Security researchers have discovered a security flaw in Apple's iPhone that could allow miscreants to wreak havoc on users of the highly-revered device, which has been dubbed the Jesus Phone by its more blindly faithful users. A proof-of-concept website that exploits the vulnerability secretly siphons SMS text messages, contact …
And so it begins :)
This shall be fun to watch unfold, I can't wait to join in on the fun.
I am still waiting for my exploits to be found, but I am not sharing with anyone (but if they fix this bug, I may be out of business).
I keep a harmless exploit on hand for parties where there's ALWAYS a fanboy who thinks he's god...
"Apple representatives didn't respond to a request for comment."
Well of course they bloody wouldn't, not when they tout 'security is our #1 goal lawl'.
And where have all of these exploits come from? All the attention that Apple has been hyping for its new phone. Can you hear all the security pros and novices out there, Steve Jobs? The reason Windows gets so much flak is because of the so many people trying to break it. And the reason so many people are trying to break it is because it's the most widely used operating system. Since the iPhone is so pushed and hyped, everyone's (term used figuratively) going to have one. And that's going to mean a lot of targets, especially if it can be used in a manner to record things!
Maliciously crafted website?
Isn't that how so many sploits get run? Whatever they're doing (haven't watched the video yet, not going to Blackhat this year) I'm sure it's mostly a Safari vuln.
I for one
am shocked, but not surprised.
Maybe the hackers will be kind enough to release an SDK for the iPhone so people can actually use it.
in related news
in related news... ' apple fanbois ' are goin back in time to revert the errors of steve 'god' jobs and to erase the security team that have found this...
and I guess later they'll erase this post too
Money ok fix that bit, anything else who cares!
If someone can steal your money this needs to be fixed but if it only means you get caught with your pants down or your dress up you probably deserved it anyway. I couldn't care less who reads my texts to girlfriends but then I haven't dreamed of being someone's tampon as Prince Charles did that time, ..... ho ho ho!!! Why not sort the bank aspect so anyone who steals your money can be tracked down easily and jailed and leave the I-Phone as intended, open for anyone to look at for any reason.
"In all, about 215 person hours were devoted to the project."
I always considered El Reg to be one of those very few places where political correctness is laughed at. Preferably while clubbing baby seals.
So, what's wrong with "man hours"?
@David Eddleman - [Yawn]
That old chestnut that the quantity of security flaws is related to how many people are looking for them rather than the more logical view that it is related to how secure something is.
I don't care for either windows or macs or the iphone, but I get the impression that there have been some shortcuts taken on the iphone to get it out on time.
The reason it's such a revelation is that macs are on the whole pretty secure.
Criticism is good though if they use this info to improve the device.
This story is a complete lie. We all know that Apple products are 100% safe and hackproof while Windoze is 100% open and hacked.
Steve Jobs is a god, and Gates is the devil.
Windows ships with bloatware, while Apple never does (so I never make music or use the photo album, but that's not bloatware, it's a feature)
It's OS X
It runs Mac OS X, which is based on FreeBSD. Of course it's possessed by daemons!
In the PR world there is no such thing as bad news.
Apple are probably happy as pigs in muck to have any kind of article written about the iPodophone. Choosing the web browser as the software platform for the device was a bad decision both from performance and security perspectives. If apps all run at a privileged level then that is plain stupid.
They have the mach kernel, an extremely good API with Openstep and with Objective C a highly productive language for developers so they could make the thing secure, fast and open for developers, although they might have as much fun integrating a real time signalling environment with the toys as everyone else has had. But I suspect they just want to shift as many of the things as possible and there are probably enough fanatical customers out there who will just upgrade to the next one which will be "even cooler".
What the article doesn't tell you is just some of the security measures introduced by Jobs and co....
There's no 3G on the iPhone. The GPRS is so slow and the wifi so buggy that hackers are bound to just get bored and go play with something else. I mean if they want your bank details it's gonna take them about half an hour to get the phone to dial up!
Nice move Mr Jobs, now I see your thinking in releasing a phone with last generation networking.
Oh, I can't wait. All those Apple disciples who've spent years in a security bubble caused by next to no-one running their system, happily browsing the web from their iphone at a snail's pace, being turned into jelly by a hacker who turns the iphone's microwave transmitter to 100%.
The Anti-Fanboys are out in Force Today!
Here's your chance for a little self-esteem guys, go get it!
For the first fanboy comment that says "So what if the iPhone's security is utterly broken, because [some windows misfeature exists]", totally missing the point, as usual.
Release/patch/update fatigue anyone ?
And so the Wintel fanboi Apple stirring continues ;)
Although it's quite clear El Reg get a kick out of people reacting to it now, are quite aware of people's reactions and don't really care either. Boys clubs are good like that!
There's an old saying there's no such thing as bad publicity, so the joke is on El Reg every time they post something, even when it is predominantly negative, it still helps to get the word out about the product.
I'm sure many more flaws/exploits will probably be found with the iPhone too, but that won't stop it selling by the dozen. If this had come out prior to the iPhone's release then like the Sony PS3 it *may* have dampened enthusiasm and created some kind of backlash, but by the time it comes to market and a demand is established, you're doing little more than pissing into the wind.
In my opinion, anyone who is actually serious about technology, and is not blind sighted into any particular camp is probably sitting back as I am and evaluating all the technologies on the market before jumping in and being some early adopter who has caught up in all the hype.
There is already anticipation for an 'iPhone 2' for the reason that even though many see the potential of the iPhone, they also see all the teething problems it is having too, so as the product matures, so will its market most likely (just look at the way the iPod market has developed over time with ever evolving products to make the comparison).
Similar is true for the Zune, with Zune 2.0 looking to be Microsoft's 'real' product for their launch into the EU, despite the many inadequacies of the original Zune design.
Sony's PS3 too has had spectators holding back due to shortcomings there, but with new firmware updates and a slowly building software library, this too gives them a chance to turn things around there as well.
So yeah, the iPhone is far from flawless, but it's a product which clearly has the right idea, but still needs to mature before it turns into the kind of product which has gained the same level of respect much of Apple's other gear often manages to get.
You state: "... which has been dubbed the Jesus Phone by its more blindly faithful users."
The iPhone has been dubbed 'Jesusphone', before it's released, by its opponents – the so-called Apple 'Hateboys' – to counter-spin the overwhelming iPhone hype.
@ David Eddleman
"The reason Windows gets so much flak is because of the so many people trying to break it. And the reason so many people are trying to break it is because it's the most widely used operating system."
So, then, how come Microsoft IIS, which runs less than 1/4 of all the world's web sites, gets about 20 times more exploits than Apache, which runs over 2/3 of all the world's web sites? That certainly isn't because IIS is the most widely used web server.
Don't forget that the iPhone can (and will) get firmware updates, pushed out through iTunes, so effectively mandatory. Unlike all other phones, which will usually retain bugs and security flaws throughout their lives, as nobody except the most diligent will go to the trouble of finding and installing firmware updates.
Computer in security flaw shocker
We're getting all hot and bothered over this??
Christ.....how many security flaws do they find in Windows each month, and we're getting our knickers in a twist over a single one in the iPhone. Has our sense of perspective gone on holiday? It's a computer. It's gonna have security flaws.
Actually, wasn't it Gizmodo who coined Jesusphone? I don't think it was either malice or blind faith, just some gentle fun. You know, by people who aren't desperate to push their own agenda...
I wait to see this exploit validated; a video is proof of nothing, of course. According to the researchers in question, a fix was provided to Apple, so I'm guessing we won't have to wait too long to find out. Sounds like they're being more responsible than most "security" types, though I suppose no one could resist a bit of publicity.
The real issue here is that the phone apparently allowed unsigned code to run. Processes running as root (and I'm sure there must be a reason for that) are very much a nonissue if you're preventing access.
Joining wifi networks with known SSIDs is obviously not seen as a major security issue. Windows and OS X do it. Don't have different standards for different products.
@Dillon Pyron - according to the video, yes, it's a Safari exploit.
@#1, who left no name: Of course you've got an exploit. You're certainly not some anonymous bloke on the internet full of hot air who tries to wind other people up, are you? :)
any patch/update trackers in here!
I'm NOT a patch/update tracker...does anyone know how many patches/updates have been issued to Vista/os x since Jan-'07?
Excerpts from Computerworld's email interview (found at http://www.macworld.com/news/2007/04/30/daizovi/index.php) with Dino Dai Zovi, the New York-based security researcher:
Q: From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
A: I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code.
@ A J Stiles
"So, then, how come Microsoft IIS, which runs less than 1/4 of all the world's web sites, gets about 20 times more exploits than Apache, which runs over 2/3 of all the world's web sites? That certainly isn't because IIS is the most widely used web server."
What you fail to consider is what proportion of the world's servers which are maintained by untrained staff, with little or no knowledge of security, patching or good practices run on Windows v Linux. If I was to make a bet, I'd say that the vast majority of people maintaining a server without the required knowledge will be doing so with Windows, therefore that alone makes Windows a better target for the bad guys. After all, logically doesn't it make sense to target those users / servers which are most likely to have not been properly secured?
I'll admit to not being up to date on the number of Apache exploits out recently, but I do know that there have been very few for IIS in ages. Most patches for some time now have been primarily relevant to client usage, not server. I can only think of a few patches this entire year which have actually been a risk to a properly maintained IIS server.
To any one who says that apple macs are 100% secure....
Just shut up now
I can't wait...
For the commercial release from FIC / OpenMoko, should intensify the debate a bit. It's worth a look by anyone not blindly following Steve. www.openmoko.org
Wish people would get this worked up over a windows flaw.
So it took them 215 hours did it?
That's 2 to 3 weeks right there.
Why am I not impressed? Because that sounds like they have no life... no girlfriend.. no job... no nothing.
What do I see? A total waste of time and good writing.
<yawns> If people are so obsessed in ruining an apple product..they shouldn't rely on total idiots to cause the infection to be possible.
After all.. it "Does" require a user to visit a maliciously coded site doesn't it?
Talk about stupidity from the get go....
Wanna impress me? How about bypassing user interaction altogether! Now you're talking.
Otherwise... I really wish people would just shut up... who gives a flying rip about this stuff... I'll even bet it's not a root level attack.. total.. waste... of.. time!
And you had to go and spoil it, didn't you?
Here I was, laughing at all the sad sacks posting about the non-existent fanbois and then you had to come out with...
"Exploit? Who cares? It's only a little one"
From the article it would appear that everything runs as root on the iPhone so this exploit would, by extrapolation, be a root level attack. If you are a 'normal' user and value your privacy then this could be quite a serious issue.
What mitigates the situation is that, as the iPhone is treated very much like an iPod, firmware updates should be forthcoming and are likely to be applied to all devices at their subsequent sync with iTunes (in an ideal world).
Re: ‘Jesus Phone needs an exorcist’
Re: the line, "... the highly-revered device, which has been dubbed the Jesus Phone by its more blindly faithful users."
Not to be rude, but even Wikipedia's lame editors would expect you to cite your source for that one.
"If people are so obsessed in ruining an apple product..they shouldn't rely on total idiots to cause the infection to be possible."
Tell that to the phishers, spammers, 419ers, scammers, con-men, etc. who collectively earn billions solely by exploiting stupid people. Human stupidity is still the largest and most easily exploited security hole, and the developer still refuses to release a patch for it.
Try Googling +"jesus phone".
Matthew Sinclair: Not half as clever as he thinks he is. Hell, not even a tenth.
" After all.. it "Does" require a user to visit a maliciously coded site doesn't it?
Talk about stupidity from the get go...."
Right, because after all every malicious site is easily identifiable just by looking at the URL to a genius like you, yeh?
You're a smug complacent idiot. This is meant to be a mass-market device, hence suitable for less-than-entirely-savvy net users. Anyone can accidentally "browse a malicious site" no matter how fucking clever they're convinced they are, just by getting in the way of a hijacked-and-iframed adbanner.
" I'll even bet it's not a root level attack "
Woah. That's some pretty abysmal reading and comprehension skills you're showing there for a genius, given that it says very clearly in para. 4 that all attacks are root-level attacks on an iPhone because every single thing on an iPhone runs as root all the time.
ANTI-FALLACY-OF-FALSE-DILEMMA DISCLAIMER FOR THE ENLIGHTENMENT OF FANBOIS: Just because I mock Apple does not mean I like Microsoft, FFS! I laugh at all fanbois of WHATEVER loyalty. It's a consumer product, FCOL, and both Apple and MS are large corporations. They don't love you, they just want your money, and anyone who takes product loyalty seriously is very very sad and thoroughly pwned. Get a life and stop worshipping at the altar of consumerism. Cut off your designer labels. Finally, when you're truly ready to start thinking for yourself, you'll no longer be a fanboi.
"Try Googling +"jesus phone"."
Did. Didn't see it used as an affirmative term by anyone that I would classify as a "fanboy". Or are you classifying anyone who doesn't immediately shout "Apple sux!" whenever the subject comes up as a "fanboy"?
If the former exists, of a rabid Apple fan seriously referring to the iPhone as the "Jesus Phone", then the request for a citation stands; if it's the latter, then get a life, sonny.
Jesus Phone Citation
Not serious, but it made me laugh till it hurt!
(Is that David Beckham to the left of Steve Jobs?)
Give me a break
Wow... it's very telling to see all the window$ ppl attempting (in vain) to point out how superior their OS is. Just take a deep breath, and realize how stupid it sounds to suggest that OSX is anywhere close to being as insecure as Window$.
The iPhone will get hacked. Then Apple will patch it. Making $300 profit on each unit gives them quite a bit of coin to spend on this process. Also remember that it is running on *NIX foundations = roxing stability/security.
I don't have an iphone & I won't buy one at that price. But given what I've seen I'd take an iPhone over some POS windows mobile device.
You seem to fail to grasp the idea of a man (or person) hour. Supposing that there were just 4 people working in this team over 3 weeks, 215 hours is actually not very much at all. It just comes out to 4 hours per person per weeknight. And that's if they took weekends off. Add in some weekend work, and we're looking at roughly the amount of time that the average American spends watching TV in.
So yes, they might have gone without some mindless entertainment for 3 weeks, clearly they have no lives. I personally spend at least that much time doing useless things like writing Python bluetooth to CUPS interfaces so that I can print things out from my phone (which is actually quite a worthless thing to attempt,) and I work part time, go to grad school full time, and spend an unreasonably large amount of time with my girlfriend. And I have friends.
I know people that have obsessed for 6+ months to find one Windows local privilege escalation or some such - the iPhone is nothing special in the amount of effort that people will spend to find a flaw.
Re exploiting Apple or Windows flaws: Many hackers just hate Microsoft.
Something to consider:
Every hacker I've ever met (admittedly, they tend to be of the I-want-to-show-how-clever-I-am variety, or the I-want-to-get-back-at-someone variety, rather than the large-scale-con-artists-and-phishers variety) hates Microsoft. In fact, there is a whole community of "artist" hackers that admires stunts sabotaging Microsoft, but they don't admire stunts sabotaging Apple. I'm not saying Apple is 100% secure or invincible; it definitely isn't. Just that there are some motivations out there that you may not realize.
am i doin dis rite?