attacker to set the HTTP proxy. Then make it so you cannot remove the new config file.
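
A defender-side check for the profile behaviour described in the comment above, as an added example that is not part of the original thread or the article: it parses an unsigned .mobileconfig plist and flags the settings discussed here (proxy, added root certificate, removal lock, free-text organization name). The sample profile is constructed, and the key and payload-type names come from Apple's configuration-profile format as documented for later iOS releases, so their applicability to the iPhone OS version discussed is an assumption.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample profile (not taken from the article or the thread).
# The proxy host is a placeholder under the reserved .invalid TLD.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadOrganization</key><string>Apple Computer</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Example Root</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>office</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types assumed from Apple's configuration-profile reference.
ROOT_CA_TYPES = {"com.apple.security.root"}
GLOBAL_PROXY_TYPES = {"com.apple.proxy.http.global"}


def audit_profile(data):
    """Return a list of findings for one unsigned .mobileconfig plist."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError):
        # Signed profiles are CMS-wrapped; unwrap them before auditing.
        return ["unparsed: not a plain plist"]
    if not isinstance(profile, dict):
        return ["unparsed: top-level object is not a dictionary"]

    findings = []
    org = profile.get("PayloadOrganization")
    if org:
        # Free text typed by the profile author; it is not the signer identity.
        findings.append("claimed-org (free text, unverified): " + str(org))
    if profile.get("PayloadRemovalDisallowed") is True:
        findings.append("non-removable")

    content = profile.get("PayloadContent", [])
    for payload in content if isinstance(content, list) else []:
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        if ptype in ROOT_CA_TYPES:
            findings.append("adds-root-ca")
        if ptype in GLOBAL_PROXY_TYPES or payload.get("ProxyType") in ("Manual", "Auto"):
            target = payload.get("ProxyServer") or payload.get("ProxyPACURL") or "unspecified"
            findings.append("sets-proxy: " + str(target))
    return findings


def verdict(findings):
    """Map findings to allow / review / block for a gateway or MDM review queue."""
    if any(f.startswith("unparsed") for f in findings):
        return "review"
    has_root = "adds-root-ca" in findings
    has_proxy = any(f.startswith("sets-proxy") for f in findings)
    if has_root and has_proxy:
        # A new trust anchor plus a forced proxy is what enables TLS interception.
        return "block"
    if has_root or has_proxy or "non-removable" in findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for line in results:
        print(line)
    print("verdict:", verdict(results))
```
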

Re:How is this related to the iPhone? (0)

Anonymous Coward | more than 4 years ago | (#31002640)

Just run your phone on a 3G Femtocell that runs all traffic through your _own_ proxy and use that to remove the config file.

Re:How is this related to the iPhone? (0)

Anonymous Coward | more than 4 years ago | (#31002732)

Are they not supposed to be able to change their proxy settings?

Moral of the story is, if you don't think you clicked anything that could change your iPhone, don't accept it.

Re:How is this related to the iPhone? (1)

WraithCube (1391567) | more than 4 years ago | (#31003214)

I don't really know what the specifics were, but this is the quote from the end of the article (yeah, I guess I never should have expected slashdot users to read the article)

"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file,"

Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.

Re:How is this related to the iPhone? (1)

exomondo (1725132) | more than 4 years ago | (#31003612)

Of course this does all rely on the user being stupid enough to trust the certificate and install the new config file just to get that far.

So do a hell of a lot of viruses, trojans and malware, and they all perpetuate even without the added assurance of a trusted certificate.

Re:How is this related to the iPhone? (4, Insightful)

exomondo (1725132) | more than 4 years ago | (#31003200)

The "attack" in TFA doesn't mention anything necessarily specific to the iPhone.

Yes it does:

The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate

Is this really an SSL attack? (2, Interesting)

rickb928 (945187) | more than 4 years ago | (#31002174)

I'm getting a little uneasy with SSL. Nothing is safe.

Re:Is this really an SSL attack? (0)

Anonymous Coward | more than 4 years ago | (#31004156)

No, this is not an SSL attack. It has nothing to do with any flaws in SSL, other than Verisign handing out a certificate for "Apple Computers" when they arguably shouldn't have.

Re:Is this really an SSL attack? (1)

BitZtream (692029) | more than 4 years ago | (#31004550)

It has EVERYTHING to do with SSL. It points out the weakness in the system. Root certificate authorities are part of the SSL ecosystem, without root CAs SSL is effectively useless.

With shitty root authorities, like VeriSign, SSL is effectively worthless.

Someone needs to wipe them and Network Solutions off the face of the Earth.

Too much sensationalism? (2, Interesting)

kryptopath (1736084) | more than 4 years ago | (#31002266)

Initial (anonymous) author of TFA here:

Do not blame Verisign for issuing a temporary signature certificate without verification: this is stated clearly in their Level 1 certificate statuses and will surely be found with many other certificate issuers. The issue is completely on Apple for trusting a certificate of that kind for an over-the-air update. That kind of certificate is issued without any verification so you could have it delivered to any name you wanted, including your target's IT department. As mentioned in the article Apple should not use Safari's keychain to check the trust chain.

As mentioned in one of the posts below, this is a chicken-and-egg issue that has no obvious solutions. While making an OTA update process secure is a really hard problem, I do believe that Apple has not really looked into all the consequences of their choices. They have released a newer OTA protocol version with iPhone OS 3 which may be harder to subvert than this one.

Re:Too much sensationalism? (1)

sbeckstead (555647) | more than 4 years ago | (#31003072)

The issue is completely on Apple for trusting a certificate

Um sorry but how do you figure this? If Verisign is issuing certs that can be trusted without verification then they are the problem. Don't use Verisign any more.

Level 1 certificate statuses

I didn't see exactly what you are talking about here either, but perhaps I misinterpreted it.

You don't need an iPad, iPod, or iPhone. (0)

Anonymous Coward | more than 4 years ago | (#31002290)

Get a PC already.

MITM (1)

amicusNYCL (1538833) | more than 4 years ago | (#31002898)

enabling him to man-in-the-middle SSL traffic from that phone

So "man-in-the-middle" is a verb now, huh?

Um maybe not Apples problem.... (0, Troll)

sbeckstead (555647) | more than 4 years ago | (#31003016)

the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer.

From the article it looks like Verisign is the problem here.

Re:Um maybe not Apples problem.... (1)

mystikkman (1487801) | more than 4 years ago | (#31003220)

Wrong, the Apple Computer part is to just confuse the user, not to enable the attack. They could've just used Apple 1nc. and some people would still think it's sanctioned by Apple.

Re:Um maybe not Apples problem.... (1)

sbeckstead (555647) | more than 4 years ago | (#31003318)

Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.

Re:Um maybe not Apples problem.... (1)

mystikkman (1487801) | more than 4 years ago | (#31004064)

Not the point. Apple Computer is a known entity, easily verified by Verisign. But it somehow wasn't. Odd that.

Wrong.. you're looking at Apple Inc.

Wrong title? (1, Informative)

jma05 (897351) | more than 4 years ago | (#31003488)

This is a vulnerability, not an attack that has happened. Vulnerabilities can *potentially* lead to attacks. The title implies that it had already happened. AFAIK, testing vulnerabilities is not termed an attack; only when they are exploited by a malicious third party.

Apple doesn't take certificates seriously (1)

Boltronics (180064) | more than 4 years ago | (#31004722)

I've configured our local office WAP with WPA2-Enterprise and PEAP. I have to support this setup on a variety of machines.

Windows machines (depending on the configuration) typically refuse to connect unless the root certificate presented is trusted first. Unfortunately the error is typically quite unhelpful, but at least it operates in a safe way. It's also not too obvious how to import certificates for non-techies.

GNU/Linux machines running NetworkManager such as Ubuntu IMHO do the right thing - warn if the root certificate is not trusted, but allow you to bypass the warning and connect if for whatever reason you want to. You are prompted to upload the root certificate file right on the connection box, so it's very user friendly and encourages secure behavior.

iPod Touch/iPhones don't offer any obvious way to import the certificate! Upon connection they do present you the certificate and ask if you would like to trust it... however when you scroll down to the fingerprint, half of it doesn't fit on the screen and you can't scroll to the right to see the rest of it! The most important thing you need to see and half of it's missing! What were they thinking?

I'm not surprised by this news at all.
