Hacking the iPhone
Never before has the calamity of giving in to fanboys been more apparent.
Certain clichéd expressions spring immediately to mind. Piece of cake. A walk in the park. Easy peasy. Child's play. They all seem to sum up what Charlie Miller must have felt when given the task by his boss Avi Rubin of finding a zero day exploit in the Apple iPhone in a week.
Charlie explained at the Black Hat briefings in Las Vegas on 2 August just how easy it was - and why it was so easy.
- OS X has over fifty (50) SUID root programs and the iPhone doesn't even worry about user privileges - everything runs as root.
- The web interfaces are overly friendly. Safari launches over a dozen other applications and if a flaw can be found in any of these applications Safari can be used as an attack vector to compromise them remotely.
- Crash dumps are very explicit and a lot of the source code is readily available - meaning you can build in debug symbols and get an even better idea of where you want to hack. Available source code is of course not unique to Apple but the following items are.
- No randomisation of load addresses, heap addresses, or stack addresses. Everything is always in the same place. Something like not only setting the table for hackers but actually spoon feeding them.
- Crucial parts of memory are both writable and executable. Meaning hackers can flip control out to other areas where code execution is not expected - and should not be possible. And perhaps most importantly the following.
- Apple 'branch' their open source code. As they have this weird 'beige box' still locked inside their operating system they cannot take open source contributions 'as is' and incorporate them into their updates. They need to retrofit their 'MacOS' into them - with all that means. And above all it means - in this context - time. Which results in Apple falling far behind the rest of the industry in terms of updates.
And as these updates are often security updates, it means not only that Apple leave their users wide open but also, because the code is originally open source, that the astute hacker can simply consult the 'change logs' for the real open source variants and see where bugs have been discovered and fixed. And given a few such disparities between open source outside Apple and open source within, the hacker has all that's needed to prepare a successful attack.
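The 'writable and executable' point above is the kind of thing a defender can audit for. The program below is an added example, not code from the article or from Charlie Miller's work: it parses a map table in the Linux /proc/<pid>/maps format and counts regions that are both writable and executable, then runs the same check on itself where that file exists (the iPhone's own tooling is assumed to differ; the sample table is constructed).

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format; two of the four
 * regions are writable AND executable. Addresses and paths are made up. */
const char *SAMPLE_MAPS =
    "00400000-00452000 r-xp 00000000 08:01 1234       /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:01 1234       /usr/bin/demo\n"
    "7f3c00000000-7f3c00021000 rwxp 00000000 00:00 0  [jit-heap]\n"
    "7ffd1e2c3000-7ffd1e2e4000 rwxp 00000000 00:00 0  [stack]\n";

/* Count regions whose 4-char perms field ("rwxp") has both w and x set.
 * Line layout: start-end perms offset dev inode [path]. NULL -> -1. */
int count_wx_mappings(const char *maps_text) {
    if (!maps_text) return -1;
    int count = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);   /* perms follow 1st space */
        if (sp && (size_t)(sp - line) + 5 <= len) {
            const char *perms = sp + 1;
            if (perms[1] == 'w' && perms[2] == 'x') count++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return count;
}

/* Audit this process (Linux only; -1 where /proc/self/maps is absent). */
int audit_self_wx(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[8192]; int total = 0;
    while (fgets(line, sizeof line, f)) total += count_wx_mappings(line);
    fclose(f);
    return total;
}

int main(void) {
    printf("sample table: %d writable+executable region(s)\n", count_wx_mappings(SAMPLE_MAPS));
    printf("this process: %d (negative = no /proc/self/maps)\n", audit_self_wx());
    return 0;
}
```

A hardened system should report zero such regions for an ordinary process; any non-zero count is worth explaining, since it is exactly the condition that lets injected data be run as code.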
There's a world of difference between this approach and that used by the authors of Inq.Tana, Opener, and Oompa Loompa: these latter exploits all went after design flaws. The approach of Charlie Miller assumes all code will have flaws, ordinary inspection will uncover many of these flaws, and documentation of these flaws will be made available as soon as the fixes are made available.
But not so at Apple.
Charlie cited one extremely sore spot as an example. Samba had an exploitable root vulnerability - long since fixed in the open source community - that's been open on OS X since February 2005 - two months before the release of OS X Tiger, two and one half years ago.
The exploit Charlie chose to win his iPhone from Avi concentrated on a Perl module fixed a whole year ago - everywhere but in Cupertino. As the change log explained exactly what was wrong and how the flaw was fixed Charlie and his team basically had the table set for them from the outset.
Never before has the calamity of giving in to fanboys been more apparent. But for the clamouring of this unsavoury lot things might be a lot better today. Open source modules could be kept on track with research in the rest of the industry. And hopefully that lackadaisical attitude that 'no one gives a shit about us' would gradually erode. While it may be true that no one does give a shit about hacking OS X that situation can't stand for long.
Hacking has changed completely in only a few years. Once the realm of pranks it's today big business. And business builds on occasionally small margins but with big numbers. The more targets you can find the better the odds of actually succeeding.
Hacking today goes after thin demographics. Has anyone been hit by the Samba hole? Odds are they wouldn't know about it. Hackers aren't after tagging their pseudonyms anymore - they want money. And Charlie demonstrated how easy it was to get that money. With 100% full access to his 'rooted' iPhone he could pick up any data he wanted - bank account numbers, passwords, anything.
The fanboys are going to have a hard time wiggling out of this one. All along they've screamed that they're more secure than IBM mainframes. The most secure system in the world. They didn't really care if it was Unix - they just wanted their precious 'Mac' interface - whatever that was. Yet it's pretty easy to see what would happen if the Fanboy Dream Machine™ were put on the Internet today. If it didn't crash on its own first - which is a distinct possibility - it would be hacked to smithereens. Today's connected world demands Unix - but it also demands proper use of Unix.
When black hats and gray hats and white hats come out and say Microsoft are better today at security than Apple - this is what they mean. Not that Windows is more secure - for it never will be. Windows is hopeless both today and tomorrow. But Microsoft's security procedures are better. They randomise memory; they protect memory; they try to keep all their systems worldwide up to date; and when they discover a flaw they can put the fix into production right away. They don't have to wait until Landon, Arno, and the rest of those graybeards retrofit the HFS multi-link system, Finder flags, COLOURS, resource forks, creator codes, and file types into it.
Thanks to Devon at Pixel Groovy for the excellent artwork.