About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » Red Hat Diaries


Telephony Armageddon?

Get It

Try It

The iPhone is an incredible technological achievement. Parts of the technology have already been out there but putting it all into such a small device with such amazing screen clarity - and doing it all programmatically without a keyboard - is nothing short of sensational.

And the Apple programmers have outdone themselves in terms of impressive graphics wizardry.

And best of all it comes with the space age OS X finally rid of its Carbon toolbox shackles and architecturally optimised the way it's hoped that 'other' OS X will be built with time.

In fact it's probably inconceivable the dazzle of the iPhone be possible without OS X and the NeXTSTEP technology behind it. The latter jumped way ahead of its day by incorporating vector graphics through the use of Adobe's EPS. Today the successor uses the PDF 'upgrade'. Screen characteristics such as RGBA values are given in floating point and not in clumsy integers as used on other platforms. That all important 'A' - the alpha channel - is there enabling shadowing and what's called 'shared pixels' - giving you customised transparency. No other personal system can offer anything close to this.

Microsoft tried recently - but to achieve a pale copy ended up requiring four times the processing power and accompanying video memory - not exactly practical for a handheld device.

And as it's running OS X and as OS X isn't in this case compromised by 'beige box artifacts' it's principally secure.

It therefore comes as wonder what with all the work that's gone into this dazzler that the system architects should screw up as badly as they have.

Effective UID: 0

1. Apple run ordinary user applications as SUID root - as effective UID 0. This is a total no-no and has been known and understood to be such for a long time. Cocoa programming guru Don Yacktman once delineated the various associated dangers: the input managers, the Services menu, and the relative ease with which the malfeasants can get in. SUID root Cocoa apps are so dangerous it's not recommended to even use the keyboard in them: an input manager can usurp control and do anything and input managers always run in the context of the client process - which in such case is root. Meaning anything is possible - any amount propagation and destruction. Meaning anything can be hidden anywhere - and left lurking to come back at a prescribed date.

And meaning you lose control of your own computer / smartphone and it's no longer yours. So it can start spreading malware, hang out in botnets, send out mail bombs with exploits - and even ready itself to self-destruct on the birthday of Steve Jobs.

Code Type:       0000000C (Native)
Effective UID:   0
Parent Process:  SpringBoard [15]

Date/Time:       2007-06-29 20:27:24.929 -0400
OS Version:      OS X 1.0 (1A543a)
Report Version:  6

Exception Type:  00000020
Exception Codes: 0x8badf00d
Crashed Thread:  Unknown

2. Apple's web applications on the iPhone are already crashing. This is never popular but it becomes especially critical when the applications are running as root. A crash is but a hair breadth away from an exploit. Figure out how to reliably crash an application and the rest's downhill. And as the threats to the iPhone must come from the outside and as the iPhone does not otherwise advertise open ports this becomes the number one sought after attack vector. Visions of the Love Bug, Anna K, and all the rest come to haunt.

Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
alpine           (mobile)
dottie           (root)
guesses: 2  time: 0:00:00:16 (3)  c/s: 551883  trying: royour - b1o2w8

3. The iPhone comes with the root account enabled. It doesn't matter the reason given for this blooper: enabling the root account is a Bad Thing™. The only argument ever given for enabling it is for destroying it and changing the sudo requirement to the root password and not that of an admin. But in this case the root account on the over one half million iPhones already sold (and presumably in use) is already compromised.

[The root password is 'dottie'. The admin ('mobile') password is 'alpine'. Smart thinking.]

Put all the above together - the root account enabled (and now wide open) together with Cocoa web apps running as root that also are demonstrably crash prone and therefore exploitable - and you have the makings of a telephony Armageddon.

See Also
Learning Curve: iPhone OS X System Architecture

Thanks to Devon at Pixel Groovy for the excellent artwork.

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.