Friday, July 31, 2009

Epic security fail at Apple

Suppose you were a security guy at Apple. Suppose someone told you that a Bad Guy could take over anyone's iPhone just by sending it an SMS text message:
"Researchers have uncovered a bevy of vulnerabilities in smart phones made by multiple vendors, including one in Apple's iPhone that could allow an attacker to execute malicious code without requiring the victim to take any action at all. The iPhone bug allows an attacker to take complete control of the coveted device simply by sending the owner an SMS, or short message service, message, said Charlie Miller, principal analyst at Independent Security Evaluators."
You'd think that someone would have thanked him for pointing this out, and rushed quick-like-a-bunny to get a patch, right? You'd think wrong:
"He said he informed Apple's security team of the vulnerability several weeks ago and has yet to receive an official response."
Two words: Bush League.

It's Black Hat time again, as in the Black Hat Briefings, as in the world's premier security conference. Good security news a-comin' for the next bit.

Except from Apple. Even worse, the problem is caused by a rookie mistake in their code:
"The bug resides in CommCenter, a service that's responsible for handling SMS, wireless and other functions in the iPhone. By default, it runs as root and isn't limited by an application sandbox. That makes it an ideal vector for taking control of the device. What's more, the messages are delivered automatically and often aren't easy for users to block."
This is why privilege is bad, mkay? Of course, both my regular readers already knew that.

So, your Jesus phone (and mine, too) can be pwned by any old Tom, Dick, or Harry, without me knowing about it or having to do anything, remotely. And Apple won't answer the phone. K3wL.

This says something really, really bad about Apple security. Nobody's home, nobody's listening, and nobody (maybe) will do something if there's a problem. There's an arrogance, and a sense that Bad Things only happen to other people that is really quite extraordinary.

Hey Apple, think different. Than you do right now, I mean.

UPDATE 31 July 2009 08:01: Added link to The Register. That's what I get for doing up the post at 11:30 at night ...

UPDATE 31 July 2009 17:02: Apple has a fix in iTunes 3.0.1. Connect your phone to your PC and click "Check for Update" in iTunes. So well done, Apple.


Another Gun Guy Brian said...

I follow Zero-day and a couple of other net-security related blogs and you actually scoop them by days (if not weeks) sometimes.

You can stop with the whole "2 reader" thing. I've been trolling here for quite some time. That makes at least 3.

Borepatch said...

Brian, thanks. I'm paid to keep up with what's happening, but thanks.