Wuh-oh! Considering its popularity and the number of handsets floating around out there compared to the number of security exploits discovered thus far, I’d say Apple has done a pretty good job of keeping things locked down.
As this just-discovered flaw proves, however, nobody’s perfect.
You can read the full technical details of the exploit here, but to make one hell of a long story short: the iPhone allows settings configuration files to be installed over-the-air through Safari, primarily to help enterprise businesses setup a bunch of iPhones as quickly as possible. We’ve known this for a while – it’s a crucial part of easily enabling tethering on jailbroken iPhones. The user must must confirm the installation manually, and the iPhone tells you who it’s from and whether or not it’s a trusted source – which (we hope) most would be smart enough not to do in standard cases.
The particularly nasty part here, however, is that the anonymous hackers reporting the flaw were not only able to make the configuration file report back as “Verified”, but also indicate that it was straight from “Apple Computer” themselves. From that point, a pinch of clever web design and a dash of social engineering would be enough to convince the vast majority of users who stumble across a malicious update that it’s as legit as can be.
So once it’s installed, what harm can be done? In theory, it could be used to reconfigure the iPhone’s proxy settings, allowing hackers to redirect all traffic through a server of their choosing. It could also be used to wreak havoc on WiFi/e-mail settings, and disable the use of Safari, Mail, and a handful of other first-party iPhone apps. Worse yet, it’s possible to set the configuration file so that the user can’t remove it – so once it’s installed, getting it off the handset would require a full wipe.
Let’s hope there’s some way to fix all of this without nerfing the over-the-air configuration process all together, if only for the sake of I.T. guys everywhere. In the mean time: if you see a screen like the one in the screenshot above and you weren’t intending on provisioning your handset with new settings, you should certainly avoid hitting the “Install” button.
[Via ThreatPost]
Seems like a fun way to hijack someone’s iPhone!
It’s fun for some and not fun for others whose iphone has been hacked..
I think has Apple does n’t use Good testing methodology..
First(this week) we had problems with Apple’s iMac and now with iPhone..and next..?? iPad?
Every operating system has bugs. Every company’s products have defects. The iPad will certainly have its fair share of problems, but Apple’s security issues aren’t even close to those Microsoft is dealing with right now.
No no no — Apple does not have problem. Its Ad says that. It has NO problem at all. You most be from Microsoft or something — Let me repeat – Apple has no problem at all. It is a problem free machine. lol
Apple has no problem thats a lie i used stole nokia patents in all of its iphone nokia does alot in phone techonolgy iphone just comes and picks it up that made me hate iphone
Every operating system has bugs but this is a phone operating system. Comparing iPhone OS to MS desktop OS’s is a bit disingenuous. A more accurate comparison would be to Android, WebOS, or Windows Mobile.
How many of those OS’s have had hijacking flaws like this recently? (show your work)
Techcrunch are total apple zealots. If any other company had such a huge security hole, they would be all up in it with an over the top accusation. They just completely lost the last bit of tech credibility they had.
Shan…you post that comment every day about Apple. Did you get fired from Apple or something?
Shan – seriously? Sounds like you own too much MSFT stock and you are looking for a rebound.
Apple defense squad unite!
I think the main problem is why is verisign signing a
“Apple computer” certificate that’s not for “Apple computer”…
Umm, read the link. They aren’t.
err. . yes they are.
Reading fail.
Well that isn’t good. Who wants to be the first startup to create “push” alerts for potential security holes on the iPhone?
That’s payback for all those Apple fanboy who for years claimed that Macs didn’t get viruses, trojans and similar crap.
Ummmm no one claims the Mac is perfect at security just 1000% better than Windows. 10 plus years of OSX_Viruses in the wild A big fat goose egg. How about windows?
Haven’t had a virus since 1995 when I was a wee lad and there was a known virus roaming at the school labs and there was one on my old diskette.
Most viruses and security issues are cause mainly by the user in front of the computer. Put an idiot on a Mac, and they will get viruses too. It’s just that Apple is holding their hands a little bit, but it’s far from being bullet proof.
No one except Apple in its ads.
That is true, assuming you believe in the ‘security through obscurity’ means of protection. MS actually has better security built into its OS than OSX.
That being said, Apple continues to be the safest bet because @ssholes continue to code for the biggest bang-for-buck. Having a 95% worldwide market share makes MS the most ideal target.
If Apple continues to make inroads into that, the tables may turn. For now, being a minority is a good thing.
Too bad this isn’t a virus nor a Trojan. Did you even read the article? Or did you just equate “security flaw” in the title with “virus” ?
Do you have any idea what a virus is?
Well, hopefully a more sane voice than Joey, but pretty much feel the same way.
This does go a long way to making the point that market penetration has more to do with security threats than the software itself.
This is I believe the 2nd if not 3rd vulnerability found in the iphone.
MS put a single user system on the internet. MS used to ship there computers with super user privileges enabled. It’s a lot more than market penetration. MS made a bunch of poor engineering decisions. Windows (whatever) is not UNIX.
http://rixstep.com/1/20100120,00.shtml
From the sounds of it Apple has been just as ignorant to how security works in this iPhone flaw.
http://arstechnica.com/apple/news/2010/02/security-flaw-puts-iphone-users-at-risk-of-phishing-attacks.ars
“The very fact that Apple would confuse a browser keychain and an OTA trust management issue shows that they have not really given any thought about it,” the researcher told Ars.
Our source was able to obtain a temporary, signature-only test certificate from VeriSign with the name “Apple Computer.” Using this certificate, he created a fake mobileconfig file that appeared to come from Apple. A user that downloaded this configuration file OTA might easily believe that it came from Apple and click install. That’s where the really bad stuff can happen.
/endquote
It’s like using a key and lock for your home security but leaving out the lock.
Would this exploit be useful as a way of tricking the iPhone into installing home-made carrier bundles do you think? Could something simple like tethering be enabled on the 3.1.2 software (since Apple now requires these bundles to be signed)?
Until apple patches this flaw of course.
That doesn’t sound too good
There’s a new (-ish) comment within the article linked above re: “details of the exploit” that says:
Edit (2010-02-03): subverting HTTP traffic by setting the APN proxy is far from obvious as it relates to settings active with your phone carrier. This would not work e.g. on a WiFi hotspot.
For anyone who might know the technical side of this: Does this mean that this would only be an issue when I am connected to the Internet via the 3G network, rather than via WiFi ? So that, for example, if at home I connect through WiFi, I am “safe” wrt this particular flaw?
Please be nice, I admit that I am not overly technical (ancient CompSci degree but not much understanding of network stuff). 8^)
No, you’re vulnerable using WiFi as well. What the article states is that the mobileconfig file can be used to change your carrier’s data settings. This would kill your 3G connection, but you’d still be able to use WiFi connections.
Tis is so bogus. there is now “Apple Computer”. Apple changed their name to Apple Inc. 3 years ago, and has never use Apple Computer name since on anything!
That’s exactly why people are getting fooled. They don’t know this and are susceptible to these kinds of things.
It’s fun for some and not fun for others whose iphone has been hacked..
I think has Apple does n’t use Good testing methodology..
First(this week) we had problems with Apple’s iMac and now with iPhone..and next..?? iPad?
Personally, I quite like the fact that the iphone has vulnerability issues. This isn’t because I dislike apple or anything like that, but because it actually demonstrates human error, which proves once and for all that apple products aren’t built by fashionable, sharply dressed aliens (insert sigh of relief here).
In a way I also agree with Perry on the note of security through obscurity, however not so much on the market share side of things. My personal viewpoint is that yes, there are millions more viruses and malware in general for PC than for Mac, but possibly one of the largest contributors to this eventuality isn’t the fact that there are more PC users in the market, but that if you learn how to program (in your own time or through education) then let’s be honest, the most accessible languages are VB and C. Given that most pre-vista windows products tend to be designed in the void that exists between these two, its obvious that there will be more vulnerability issues for anything windows-based. That doesn’t excuse any shoddy workmanship by the guys at Ms admittedly, but take the monkey typewriter theory into account here: if you put a million amateur programmers in one place (er…..earth) with a computer and a fundamental knowledge of how to use one of these languages, eventually they will produce a malware each. The most prevalent reason as far as I can see for a lack of unix based malware is lack of accessibility to it. For example when you go college or university studying computing, most programming is done in vb or c, with a pinch of python and maybe some java, with a bit of unix usually thrown in towards the end. The hoops an amateur has to jump through to get elbows deep in unix code and understand it without any direction from somebody experienced in it are just too far off the ground, which means that tons of malware programmers simply can’t be bothered with unix, and I don’t blame them.
@Ken
Be it apple or Microsoft ,I will be criticising them if the products does live upto the standards they themselves created
Once they are well established they skip the well established procedures for developing/testing the code/device in order to get better of competitor
By this they are doing more harm to the customers than ever who has bought it
As usual, it’s a tempest in a teapot. This security problem only applies if you hand someone your iPhone and let them connect it physically to your computer.
If you give me physical access to ANY computer, I can take it over. Gaining access to an iPhone you’re holding in your hand isn’t much of a threat.
Similarly, phishing and trojans are not something the OS can control. If you’re stupid enough to tell the computer to install something, it’s supposed to do what you tell it to do.
For phishing, trojans, and physical access exploits, all systems are equally vulnerable. For self-replicating viruses, there are ZERO instances on the Mac. None. Zip. Nada. Compare that to several hundred thousand on Windows.
Furthermore, the whole argument is flawed. It is completely unquestionable that Macs have a much lower risk of being infected than Windows machines. You’d have to be a moron to deny that. So if you’re buying a computer and are concerned about security, does it matter whether it’s due to the OS design or obscurity? Of course not, the Mac has a lower risk, no matter what the reason, so it’s a better choice. Sure, you run the risk that 20 years in the future, Mac OS X might reach 50% market share and be just as bad as Windows, but there’s no way that’s going to happen during the life of any computer you buy today. If security is a concern, Macs win hands down. iPhone, too.
There are viruses on Macs, don’t spread desinformation:
http://antivirus.about.com/od/macintoshresource/Macintosh_Viruses_and_Mac_Virus_Resources.htm
I think most of you here are either pro mac or pro MS, if you think as third person then you will see the situation clearly.
Microsoft is a target of most of the virus because viruses are made for windows operating system using same codings by Die hard Linux(Linux) lovers, to bring down MS and make their OS famous among people.
They want to make impression on users that they r more safer then MS.
Do you guys know there are 30000 viruses created everyday, some are modified and some are new and risky.
I have Mac at home, i have Ubuntu on my personal PC and i have MS Os on my work laptop.
out of all i still like MS because it gives me more control over the OS and i feel good about it. viruses Linux and Mac they want to keep things in their hands or make things extra tough for normal users who don’t know pro stuff.
I will never buy mac again, at list till they give me more control and options for my OS. Unix CRAP CRAP CRAP CRAP.
Microsoft is Best.
MS doesn’t give you more control of the OS than Linux. All that means is you don’t know how to really use Linux.
I say this as a Windows user.
Thou knoweth not what thou sayeth.
MS gives u more control than *nix? I think u are high on something or u really don’t know *nix as much as u think u do
I think I can see another ‘macrosoft’ conflict brewing here over something that is not a pc/Mac comparison matter, but here’s my opinion anyway:
The apple consumer base further perpetuates the image that apple customers seem to think that ‘they’re all in it together trying to escape the tyranny of a pc-dominated police state,
Which is quite simply not the case.
Many pc users, myself included, actually have a lot of respect for the technical finesse of apple computers. They are fast, reliable and their Os is, as many apple users will vouch, a very pretty interface without consuming massive amounts of RAM or CPU power.
With this taken into account, many pc users would happily compliment apple’s machines, were it not for one simple fact: this respect is completely one-way.
This is not a fault of apple as a company. In fact, accept this as an official disclaimer: the attitude of most apple customers is not apple’s fault. A great deal of apple users, in my experience anyway, seem to consider themselves as some kind of oppressed people, an image which is completely self-imposed considering the seemingly obligatory sense of superiority that many ‘applistas’ use as a crutch to sustain their justification for existence as soon as they buy an apple product.
Its almost as though their obsession with apple’s devices transforms them into the computing equivalent of a stepford wife, complete with that patronising look of sympathy that they give pc users, as though admitting that you own a pc is like admitting to being a 94-year old virgin or having leprosy. Obviously they’ll try to ‘console’ the pc user, explaining, in intricate and moment-for-moment detail, how owning a Mac or iPhone or iPod has changed their lives beyond all realms of possibility. How since they got a Mac, velvet ropes have parted, footballers have been inviting them to parties, lunch dates with Jesus, all the usual stuff. The fact of the matter is quite simply that apple users – at least some of them – want to be seen to be a certain way. Its like sitting in the window seat of an arthouse restaurant with the specific purpose of being seen by passersby as someone who eats in arthouse restaurants.
As aforementioned, I do not believe this to be all of apples customers, but the fact is that there are a great many of them who are, for want of a better expression, in it for the image. Apple, in all fairness, haven’t helped. Every time they unveil a new product, the deliberately snub the Consumer Electronics Show and book a convention centre so that they can unveil their products privately, among the products are the original ipod, the macbook air, ipod touch, the iphone and most recently, the fabled ipad. This, as far as I can see, serves as a brilliant excuse for apple users to feel ‘segregated’ from the computing world, and in turn, give them enough reason to feel like some kind of freedom fighter against the pc ‘regime’. Much of this shines through in the way that many apple users will jump blindly to the defence of apple, without even being provoked, and then not even mentioning any of their good points as a company that makes excellently engineered products, but rather by making slanderous and ill-informed comments about any and all other companies in the market that could be considered a competitor.
And to set the record straight, this is fact. I know that many Mac users who read this will be offended, and in turn, I implore the pc users who read this to think back to all those times that your friend who owns an imac g4 has:
-said you wasted money on your 3 and a half thousand pound alienware pc, warning you that it would be broken in a month,
-called Bill Gates (who just happens to be one of the most generous entrepreneurs of our time) evil,
-called you a fool for buying a creative zen rather than splurging an extra eighty quid on an ipod, in spite of the fact that creative have been engineering some of the worlds best computer-intergrated audio hardware and DAC chips for the past two decades.
And speaking as a pc user, I do get quite riled by the general consensus attitude of many Mac users. I respect the hardware and the time and effort and finesse and manpower that goes into that machine they hold so dear, so why do they not respect mine? Why is my PC viewed as a blight on a potentially burgeoning era of computing, and in short, why am I met with such elitism at every turn?
everybody remembers the ‘Mac and PC’ campaign that was launched by apple a few years ago, which to me was the most enormous and unwarranted slap in the face to everybody who owned a PC. It portrayed the typical PC as a dull, dumpy, slow-witted middle aged man in a brown suit who only had a mind for mundane tasks such as spreadsheets and databases, whereas the Mac was portrayed as a tall, slim, witty, “easy-goin’-kinda-guy” man who was casually dressed and piously ‘fun’. Considering that the windows PC is yet to be topped in the race for best-selling videogame format of all time, maybe they’re not such dull beige monsters after all.
What’s that Mac? You think games are immature and infantile? How odd, considering that all your adverts say that the PC’s so boring and if we want to do the really fun stuff we should come to you.
However, we all know the end of that story. Microsoft was effectively handed the ammunition on a plate to launch the counter-advertising campaign, which quite simply started “I’m a PC, and I’ve been turned into a stereotype”.
Strangely enough this campaign didn’t stoop so low as to badmouth apple computers like the Mac and PC campaign did. Instead it simply stated that the average pc wasn’t all pie charts and printouts, but for all its failings is just as multi-functional than its apple counterpart, without saying a word against the company that had tried to drag microsoft through the mud a year before.
All I can say is that there is no right or wrong answer. It is all down to personal opinion. Note the word personal, and to any Mac users out there who think you’re better than everybody else or are fighting some kind of war against the PCs, grow up. You are doing little more than a six-year old who brags about how life-changingly amazing his toys are because it costs more than a toy that is very similar.
I admit the Mac is a better machine, and surely is the equivalent of a rare sportscar to the PC’s average everyday road car, but I still don’t want one. I know how much its changed your life, but maybe I don’t want my life to be changed by a computer. And in many ways I agree with the logic of ‘why have a normal everyday car when you can have this rare sportscar instead?’ In short, I know how to fix my everyday car, I don’t need to send off for special parts made thousands of miles away (possibly by aliens). There’s a PC repair shop in pretty much any town you go to, and I can fix a PC myself without having to spend hundreds of pounds doing it. I’m yet to see a Mac repair shop. What’s that? You can just post it back to apple, they’ll fix it and send it back? Actually, that’s quite reasonable…provided that its still under warranty.
Its a fact of life. Politicians lie, prices rise, computers break. I don’t want to be sitting around without a computer for weeks when I could just fix the one that’s broken, and I don’t much appreciate the fact that because my computer breaks a bit more often than yours, you feel the need to try and make me feel stupid as a consumer. I wouldn’t come into your house and say “your TV’s shit, mines better because of x, y and z”, I wouldn’t call you an idiot for buying a Mac either, but I still don’t want one. So stop telling me what I’ve heard a thousand times before and stop acting like you’re so much better than me, or just fuck off and stop being such a smug prick about it.
+1MILLION
For once, a sane and reasoned comment on the Mac vs. PC debate. Thanks for sharing.
For me, Macs are like Amsol syntetic oil – it is somewhat better in mostly intangible aspects, but too pricey to be considered seriously.
Amsol oil has the same army of annoying followers and evangelists, almost to the point of multi-level marketing.
Macs, Amsol oil, pure organic Sumatran coffee, etc are of course very good, no question, but for most people the advantages do not have much utilitarian value.
Brilliant… absolutely brilliant… Hats off to you…. Can’t wait for the fanbois to retaliate to this… lol
Mac user here running both Mac OS X and Windows 7 through bootcamp. Absolutely brilliant. Have I mentioned that I love you? Cuz I do, I don’t know you, but I love you.
No, your Alienware will not break, though if you want a customized desktop, seeing as you can repair the computer, it won’t take much to learn to build one from there. Build one next time and save yourself boatloads of money, I’m sure you can make it awesome. A well-built computer for 2,000 dollars will make 5,000 dollar Alienware desktops red with envy.
Actually, the attitude of mac users versus PC users is Apple’s fault, or haven’t you seen some of the 30 + PC vs Mac commercials? These are vicious attacks by one company against another…
If Apple were a car company, everyone would be saying their reputation is ruined, and the media would be harping on about it for weeks…
I never said anything about windows being easier to use than linux
So lets tell everyone the scoop so more guys can go to work on causing even more issues.
You are a fuc*ing idiot for posting this article.
You are giving the trouble exactly what they want.
Get a life and write about something that wont cause issues and wont get more nasty people to try and replicate what one guy has done.
Learn to shut your trap hole. You As*hole.
Do you have no understanding of vulnerability disclosures? If the Proof of Concept is out in the wild, that means the Bad Guys already know how to do it and have either done it already or are currently tinkering with it anyway.
The blogs always hear this kind of news after the discovery’s been made and possibly even tested – by publicising the flaw it benefits those who would otherwise not know of it, and it doesn’t worsen the problem as it contains no links to PoCs, demos or explanations of how the vuln was put together.
Please shut up and l2p at Internets.
@ Chris woods and zen – thanks guys, I’m just getting sick of the whole rivalry thing, its been going on for like 6 years now and I’m tired of it :s if you guys are on xbox live add me, tags executiv zombie
@executive_zombie, whew! I hope you feel better! ;-) But I’m still not sure what you tried to prove. 8-| I agree that what you or I decide to use is our personal choice, no one size of anything fits everyone. ;-) But, if you publicly list and admit all the faults of your choices, I fail to understand why you think others should follow. But I assure you that I am perfectly happy to let you continue in your ways, just don’t lead others astray because of your lack of logical skill. Oh well, “You can lead a horse to water…” LOL! Have a great day, heck have a great month! :-) Oh yeah, Happy Valentine Day!
VeriSign blogs about the new iPhone vulnerability
http://bit.ly/iPhoneCert
i think some people should go outside a bit more often instead of crying about which OS is better, every1 has different tastes and ability levels on an OS, your all so wrapped up in cyber world u need to get a grip of reality and start sleeping with girls insted of measuring ur depressingly insignificant dick size by shouting at each other about an operating system :S
good night…..much love
Just curious,
Why could it potentially be impossible to wipe the settings from the iPhone? Couldn’t they just be overridden by the user?
What zombie said… Mac seems to be more about buying emotional attachment than buying a product. To me “just works” means the people using them don’t work, and don’t want to work. I am no computer geek… but i do feel competent with my windows PC. Like I have a working knowledge… and can exercise it. Like the difference of gardening and having a gardener. The gardener tells me it’s the best.. he plants it and I believe it’s best cause he said so. He sure won’t like it if I add my personal quirks even if I like my own. And I can always say… “my gardener said” … which some people like to say more than the garden itself. Linux is different… I have used it and those people earned their stripes… and of course for free. Their emotional attachment is at least through contribution. I found the work more like making a rock garden.. very nice but a lot of labor. I think Mac owners feel they deserve respect for being wise… and the more people don’t accept their product as patently wise the more they try to convince themselves and others they are. When you pay someone to think for you… you are definitely set up to be defensive about it. Now it’s being defensive by being offensive… and they look kind of pathetic. I won’t be buying an Apple product until no one wants to make it a topic of dissuasion in my life. Either good or bad. I like turning on my computer and just using it… no comment required. I don’t think it’s a reflection on me one way or the other but Mac people seem to feel theirs is on them. And I guess it is but in my case… not in a good way at all.
All written by Windows fan boys… Simple solution to the problem
Don’t Hack Your Phone. If you want to tether get onto your phone provider, better still, get onto the ombudsman about the outrageous prices charged by Telstra in Australia
LOL… windows fanboys…. they are like left over hippies… all there is is anti-Mac sentiment which doesn’t make a person a fan of anything. People have gotten over Windows a long time ago… it’s just a tool for the job. Mac fans just look like tools…:)
“Security Update – Contains: Web Clip”
?
Hmm… ;)
Love the post Executiv! Couldn’t agree more, and I love my Mac, but I also love Windows 7. Apple has some issues to be sure, one that really comes to mind is the not digitally signing their security updates, so that I may MiTM you and your Mac, send you a “security” update and you just ran what ever piece of pwning code I wanted you to run. And it’s pretty easy to do. I hope all you other Mac users don’t get your updates via open wifi…
Security by obscurity is not security if you don’t take the proper steps to make it secure. Sure it will give you a warm feeling inside but it won’t make it any harder for someone to pwn your machine…..
Hi-Tech Institute of Mobile Technologies, providing technical education, Mobile Repairing Course, Mobile Repairing Course in Delhi. Hi-Tech From our humble beginnings in January 2004, Hi-Tech Institute of Mobile Technologies, providing technical education, has grown by leaps and bounds to be regarded as one of the foremost institutes for mobile technology and research in India.
Mobile Repairing Course