Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Security Flaw Found That Allows Control of iPhone

Zonk posted more than 7 years ago | from the there's-always-a-catch dept.

Security 176

i_like_spam writes "The NYTimes is running a story about an iPhone flaw that has been found and documented by researchers from Independent Security Evaluators. Attackers were able to gain full control of the iPhone either through WiFi or by visiting a website with malicious code. The exploit will be demonstrated at BlackHat on Aug. 2nd at 4:45pm. Until then, 'details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at www.exploitingiphone.com, which the researchers said would be unveiled today.'"

cancel ×

176 comments

Sorry! There are no comments related to the filter you selected.

Gawd bless the US of TFU! (0, Troll)

Adolf Hitroll (562418) | more than 7 years ago | (#19953985)

I, GEORGE W. BUSH, President of the United States of America, find that, due to the unusual and extraordinary threat to the national security and foreign policy of the United States posed by acts of violence threatening the peace and stability of Iraq and undermining efforts to promote economic reconstruction and political reform in Iraq and to provide humanitarian assistance to the Iraqi people, it is in the interests of the United States to take additional steps with respect to the national emergency declared in Executive Order 13303 of May 22, 2003, and expanded in Executive Order 13315 of August 28, 2003, and relied upon for additional steps taken in Executive Order 13350 of July 29, 2004, and Executive Order 13364 of November 29, 2004."


As seen here [indymedia.org] ...

So, will some clever amuritan (if such a thing does exist) explain me how the US of TFU is a democracy... If he's allowed to, of course.

Excellent! (5, Funny)

TheRaven64 (641858) | more than 7 years ago | (#19954003)

Now users of the iPhone can control their own device!

Of course, the down side is that so can everyone else...

Re:Excellent! (1)

Xiph (723935) | more than 7 years ago | (#19954031)

I guess that's a trick that's usable by all that requires signed code.
Find a weakness in something that's signed, and have that execute your code.

Makes me think about the dvd player in my kitchen.

Re:Excellent! (0, Troll)

Ohreally_factor (593551) | more than 6 years ago | (#19954631)

I was also thinking about the dvd player in your kitchen.

Actually, I was wondering if this exploit had anything to do with having to drag your call to the trash to hang up.

Re:Excellent! (0, Troll)

Bentov (993323) | more than 7 years ago | (#19954045)

Wow the apple haters are up early this morning! +3 insightful for that? Funny maybe, but insightful. The line starts at the left for all Nomad and Neo1973 comparisons and jokes...

Re:Excellent! (5, Funny)

thedeadswiss (573599) | more than 6 years ago | (#19954073)

Perhaps they should rename it yourPhone.

Re:Excellent! (5, Funny)

Don_dumb (927108) | more than 6 years ago | (#19954135)

I prefer the iPwn.

Re:Excellent! (4, Funny)

kai.chan (795863) | more than 6 years ago | (#19955131)

Or better yet: iPhwn.

Re:Excellent! (1)

Cpt. Fwiffo (42356) | more than 6 years ago | (#19954443)

yourPhone it was, MyPhone it is!

Duke University (1)

cybermage (112274) | more than 6 years ago | (#19954359)

Maybe Duke [miamobi.com] can use this exploit to shut off iPhones before they bring their entire wireless network to its knees this fall.

I cannot image the hole will last long or anyone will really care all that much. I've seen a number of exploits demonstrated to hack into bluetooth enabled phones and do malicious things like delete contact lists. This is only a hot story because of the phone's popularity.

Re:Duke University (1, Informative)

Anonymous Coward | more than 6 years ago | (#19954429)

Under a rock the last few days, I take it? Better check back in on that "Duke idiot admin goes to the media with half-baked iPhone theory" story.

Re:Duke University (2, Funny)

kannibal_klown (531544) | more than 6 years ago | (#19954607)

They already admitted that the problem wasn't with the iPhone, but Cisco's routers. I found the whole thing kind of funny.:

Dan: Our network is flaking out then crashing. We need to find the problem before the Spring semester kicks in and we're really in trouble.
George: Hmm, the iPhone just came out the other day. I doubt that's a coincidence, it must be a faulty product.
Dan: Are you sure? I haven't heard about any of these issues on other campuses or companies. I think we should look into this further.
George: Nah, it's not our problem, it's Apple's. Let them figure it out.

Duke WAS NOT Apple's fault (4, Informative)

LKM (227954) | more than 6 years ago | (#19954917)

Yeah, I can see how you're confused, because all the news outlets reporting about how the iPhone destroyed Duke's network did not bother to report that it was all made-up crap.

Last week: [macworld.com]

"I don't believe it's a Cisco problem in any way, shape or form."

This week: [duke.edu]

Cisco worked closely with Duke and Apple to identify the source of this problem, which was caused by a Cisco-based network issue. Cisco has provided a fix that has been applied to Duke's network and there have been no recurrences of the problem since.

Maybe at least /. could bother to retract the story?

Nah, who cares, it's just your usualy weekly Apple bashing.

Re:Duke WAS NOT Apple's fault (4, Informative)

jeffasselin (566598) | more than 6 years ago | (#19955201)

You mean like posting an updated story?

http://hardware.slashdot.org/article.pl?sid=07/07/ 21/1212217 [slashdot.org]

Re:Duke WAS NOT Apple's fault (2, Interesting)

LKM (227954) | more than 6 years ago | (#19956283)

I stand corrected :-)

Re:Duke WAS NOT Apple's fault (1)

hpavc (129350) | more than 6 years ago | (#19956153)

Or how the 'pwn imacs with simple wifi trick' was?

Re:Excellent! (0)

Anonymous Coward | more than 6 years ago | (#19955367)

OMG! Security flaws! Sacraledge!!!! Drag the programmers and engineers responcible out front of the apple development labs for a public flogging!

Re:Excellent! (1, Insightful)

twiggy (104320) | more than 6 years ago | (#19955829)

What I find most interesting about this is that it lends much more faith to the argument that viruses, trojans and security exploits show up not because a device or operating system is necessarily less secure, but because there's a big enough target audience to make it "worth doing."

Mac zealots have long argued that windows sees way more viruses / malware and therefore macs are more superior.

The truth is that all devices and operating systems are hackable - it's motivation to do so that's required, and a large userbase is a huge part of that motivation.

Rut roh... (5, Funny)

EveryNickIsTaken (1054794) | more than 7 years ago | (#19954037)

Sounds like someone's going to be getting Apple Fanboy death threats tonight....

Re:Rut roh... (1)

arivanov (12034) | more than 6 years ago | (#19954311)

There is an easier way to do that.

Instead of looking for exploits just suggest that Steve Jobs and JK Rawlins should marry as this will be a meeting of alike souls. Extra bonus points could have been had for doing that on Saturday, 21st of July 2007 (provided that you had enough ammo to defend yourself after that).

Though, the magic day has passed, this is still a good treat if you want to observe how an otherwise normal looking person suddenly morphs into something out of a nightmare horror movie.

Re:Rut roh... (1)

reddburn (1109121) | more than 6 years ago | (#19954383)

Who the hell is JK Rawlins? Is that what illiterates call J. K. Rowling?

Re:Rut roh... (2, Funny)

Ash Vince (602485) | more than 6 years ago | (#19955117)

Nah, it is the illegitimate love child of Henry Rollins and J K Rowling

Re:Rut roh... (1)

adrian727 (968395) | more than 6 years ago | (#19954717)

Are the death threats sent by iPhone? So we have iBulletBury.

Re:Rut roh... (5, Funny)

Odin's Raven (145278) | more than 6 years ago | (#19955401)

Sounds like someone's going to be getting Apple Fanboy death threats tonight....

I can see the commercials now...

Mac and PC walk in from opposite sides of the screen. Mac is dressed as a ninja - custom-tailored silks, authentic-looking swords, the works. PC wears his typical clothes, but in a disheveled fashion reminiscent of Michael Douglas in "Falling Down", complete with briefcase in one hand and machine gun in the other. (Although it's painfully obvious that PC's "gun" is a cheesy plastic model acquired from the local toy store.)

  • Mac: Hi, I'm a Mac Fanboy death threat.
  • PC: And I'm a PC Fanboy death threat.
  • Mac: The other day someone claimed an Apple product was less than perfect.
  • PC: Every day people say I'm no good. Every...damn...day.
  • Mac: I hear ya, PC. In my case, I've assembled a multimedia production based around video clips taken while discretely stalking the person responsible, as text seamlessly scrolls past detailing the inherent superiority of the product in question and Mozart's "Dies Irae" from his "Requiem in D minor" plays in the background. (Pulls out iPhone and shows to PC - we catch glimpses of the movie and hear a snippet of music.)
  • PC: I have a powerpoint slide I send the offending party. (Opens briefcase and pulls out a tattered piece of paper, hands to Mac).
  • Mac: (Reading paper) Hmmmm, "U r a lozer and yu is teh suckz. Im gona hurtz u 4 ur makking fun of me. Micrsfort rulez!" Yes, that should certainly make an impression. Nice use of the WingDings font for the dagger.
  • PC: Thank you. Some people think I'm limited to boring text, but I do have access to some pretty snazzy graphics.
  • Mac: Yes, I've never seen anything quite like it. Oh well, I'm off to infiltrate the home of the person who offended me, silently scaling the outside wall, entering through an open skylight, and performing a triple-backflip as I drop to the floor, where I'll leave my threat nestled in a bouquet of lotus flowers.
  • PC: (Rolls eyes, clearly unimpressed.) Whatever. I'm going to catch the midtown bus, and nail my threat to the person's front door. And if they give me any lip, I've got this!
  • (PC brandishes toy gun, pulls trigger. Gun plays a few seconds of 80s-era laser sounds, which trail off as the batteries die.)
  • PC: Darn, why does this always happen? Now I've got to get a new weapon.
  • Mac: Do you want to call a few places, see what's in stock? (Offers iPhone to PC)
  • PC: Thanks, I ... (starts to reach for iPhone, changes mind.) Ummm, no, actually I'm good. Everything's just fine. Okay, gotta go.
  • (PC shuffles dejectedly offscreen. Mac watches PC leave, then does a backflip out of frame.)

The technical paper is the article (4, Informative)

nmoog (701216) | more than 6 years ago | (#19954077)

Have a read of the technical paper [securityevaluators.com] from the article - Quite interesting. They used fuzzing to find a heap overflow vulnerability. They go on to talk of "Blackbox Exploitation", which I later realise has nothing to do with the cinematic genre.

Re:The technical paper is the article (4, Interesting)

iluvcapra (782887) | more than 6 years ago | (#19954291)

Most interesting pieces of information from the article:

Additionally, no address randomization was used in by the operating system.

the filesystem accessible to iTunes is chroot'ed such that only a small set of the filesystem is visible over this [USB] connection.

it is possible to modify the iPhone in such a way that the applications will dump core files when they crash. This is accomplished by adding the file /etc/lauchd.conf containing the line limit core unlimited to the iPhone using iPhoneInterface. Core files can be retrieved off the iPhone from the /cores directory, again using iPhoneInterface.

Under their suggestions:

Install applications such that they run as an unprivileged user. This would result in a successful attacker only gaining the rights of this unprivileged user.

I don't see how that'd help on a single-user computer., tho (another of their suggestions) chrooting all the running apps would be a step in the right direction. The researchers are politicians, too:

This limited access to the filesystem doesn't particu- larly serve a security role from the perspec- tive of a remote attacker. Instead, this serves as an example of design intended to protect the exclusivity of the iPhone to AT&T. If more thought had gone into protecting the applica- tions from remote attack and less on prevent- ing the unlocking of the device, the overall security of the device might have improved.

Translation: Running iTunes in a chroot jail makes the iPhone insecure, because my unicorn says anything done for the sake of AT&T is insecure.

Re:The technical paper is the article (0)

Anonymous Coward | more than 6 years ago | (#19954643)

d00d, ur talking unicorn is smart.

Re:The technical paper is the article (1)

Joe The Dragon (967727) | more than 6 years ago | (#19954837)

and what will happen with the EU I-phone that must be able to be unlocked by law?

Re:The technical paper is the article (1)

Ash Vince (602485) | more than 6 years ago | (#19955265)

You will be banned from exporting it outside the EU?

Re:The technical paper is the article (1)

Teckla (630646) | more than 6 years ago | (#19954415)

They used fuzzing to find a heap overflow vulnerability.

As someone who has spent a few decades programming computers in the C programming language (with a sprinkle of C++ and Objective-C), even I have to admit it's probably time to increasingly retire low level programming languages that are prone to these kinds of exploits (buffer overflows).

I wonder if there are "safer" languages than C with similar performance and memory usage characteristics.

Re:The technical paper is the article (3, Insightful)

ThosLives (686517) | more than 6 years ago | (#19954655)

<rant>

*sigh* I hate this argument.

Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device? It's not a language issue. I'm sure that unqualified folks will figure out how to cause all sorts of new vulnerabilities in "safe" languages. (Hint: there is no such thing as a "safe" language.)

I guess maybe I'm just in the "old school" camp that thinks that unqualified people shouldn't be allowed to do things. There's a reason why, for instance, amateur carpenters aren't allowed to construct public buildings.

Maybe we should actually require people to be licensed programmers...while that would weed out some of the problem, though, we all know that professional engineering licenses or whatever don't guarantee competence...

</rant>

Re:The technical paper is the article (3, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#19954899)

You can't just say, "Only super-leet programmers should be allowed to program C, because we never make mistakes."

First off, it's not true. Even experienced programmers make mistakes, and I've had issues where the API I was writing to was incomplete, and my implementation and the other guys implementation were just different enough that, in the right circumstance, you could have a problem. That stuff happens. It's always going to happen.

Second, in my experience, no C programmer ever thinks that they make these mistakes, it's always crappy programmers from somewhere else. At some point, you have to own up to the fact that it's a problem of the language and that, as long as you use the language, you're going to have the problem.

Now, if we could find something that ran with the performance curve of well programmed and tuned C, but without C's baggage of errors, leaks, and overflows, this would be a no-brainer. Unfortunately, that language does not exist, and hardware hasn't gotten to a level yet to make language performance irrelevant for consumer applications.

So we have to put up with C's issues. But if a new language is developed, or if processors keep increasing, the day will come when C will join Fortran as one of those languages that really only academics need to know, and it's because of crap like this.

Re:The technical paper is the article (3, Insightful)

Bill_the_Engineer (772575) | more than 6 years ago | (#19955903)

Your post highlighted all the dangers of ad-hoc programming.

Personally, I've seen a lot of "experienced" C programmers but only met a few good C programmers. I don't blame the language, instead I blame the programmer who gives into temptation and think they could just quickly code an application on-the-fly without any planning. A decent analogy would be that while a large number of people are familiar with the english language, only a small percentage of them can write a decent novel.

I am a C/C++ programmer, and I believe that I am capable of making even the dumbest mistakes when coding (especially during an exceptionally long programming session). This is why I test! I make my unit tests with the intent of making sure my procedures error out correctly, as well as verifying that it works correctly. I put special effort in data objects that are prone to buffer allocation errors.

I also design the overall program ahead of time, define the interfaces between modules, and go over expected application behavior with the test engineer.

I go through this because (1) the only true way to make quality software is to put forth the effort to design, test, and maintain the code from the beginning, and (2) I never expect any language to handle errors correctly.

Number 2 is important, since even if a higher language does handle out-of-bounds conditions, does it handle it in a way that doesn't cause a problem somewhere else in the data chain?

For (off-the-top of my head) example, if I had a string buffer that automatically grew to 518 bytes to handle an erroneous data entry and it stored it in a database record that only held 512 bytes, does it truncate the data or does it posts a warning. Remember this error wasn't caught by the programmer, so are we to assume that the programmer would check for this error when it came time to place it in the database? Or what if the application simply threw an out-of-bounds exception? If it wasn't tested for this in production, then this means it could happen in the field. In my line of business, it must be caught in production.

The reason *I* use C and C++ is because I need the speed that comes from not having the language doing all my thinking for me. If *you* think C has issues then maybe *you* need to use another language more appropriate for your requirements and your skill set. BTW, my colleagues would have issues about your Fortran comment too!

I am not saying C/C++ is the best language for every situation. I am just saying that I use C/C++ because of performance and space requirements. I am also saying that no high level language is a good substitution for good programming practices.

The issues related to this story require even more effort in testing. We are not trying to catch simple runtime errors, we are trying to prevent someone who has the intent to break the security of a program. This falls outside of the realm of high level languages even with the issue that caused this particular "breach."

For (another off-the top of my head) example, even the best programs can fall victim to a compromised configuration file. So effort must be made to give an application the minimum amount of security privileges necessary to do its task *and* make sure that the configuration files are not modifiable without higher privileges.

Re:The technical paper is the article (1)

dctoastman (995251) | more than 6 years ago | (#19956103)

You do realize that C's flaws are inherenet to C's strengths?

C is essentially a portable assembler. For C to function as it should, it needs to be able to do potentially bad things.

I've not seen one (usable) operating system not written in an "unsafe" language. Because eventually, we must get down there.

Re:The technical paper is the article (1)

SatanicPuppy (611928) | more than 6 years ago | (#19956497)

I'm not disputing that C has its strengths. The problem is its weaknesses cause problems all the time. While ideally we would have super-tight, super-quick code everywhere to squeeze the most out of our hardware, you have to ask yourself whether it is or isn't worth it to be dealing with the inevitable buffer overflows.

There are places where performance demands C, where the inevitable buffer overflow patch cycle is an acceptable trade off for speed. But there are a lot of other places where it's not the best choice but it creeps in anyway, because people are wedded to the idea that one tool really is all you need.

Re:The technical paper is the article (1)

LKM (227954) | more than 6 years ago | (#19954937)

Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device?

Because then nobody would ever program a device.

Re:The technical paper is the article (2)

VGPowerlord (621254) | more than 6 years ago | (#19955843)

Here's a tip: Your rant would be easier to follow if you failed to not use less negatives.

Re:The technical paper is the article (2, Informative)

VGPowerlord (621254) | more than 6 years ago | (#19955877)

For example: "Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device?"

would be easier to read as
"Why not just disallow anyone who has a history of programming buffer overflows from ever programming a device?"
although that changes the meaning slightly.

Re:The technical paper is the article (2, Insightful)

Teckla (630646) | more than 6 years ago | (#19956089)

Why not just disallow anyone not capable of not programming a buffer overflow from ever programming a device?

Because that's not realistic.

It's not a language issue. I'm sure that unqualified folks will figure out how to cause all sorts of new vulnerabilities in "safe" languages.

If you were to group bugs into two categories, "buffer overflow bugs" and "other bugs", the C programming language makes it possible for developers to code both kinds of bugs. If, by using a safer programming language, you can at least eliminate "buffer overflow bugs", why wouldn't you want to do that?

(Hint: there is no such thing as a "safe" language.)

(Hint: I never said there was such a thing as a "safe" language. I said "safer".)

I guess maybe I'm just in the "old school" camp that thinks that unqualified people shouldn't be allowed to do things. There's a reason why, for instance, amateur carpenters aren't allowed to construct public buildings.

Yeah, right. That'll happen, right after every little girl on the planet gets her very own pony, and we all slide down rainbows to work, instead of commuting.

As an experienced C programmer, I'm not just sitting around bashing C for fun. I'm just recognizing the fact that as our world becomes increasingly networked, security becomes increasingly important. If we can use alternative languages that minimize whole categories of severe bugs such as buffer overflows, we need to consider using them.

Re:The technical paper is the article (2, Insightful)

GooberToo (74388) | more than 6 years ago | (#19955281)

These failings are generally not a core issue with the programming language. Lazy or inexperienced programmers, lack of budget, and wide spread ignorance seem to lead the way with these types of issues. Then there are the problems caused by arbitrary release dates (get it done, we'll fix it later) and the total indifference of those which make the release decisions. Changing the language, at best, is attempting to hide the root cause.

Re:The technical paper is the article (1)

Fahrenheit 450 (765492) | more than 6 years ago | (#19955685)

But if these problems can be largely fixed at the language level, then it is indeed a core issue with the programming language, no?

Re:The technical paper is the article (1)

GooberToo (74388) | more than 6 years ago | (#19956131)

If these problems can be fixed by people taking software development serious, then it is indeed a core issue with people, no? ;)

Considering most languages these days (include C/C++; C++ much more so) already have facilities available to avoid most of these pit falls, I do not believe your comment has legs. Let's be honest here, the a huge chunk of these problems pop up because of complete indifference to the problems at hand. In these "safer" languages, different types of problems become more common, simply shifting the problem domain, because the root cause is still poor programming standards and practices. If the later is addressed the former is drastically reduced, regardless of the language. So it seems to me, without regard for the programming language, requiring higher standards and procedures addresses a broad range of programming associated bugs; exploitable or not.

Frankly, I've found programmer working on projects I wouldn't trust to wash my car and have no concept of the most basic of algorithms or best practices. So which is at fault, the super cheap bottom feeders or the language at hand? To be clear, problems extend well beyond just the bottom feeders as its held in place by a mass of consumers which are more than happy to buy buggy software. IMO, this is a standard squarely established by Microsoft as most simply have no idea they should have higher expectations.

Re:The technical paper is the article (1)

Fahrenheit 450 (765492) | more than 6 years ago | (#19956425)

If these problems can be fixed by people taking software development serious, then it is indeed a core issue with people, no? ;)

Fixing the language requires one thing to change, fixing the people requires an ungodly amount of changes.

And the problem with the "the languages have these facilities already" argument is that those facilities are not available as the default and are rarely used even when they would be essentially transparent. Make it so one has to expend effort to turn the safety features off, rather than on and people will start to use them.

Finally, with the bad programmer argument, yes, 90% of everything is crap. And bad programmers will be bad programmers in most languages. However, if you eliminate the most common mistakes that a bad programmer can make, you've saved yourself from having to find those bugs as well as the more complex bugs that they will make whether they're programming in C, Haskell, Ruby, assembler, or Erlang.

Re:The technical paper is the article (1)

GooberToo (74388) | more than 6 years ago | (#19956681)

Just as security is a process, so is programming. No change in language is going to cure a bad programmer. Period. Sure, a buffer overflow may now be addressed but they will simply be replaced with other critical bugs. This is the nature of inexperienced and low-end programmers.

To be clear, I believe languages like perl and python, so on and so on, are simply great! But I've seen some real crappy and buggy code which enables completely arbitrary execution of native perl, python, and even allowed SQL injection written in these languages. The only real cure is to fix the root cause. Anything else is either hiding or attempting to move the problem domain elsewhere in the code. Ultimately, the root cause is always the finger on the keyboard.

You'll also find the "most common" mistakes are made by the least experienced coders. You seem to be suffering from the approach that anyone should be able to code and the tools need to defend against idiots. No matter what, you must have quality *professionals* if you want professional quality code; without regard for the language in which it is written.

Re:The technical paper is the article (1)

TheLink (130905) | more than 6 years ago | (#19956521)

Yeah, C is still too hard for everyone except maybe 5 people in the world? Just a single scerw up and "attacker can execute arbitrary code of his/her choice". If you write in a safe language if you screw up bad things still happen, but it takes extra effort to do the "arbitrary code thing" ( e.g. SQL injection is harder in a safe language with safe libs - since the easy method is a safe method: use prepared statements and bound variables).

What has amazed me is the x86 only has one stack that's used by many popular programming languages for both addresses AND data. It is bad "hygiene" to have data pushed onto the same stacks as addresses. They should be kept separate. Sure there'll still be heap overflow problems and problems when you intentionally copy data from the data stack into the address stack, but the data got clobbered.

The performance may not be that bad because the CPU will know that addresses are always in the address stack - it's never random data - so that may help lookahead and branch predictions.

If that can be done then CPU manufacturers could also look into hardware support for a "taint mode" (like in perl). So if you try to copy data from a tainted area and use it in critical areas without untainting, stuff stops working instead of being "exploited".

Dear Author of Malicious Code (4, Funny)

chuckymonkey (1059244) | more than 6 years ago | (#19954169)

As a loyal Mac user and iPhone user I have to kill you.

Signed,
Mac Zealot

My life for Aiur!....errr Steve Jobs!

Re:Dear Author of Malicious Code (2, Funny)

elrous0 (869638) | more than 6 years ago | (#19955123)

[as I dowse myself with gasoline] It's all for you, Steve! IT'S ALL FOR YOU!!!

Stop waving that damn thing around (1, Funny)

pzs (857406) | more than 6 years ago | (#19954205)

Does that mean I can take control of an iPhone remotely and deliver a brisk shock to those smug b*stards proudly brandishing their "new baby" on the train?

Peter

Re:Stop waving that damn thing around (0)

Anonymous Coward | more than 6 years ago | (#19954217)

No. However, your time would be better spend getting some anger therapy counseling so that you don't get angry at somebody just for having nicer things than you. Get over it.

Re:Stop waving that damn thing around (1, Flamebait)

pzs (857406) | more than 6 years ago | (#19954381)

Dude, I couldn't give a rusty f*** if somebody has "nicer things" than me. I have the cheapest phone available because, shock horror, I just want to use it to make calls and not to act as a mixture between a fashion accessory and an invitation to get mugged.

I have no problem with people paying top dollar for an over-hyped PDA. I just find the endless fanfare over this incremental advance extremely irritating.

Go ahead, mod me flamebait again. Stinking iPhone users, the lot of you.

Peter

Re:Stop waving that damn thing around (0)

Anonymous Coward | more than 6 years ago | (#19954531)

Actually, according to your first post, you /could/ give a rusty fuck (whatever that is)

what exactly about using a phone on a train makes you 'smug', except that you aint gots you one?

Re:Stop waving that damn thing around (5, Funny)

riffzifnab (449869) | more than 6 years ago | (#19954541)

Should we be getting off your lawn now or is it almost time for your nap? d:

Re:Stop waving that damn thing around (1)

Wiarumas (919682) | more than 6 years ago | (#19954559)

While I also have no desire to own an iPhone (or a top of the line phone for that matter), I still view the iPhone as an excellent push by Apple (who even Linux fans have to admit control a large portion of the media industry) for a more mobile/PC device. Let's be realistic... while the iPhone is technologically in style and whatnot, you have to admit it is a pretty nifty device and is useful. Furthermore, with the amount of influence Apple has on its customers (half the friggin population owning iPods... even my mother asked me if I heard about the iPhone), pushing a device like this will make even the technologically unsavy wired to our ever growing technological bubble.

Re:Stop waving that damn thing around (0, Flamebait)

sholden (12227) | more than 6 years ago | (#19954609)

Wowsers you get irritated easily - other people being pleased with their purchasing decisions is "extremely irritating" when those decisions differ from yours.

Sure if they are using said iPhone to play loud music, or to reflect the sun into your eyes, or something. Hope you're taking your blood pressure meds.

Re:Stop waving that damn thing around (1, Funny)

Ohreally_factor (593551) | more than 6 years ago | (#19954737)

I'll make you a deal. I'll stop waving it around if you go put some pants on, grandpa.

Re:Stop waving that damn thing around (0)

kestasjk (933987) | more than 6 years ago | (#19954813)

Maddox's take on the iPhone [thebestpag...iverse.net]

Re:Stop waving that damn thing around (0)

Anonymous Coward | more than 6 years ago | (#19955451)

an invitation to get mugged
When and where?

Update Deployment (4, Interesting)

da_matta (854422) | more than 6 years ago | (#19954207)

It's interesting to see what the response to this will be and how long it will take to for Apple to to release and deploy a patch. Mobile phones don't typically the "fast background patching"-systems like PC's (mobile data typically costs so you can't keep checking for updates). And everyone remembers from "pre sp2"-XP what it means if it's up to the user to check and deploy patches (e.g. iTunes).

Re:Update Deployment (5, Informative)

jrumney (197329) | more than 6 years ago | (#19954231)

iPhone patches will be delivered automatically through iTunes, the same way iPod ones are. So while you won't get them OTA, it is still better than most cellphones which require you to go out and find patch installers, and in some cases these can only be obtained from official servicing agents, not over the web.

Re:Update Deployment (1)

clonmult (586283) | more than 6 years ago | (#19954657)

Can't comment for other manufacturers, but both Nokia and Sony Ericsson have been doing user/PC based firmware updates for a few years now.

Re:Update Deployment (1)

iluvcapra (782887) | more than 6 years ago | (#19954727)

When they do them.

Re:Update Deployment (1)

LKM (227954) | more than 6 years ago | (#19954975)

Updating my P990i is an absolute pain in the ass. I can't even do it on my Mac. Well, better than the P800, I guess. To update the firmware on this one, you had to go to a shop, and they'd delete all the data on your phone.

Re:Update Deployment (1)

Firehed (942385) | more than 6 years ago | (#19954785)

Let's not forget that there's OS X underneath as well, which is certainly more patchable than most phone operating systems. Which is probably for the better, as it'll be one of the most-targeted phones given its initial popularity and notoriety. Plus, we can probably assume that any OS X exploits found, or at least for Safari, would exist on Macs and iPhones alike.

Re:Update Deployment (1)

suv4x4 (956391) | more than 6 years ago | (#19955445)

Let's not forget that there's OS X underneath as well, which is certainly more patchable than most phone operating systems. Which is probably for the better, as it'll be one of the most-targeted phones given its initial popularity and notoriety. Plus, we can probably assume that any OS X exploits found, or at least for Safari, would exist on Macs and iPhones alike.

I dare you explain why would OSX be more patchable than other phone operating system.

And if you start explaining it's because they based it off of a full-blown desktop OS, I'll smack you in the head with a Windows Mobile brick.

Re:Update Deployment (1)

suv4x4 (956391) | more than 6 years ago | (#19955403)

iPhone patches will be delivered automatically through iTunes, the same way iPod ones are. So while you won't get them OTA, it is still better than most cellphones which require you to go out and find patch installers, and in some cases these can only be obtained from official servicing agents, not over the web.

Reminds me of the Flash 2004 fiasco - see, they didn't have time to actually finish the documentation. So they thought: we'd just spend less time on making it super easy to UPDATE the help after the fact, and we have all the time in the world to deliver updates!

Said, done. 2004 shipped with unfinished but update-able manuals. Then we waited for update... waited.. waited. A tiny updated was delivered at some point, but the never update never came. Instead, they shipped Flash 8 (next version), which came with equally crappy, but *updateable* manual.

Long live updates, for they mean we can shit in a box and deliver it as a complete product!

Re:Update Deployment (0)

Anonymous Coward | more than 6 years ago | (#19956219)

I have a Sanyo phone with Sprint. There is a menu option on the phone to get updates. No PC required. I click "check for updates", if there is an updates, it downloads it and installs, if not it states to check back later. My last several Sanyo phones have had this ability. I assume other carriers and other brands of phones have something similar?

Re:Update Deployment (1)

jrumney (197329) | more than 6 years ago | (#19956519)

The only OTA upgrades I was aware of was Windows Mobile 6 (for which phones are only just starting to appear). My Sony Ericsson requires you to go to their website, hunt down the support section for that particular phone model, follow promising looking links in a circle for a while, then click through a huge warning message that it might brick your phone and misleads you into thinking that you might need a special service cable (in fact you just need special USB drivers, which should be activated by the installer, but you have to hunt those down and install them separately too).

Re:Update Deployment (1)

aluminumcube (542280) | more than 6 years ago | (#19954279)

I think that a user wide field update is going to go smoother for the iPhone then any other PDA/Smartphone. The nature of the device - i.e. how deeply it is tied to iTunes - means that people are far more likely to synk with their main computer on a regular basis. iTunes is continually checking for updates and appears to download them automatically, even when the iPhone isn't connected. On the next sync, it makes sense that users would install the update (though it might just do that automatically, we don't really know yet).

Re:Update Deployment (1)

cybermage (112274) | more than 6 years ago | (#19954399)

mobile data typically costs so you can't keep checking for updates

With the AT&T/Cingular plans, you have to take data and I believe it is unlimited. Still, as another poster suggests, I believe the updates will come via iTunes.

I wonder, however, if iPhone users will be prompted on the phone to seek the patch through their iTunes. My wife has an iPod which she hasn't sync'd since right after we bought it eight months ago. It would be nice if they had an app on the phone that tells you that you have a security update waiting.

Re:Update Deployment (1)

cyberworm (710231) | more than 6 years ago | (#19954469)

" (mobile data typically costs so you can't keep checking for updates)"

Typically, you'd be right, but with the phone, they do require the unlimited data plan, so checking for updates once a day, isn't really costing. As someone else has mentioned though, updates are delivered via iTunes. :)

Re:Update Deployment (1)

Swift2001 (874553) | more than 6 years ago | (#19954933)

This is where iTunes shows its mettle, I predict. You have to plug the thing in every night to recharge. One night, you get a patch when iTunes opens.

no wonder they don't allow programming the thing (3, Insightful)

oohshiny (998054) | more than 6 years ago | (#19954209)

Systems like Symbian have mobile security built in from the ground up; for example, the system asks before any new application can access phone data or the network (similar to capabilities-based UNIX security).

Evidently (and, I suppose, not surprisingly), an OS X-based phone lacks these safeguard. I guess that's the real reason Apple has been refusing to permit third party phone apps on the iPhone, even though they don't cause problems on other phones: the iPhone software architecture just doesn't seem designed for it.

Re:no wonder they don't allow programming the thin (0)

Anonymous Coward | more than 6 years ago | (#19954463)

Systems like Symbian have mobile security built in from the ground up
It's a pity that they're so bug ridden and the APIs are so fussy about inputs, and there is no proper memory protection, so it's trivially simple to make a symbian app that breaks the security completely, reboots the phone, records phone conversations, stops the phone starting up at all, reads phone numbers etc. And that because symbian never really had any trusted source of software, anyone who installs symbian apps is used to installing unsigned apps left right and centre, and ignoring security warnings! Oh not to mention that they have 3 major versions and multiple minor versions of each of the sdks, which are all incompatible depending on which phone you are developing for, and only sometimes backwards compatible.

Re:no wonder they don't allow programming the thin (1)

dmpyron (1069290) | more than 6 years ago | (#19955297)

Symbian has been cracked. Every mobile OS has been cracked.

Re:no wonder they don't allow programming the thin (0)

Anonymous Coward | more than 6 years ago | (#19954679)

What the hell are you talking about?

If I find an exploitable buffer overflow in a default Symbian application, no amount of fancy security models can prevent me from owning your phone. As the security issue resists in an already trusted application!

Re:no wonder they don't allow programming the thin (4, Interesting)

brilwing (659717) | more than 6 years ago | (#19954791)

I don't know the newer Symbian versions 8 and 9, but till version 7 there was no security in Symbian at all. Every program could do everything. I have programmed an installation program that opened a GPRS connection, downloaded a SIS file and installed it on the Symbian phone without user interaction!!!
This was a bit tricky but it worked fine on Nokia Series 60 phones an on Sony Ericsson P800 and P900.

I don't think that Symbian managed it in version 8 and 9 to build in a ground up security, because the SDK is huge with thousands of classes.

Re:no wonder they don't allow programming the thin (5, Funny)

PolarIced (119874) | more than 6 years ago | (#19956401)

Here are some more examples of Symbian security (apparently their first priority):

1. The phone randomly locks up and/or turns off - this fools 3v1L hackers.
2. Won't connect to most Bluetooth devices - keeps hackers out. Very clever!
3. When syncing contacts, it mixes up all the fields so that an 3l33t hacker won't be able to make sense of them. You won't either, but at least you're safe.
4. Apparently has a built-in function to slow all operations to a C...R...A...W...L... - this prevents hackers from using high speed automated systems to hack your phone. Ingeneous!

Signed,
A proud owner of a Cingular Nokia (Swedish for moose dung) phone.

PS - Hack my phone. I dare you! Whoops . . . wait a minute. Let me reset it first.

Re:no wonder they don't allow programming the thin (1)

diamondsw (685967) | more than 6 years ago | (#19956449)

similar to capabilities-based UNIX security...Evidently (and, I suppose, not surprisingly), an OS X-based phone lacks these safeguard.

Damn, mod parent down. Mac OS X is a UNIX-based system, and has exactly those capabilities.

The Difference is Responsibility... (5, Interesting)

iMouse (963104) | more than 6 years ago | (#19954227)

Apple iPhone users should be content with the finding of an exploit by responsible security researchers. Unlike InfoSec Sellout (who is likely blowing smoke up his as*), Charles Miller and the rest of the Independent Security Evaluators team should be applauded for their work. They responsibly reported the vulnerability (and a potential fix) to Apple for investigation.

The Apple community should not in any way, shape or form, harass this group like they harassed InfoSec Sellout. I.S.E. are the good guys and as a 15-year Apple veteran, I give my best to those who are out to help Apple keep security at its tightest on their products and services.

Re:The Difference is Responsibility... (-1, Flamebait)

oohshiny (998054) | more than 6 years ago | (#19954297)

Why didn't Apple find this vulnerability themselves?

In fact, why didn't Apple build their iPhone on top of systems that are intrinsically robust against buffer overflow vulnerabilities, instead of keeping to push and perpetuate intrinsically unsafe technologies like Objective C?

Re:The Difference is Responsibility... (1)

iluvcapra (782887) | more than 6 years ago | (#19954385)

Explain the intrinsic unsafeness of Objective-C, as opposed to C or C++, and watch us laugh at you. Why doesn't Linus find all the vulnerabilities in the Linux kernel, after all, or the Apache guys in Apache, or the NT guys in NT kernel, or...

Explain the intrinsic unsafeness of the C dialects as opposed to Java, and watch us fall asleep while waiting for the Conway's Life game embedded on your home page to load up.

Explain the intrinsic unsafeness of the C dialects as opposed to C#, and watch us run screaming :D.

Re:The Difference is Responsibility... (1, Insightful)

squiggleslash (241428) | more than 6 years ago | (#19955267)

Explain the intrinsic unsafeness of Objective-C, as opposed to C or C++, and watch us laugh at you.

What a bankrupt argument. He never mentioned C or C++, and it would be entirely in opposition to what he's proposing if he argued that C or C++ should have been used instead of Objective C.

The GP argued that using an unsafe language like Objective C was a mistake. It was. Languages like C, C++, and Objective C, are increasingly difficult to justify while the increasing efficiency of safer alternatives such as Java and C# makes performance issues increasingly irrelevant.

Apple's problem is that it's inherited a lot of bad legacy technologies from NeXT. It's not alone, a huge amount of the problems we have with modern computer security have to do with our continued dependence upon 1970s OS and language designs, and the legacy issues related to the degree we relied upon those designs when building pretty much everything until the mid-nineties. That, and the poor rep systems like Java suffered due to initially poor implementations and marketing that promoted "platform independence" ahead of security issues, has made it difficult to get everyone on board with the idea of efficient, managed, operating systems and languages.

We can move away from environments like ObjC, but it takes the will to look at the alternatives and take them seriously.

Don't be silly! (3, Insightful)

hotsauce (514237) | more than 6 years ago | (#19955743)

Apple's problem is that it's inherited a lot of bad legacy technologies from NeXT.

Java did not exist when NeXT chose Objective C as their development language. Objective C was arguably the technically most superior language for applications development. It was (is!) cleaner and more object-oriented than C++.

C-like languages may increasing have less merit for appsdev today, but they certainly still have their place. You and I know little about the iPhone. It may indeed be the case that running a JVM on it for all apps is a poor choice.

Re:The Difference is Responsibility... (1)

fermion (181285) | more than 6 years ago | (#19956775)

The safeness of a language, at least for the basic code like the OS, should be the responsibility of the developer and not the language. The people who developed the iPhone code should know what they are doing, and developers who know what they are doing can use any language and make it relatively safe. It is a mistake that safety can imposed in every situation. Sometimes one needs to code without a spotter. This is particular true in code that provides basic functionality.

Now, for higher level applications, which have a completely different economic model, it is often justifiable to start introducing spotters, and sandboxes, and the like. This code is often written by unknonwn agents with unknown capabilities and motives. At the very least, it is often not feasible to put these developers to fully comprehend the security model and assumptions. Therefore, the ideal situation is to give them a fixed set of APIs to the OS, which are a compromise between access and security, and then provide appropriate language support. It is indeed the case, at this point, that Java is an ideal language for the random developer, providing the developer can write efficient enough code for the application to run tolerably. As an aside, on of the criticism of the MS DOS was that, allegedly, MS would not allow access to some internal APIs for security reasons, but did allow internal development using those APIs, thus breaking security.

So, under these assumptions, the OS is written in a language that is efficient, by known competent developers. For applications, some safer language is provided with APIs. On MS this is obviously Basic and C#. For cross platform, this is Java. For Macs, this is the Xcode environment with a choice of languages, which can be dangerous as unknown developers can choose an inappropriate language. In todays GUI environment, the key is the API, so the actual language becomes less important as most people are just going to string library calls together.

But here is the rub. iPhone is an embedded device. Embedded devices are not GPCs, and require that code is very effecient and compact as one cannot expect a abundance of cycles or memory. Common applications tend to be written in a low level unsafe language, and there is limited support for add on applications. This is why we see the MS PC with many applications, but I have not seen as much as address book hacked on the Zune. Anyone even suggesting that common applications on an embedded device be written in a very high level language really has little concern for performance. This is what Apple has done with the iPhone. Common applications seem to be relatively fast, and they do have problems. We are in for a long game of cat and mouse, and the only hope is that the Apple developers do know what they are doing and there are no fundamental flaws.

But what about the addon applications. Are they allowing unknown developers to code in C. No. Objective C. No. Java. No. To maintain security, exactly as this thread suggests, they are forcing these unknown developers to use a very high level scripted language. This cause problems for developers, but is the exact security model that this thread proposes.

Re:The Difference is Responsibility... (2)

tgatliff (311583) | more than 6 years ago | (#19954433)

Here is a better question... Why didnt then limit the Safari user account that it was running under... Please tell me that they were not running the browser on a root enabled account... Alla M$ Windows style.... (Excluding version 7 of course)

Re:The Difference is Responsibility... (1)

Graff (532189) | more than 6 years ago | (#19954921)

Unlike InfoSec Sellout (who is likely blowing smoke up his as*), Charles Miller and the rest of the Independent Security Evaluators team should be applauded for their work. They responsibly reported the vulnerability (and a potential fix) to Apple for investigation.
I totally agree. This is a clear-cut example of responsible investigation. They reported the bug to Apple and gave them a decent amount of lead time to work on the problem. It's no big surprise that Apple has already responded and the two groups are communicating to solve the issue.

People wonder why Apple doesn't respond to a group like InfoSec well the answer should be obvious: InfoSec is not in the investigation business to help solve problems, they are in it to cause problems. A lot of these groups are either in it to try to cause embarrassment to companies or to sell their findings to people who have nefarious intents. Many "security analysts" are simply greedy trolls who no sane company would give any sort of recognition.

There are still some decent researchers out there and the Independent Security Evaluators team appears to be among them. Thanks for doing the right thing guys!

Re:The Difference is Responsibility... (1)

Swift2001 (874553) | more than 6 years ago | (#19954953)

Yeah, you read the story, and you say, "My God! Actual 'security researchers', not snot-nosed hackers!"

haha (0, Redundant)

Bazman (4849) | more than 6 years ago | (#19954299)

You have been iPwned!

Neat - the interesting thing will be the response (4, Interesting)

jht (5006) | more than 6 years ago | (#19954387)

Now let's see how long until the first iPhone patch comes out, and if any of the other glitches will be fixed at the same time or if it's strictly for security. Obviously Apple's already been working on iPhone patch #1 and is probably just about ready to push it out after a month.

One functionality change that _should_ come out of this, though - I would turn off the default behavior of scanning for open networks and asking to join them. It wastes battery power, and the pop-ups for new networks are intrusive. In its place I'd put the AirPort icon in the display full-time (instead of just replacing the EDGE "E" when you are on a WiFi network) and allow quick access from there. I think, altogether, iPhone will be a pretty secure device after the initial flushing out of bugs, but this is a little different from traditional devices. iPhone has a classic desktop OS stripped down into a cellphone, whereas mainstream other devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems (or PDA systems) and scaled up.

(not replacing my iPhone with a Razr anytime soon!)

It's not the OS, it's the application. (1)

argent (18001) | more than 6 years ago | (#19955989)

Windows CE as used in 'Windows Powered' devices is pretty much a desktop OS. The WinCE API is derived from Win32, cleaned up and modularized and with its own set of libraries and a real-time kernel. It does support a traditional embedded OS model where code is executed in place from whatever file system is wrapped around it, but the "Windows Powered" handhelds don't work that way.

The first WinCE-based handhelds were pretty much "laptop replacements" with stripped down versions of Windows applications that run by copying them from a file system to RAM, explicitly use an open/read/write/seek/close mechanism to access files, and so on. There's a set of database calls for PDA applications that run on top of this. Microsoft subsequently stripped down the applications, removed the more desktop-like ones, and repurposed Windows Powered handhelds as "Palm Killers". By the time Palm lost the plot and sent haring off trying to port BeOS to the Palm in a quixotic attempt at fighting Microsoft on a field Microsoft was already abandoning they'd done a good enough job at "cloning" enough of Palm's look and feel that their current character recognizer is a better clone of Graffiti than Palm's current offering... but under the hood they're very "desktop-like".

I haven't worked with Symbian devices, so I can't say if they're more like a stripped down desktop or a classical embedded system like Palm, but the older high-end devices certainly looked more like a desktop.

The OS isn't the problem, here. It's Safari. The comments about finding crashes in Safari make me suspect that this is probably a stack/buffer overflow attack. If it's easy to crash Safari on the iPhone then they've got problems in the implementation of Safari on the iPhone... especially in the extensions to webcore that are unique to the device. If Pocket Internet Explorer had the same problems, then Windows CE would have the same exposure (luckily for Windows CE users, Pocket IE seems to be the most secure version of IE out... probably due to the fact that it doesn't include the same kind of "active content" support as the desktop version).

And the original article is right, the presence or absence of an official dev kit has very little to do with this... it just makes it harder to switch from Safari to another browser while Apple is easing Safari on the iPhone through its birth trauma.

Perfect Timing! (1)

yamamushi (903955) | more than 6 years ago | (#19954475)

I'll be ariving in Vegas on the 1st for Defcon this year, so sneaking into Blackhat to see this presentation will definitely be on the top of my list of things to do.

Kind of ugly though (2, Informative)

gelfling (6534) | more than 6 years ago | (#19955719)

Isn't this the same Safari exploit that's been known for a while?

iPhone owner is not surprised (4, Informative)

goodmanj (234846) | more than 6 years ago | (#19955729)

From TFA:

[Fuzzing] involves sending malformed data to the device in an effort to cause a fault and make it crash. The vulnerability we discovered and exploited was found in MobileSafari using fuzzing.
Since MobileSafari crashes every ten minutes or so for me with *well*-formed data, I'm not surprised to hear that this is possible. Apple *seriously* needs to push out a Safari bugfix asap, not just for security, but for usability.

Just open it up already, Apple! (0, Flamebait)

Lethyos (408045) | more than 6 years ago | (#19955825)

This has reached the point of silliness. Efforts to “crack open” the iPhone have been met with large degrees of success. As has been reported elsewhere, a developer tool chain is in the early stages [fiveforty.net] . The iPhone has been owned and the genie is out of the bottle. Apple, why not just open it up officially? Face up to the obvious fact that it is a hand-held computer with decent horsepower that many technology geeks will want to use creatively and constructively. Releasing official development tools will give a segment of the market what it clearly wants anyway (look at the rapid progress hackers have made) and give incentive for us hold-outs to buy-in. How much simpler does this have to get?

Re:Just open it up already, Apple! (1)

MachineShedFred (621896) | more than 6 years ago | (#19956855)

You don't think it's possibly because of contractual obligations to AT&T do you?

No, I'm sure that Apple wants to limit functionality everyone wants, because telling your customers what they want rather than listening to them and giving them what they want is a great business strategy.

I'm quite sure that if Apple could unlock it and make it 5x more useful to everyone, they would. It would only sell MORE units, not less.

An iPatch? (5, Funny)

Anonymous Coward | more than 6 years ago | (#19955851)

If Apple releases an iPatch, does that mean they support piracy? Arrrrrr, avast ye LAN-lubbers!

Good job there's no SDK, eh? (3, Insightful)

metamatic (202216) | more than 6 years ago | (#19956311)

It's a good job there's no SDK for the iPhone, otherwise there might be security problems with the device, eh Steve?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>