Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

iPhone Hacked Again

The 'heck run it as root' karma boomerang whacking Steve Jobs upside the head. Patch now available.


Get It

Try It

It's not been a good week for Apple. The autumn of 1996 was almost better.

First they grew horns and lost crucial popular support by nixing Google's telephony killer app and now they're hacked again - not by a radically new methodology but by the same thing people have been nagging about and worried about for over two years.

Running stuff as root.


Collin Mulliner and Charlie Miller - 'M&M' - alerted Apple several weeks ago about the bug. Typically they've received no response.

Android Too

Google's Android also got hit by M&M - and in some ways the bugs found there are even worse. M&M are also fuzzing Windows Mobile but haven't finished their research yet.

CommCenter

The most interesting bug M&M found in the iPhone concerns the CommCenter module that manages SMS amongst other things. And - shock and horror - it runs as root and is not sandboxed..

The 'run as root' iPhone debacle has been ongoing ever since the iPhone came out. Of course there are militants who've aggressively attacked security experts who've questioned this curious move but the fact remains that when all processes run as root then there is no security advantage over Windows - none.

And it doesn't take a degree in QuarkXPress to figure that out.

Versions & Consequences

iPhone OS versions tested were were 2.2 and 2.2.1; Android versions tested were 1.0, 1.1, and 1.5.

The Android bug kills the telephony process com.android.phone, breaking all ongoing communications and taking the device off the network. And the phone is permanently off the network if the SIM card has a PIN set: when com.android.phone restarts the modem is reset, clearing the PIN.

Oops.

The iPhone bug is somewhat more merciful but no less devastating. When doctored data is received, CommCenter crashes - and as with Android, ongoing communications are broken and the device goes offline. M&M point out this exploit can be used for 'serious' denial of service attacks.

Flak

M&M's revelations coming right on the heels of the Google Voice scandal meant comments have been particularly cruel. The following come from the thread at El Reg. But none of this was necessary. The hardware and software of the iPhone is brilliant and has never been anything less than brilliant - but the 'engineers' deciding how the device is to be run and what security it's to implement should perhaps go back to school and learn to listen a bit better.

Brilliant engineering.
 - 'Olivier'
Terrorists, the lot of them. Send them to Gitmo I say. That'll teach them a lesson or two for proving telco security is trash.
 - Nick Hilliard
What is it with businesses that don't bother to respond to people? How bad can Apple be if they can't be arsed closing a security flaw when it is so easy to exploit? Apple are so stupid.
 - 'Head'
Let's hope the jailbreaking terrorists never find about this flaw and end up crashing high ranking officials' daughters' iPhones. We all need those drunken facebook photos to start the day.
 - Charlie Wallace
Apple in my view actually believe the 'security through obscurity' argument that many of its users tout. They seem to be so enamoured by their own software that they assume it can't be hacked. This assumption then leads to making stupid decisions like running the iPhone's SMS client with root privileges outside of a sandbox.
 - 'Doc Spock'

PostScript: Patched

'Security researchers have apparently motivated Apple to kick out a patch that plugs an SMS hole in the iPhone's operating system', writes Richard Adhikari of MacNewsWorld. 'As demonstrated in a Thursday presentation at Black Hat, an iPhone flaw allowed hackers to launch malicious attacks through text messages. On Friday Apple served up a fix.'

See Also
Black Hat 2009: Fuzzing the Phone in your Phone (PDF)
The Register: Hijacking iPhones and other smart devices using SMS

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.