Information Security News: IPhone's Security Rivals Windows 95 (No, That's Not Good)

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/politics/security/news/2007/10/iphone_windows

By Kim Zetter 
Wired.com
10.23.07 

With Apple's announcement Monday that it shipped 1.12 million iPhones in 
the three months after its launch, the gadget's apparent popularity 
rivals some PCs. That has security experts warning of trouble, following 
revelations that Apple built the iPhone's firmware on the same flawed 
security model that took rival Microsoft a decade to eliminate from 
Windows.

"It really is an example of 'those who don't learn from history are 
condemned to repeat it'," says Dan Geer, vice president and chief 
scientist at security firm Verdasys.

It wasn't long after Apple released the iPhone in June that researchers 
discovered that every application on the device -- from the calculator 
on up -- runs as "root," i.e., with full system privileges. As a result, 
a serious vulnerability in any of these applications would allow hackers 
to gain complete control of the device.

The same problem in Windows played a big role in stoking a plague of 
internet malware-production that began with the Melissa virus in 1999, 
and continues with the malicious Storm worm today.

With the limited bandwidth of the iPhone, malicious code would be 
unlikely to slow portions of the internet. But malware could wreak 
creative havoc of a different kind. It might, for example, cause a phone 
to call numbers without the user's knowledge, seize text messages and a 
list of received and sent calls, turn the phone into a listening device, 
track the user's location through nearby WiFi access points, or instruct 
the phone to snap photos of the user's surroundings -- including any 
companions who may be in view of the camera lens.

Apple announced last week that it plans to release a 
software-development kit in February, to open the way for third-party 
developers to create applications for the iPhone. More applications, 
though, invariably means more attack routes for hackers. Apple CEO Steve 
Jobs said in his announcement that the company was taking time to 
release the SDK to deal with security issues, suggesting that a future 
operating system update to the phone might only run applications 
approved and digitally signed by Apple.

But this wouldn't solve all of the security problems.

"As long as everything runs as root, there are going to be bugs and 
people are going to find them (to take over the device)," says Charlie 
Miller, principal security analyst for Independent Security Evaluators, 
who, with colleagues, discovered the first reported bug with the iPhone 
earlier this year. The bug, found in its Safari browser, would have 
allowed hackers to take control of a phone. The researchers criticized 
Apple in their paper (.pdf) for designing iPhone applications to run as 
root.

Although Apple issued a fix for the Safari vulnerability in July, the 
company never responded to criticism about the root problem with its 
phones. Apple also didn't respond to calls from Wired News for this 
story.

Last week, H.D. Moore, a security researcher who developed the 
Metasploit Framework security and hacking tool, posted information on 
his blog about a vulnerability in the iPhone's tiff library that is used 
by the phone's e-mail , browser and music software. He also supplied 
detailed instructions on how to write code to exploit the bug and 
provided an exploit to gain remote control of an iPhone.

Computer security professionals call the iPhone design flaw a 
fundamental mistake, and say that Apple should have known better.

"The principle of 'least privilege' is a fundamental security 
principle," says Geer. "Best practices say that if you need minimal 
authority to do (something on a system), then you don't need to have 
more authority than that to get it done."

Microsoft has been roundly criticized for years for releasing early 
versions of its Windows operating system with administrative privileges 
automatically enabled. This gave hackers who gained access to Windows 
machines complete privileges to modify the operating system and take 
control of the machine.

It took a while for the company to get the message, but Redmond finally 
closed the hole with its Vista operating system this year, which 
included a User Account Control feature to control the level of 
privileges required for various functions on a Vista machine.

"I guess Apple hadn't learned those lessons and is now going to learn 
them the hard way," says Geer.

Miller says that Apple will need to redesign the entire firmware to fix 
the problem -- which would require owners to install a pretty hefty 
update.

"If you start from the beginning with security in mind and you design 
your product thinking about security as you go, it's not really any 
harder to design a secure product than an insecure product," he says. 
"Once you've already got it out in everyone's hands, it's a little 
harder to go back and add security. And that's really what they need to 
do at this point."


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com