[Infowarrior] - IPhone's Security Rivals Windows 95 (No, That's Not Good)

Richard Forno rforno at infowarrior.org
Wed Oct 24 18:11:14 UTC 2007


IPhone's Security Rivals Windows 95 (No, That's Not Good)
By Kim Zetter 10.23.07 | 8:20 AM
http://www.wired.com/politics/security/news/2007/10/iphone_windows

With Apple's announcement Monday that it shipped 1.12 million iPhones in the
three months after its launch, the gadget's apparent popularity rivals some
PCs. That has security experts warning of trouble, following revelations
that Apple built the iPhone's firmware on the same flawed security model
that took rival Microsoft a decade to eliminate from Windows.

"It really is an example of 'those who don't learn from history are
condemned to repeat it'," says Dan Geer, vice president and chief scientist
at security firm Verdasys.

It wasn't long after Apple released the iPhone in June that researchers
discovered that every application on the device -- from the calculator on up
-- runs as "root," i.e., with full system privileges. As a result, a serious
vulnerability in any of these applications would allow hackers to gain
complete control of the device.

The same problem in Windows played a big role in stoking a plague of
internet malware-production that began with the Melissa virus in 1999, and
continues with the malicious Storm worm today.

With the limited bandwidth of the iPhone, malicious code would be unlikely
to slow portions of the internet. But malware could wreak creative havoc of
a different kind. It might, for example, cause a phone to call numbers
without the user's knowledge, seize text messages and a list of received and
sent calls, turn the phone into a listening device, track the user's
location through nearby WiFi access points, or instruct the phone to snap
photos of the user's surroundings -- including any companions who may be in
view of the camera lens.

Apple announced last week that it plans to release a software-development
kit in February, to open the way for third-party developers to create
applications for the iPhone. More applications, though, invariably means
more attack routes for hackers. Apple CEO Steve Jobs said in his
announcement that the company was taking time to release the SDK to deal
with security issues, suggesting that a future operating system update to
the phone might only run applications approved and digitally signed by
Apple.

But this wouldn't solve all of the security problems.

"As long as everything runs as root, there are going to be bugs and people
are going to find them (to take over the device)," says Charlie Miller,
principal security analyst for Independent Security Evaluators, who, with
colleagues, discovered the first reported bug with the iPhone earlier this
year. The bug, found in its Safari browser, would have allowed hackers to
take control of a phone. The researchers criticized Apple in their paper
for designing iPhone applications to run as root.

Although Apple issued a fix for the Safari vulnerability in July, the
company never responded to criticism about the root problem with its phones.
Apple also didn't respond to calls from Wired News for this story.

Last week, H.D. Moore, a security researcher who developed the Metasploit
Framework security and hacking tool, posted information on his blog about a
vulnerability in the iPhone's TIFF library that is used by the phone's
e-mail, browser and music software. He also supplied detailed instructions
on how to write code to exploit the bug and provided an exploit to gain
remote control of an iPhone.

Computer security professionals call the iPhone design flaw a fundamental
mistake, and say that Apple should have known better.

"The principle of 'least privilege' is a fundamental security principle,"
says Geer. "Best practices say that if you need minimal authority to do
(something on a system), then you don't need to have more authority than
that to get it done."

Microsoft has been roundly criticized for years for releasing early versions
of its Windows operating system with administrative privileges automatically
enabled. This gave hackers who gained access to Windows machines complete
privileges to modify the operating system and take control of the machine.

It took a while for the company to get the message, but Redmond finally
closed the hole with its Vista operating system this year, which included a
User Account Control feature to control the level of privileges required for
various functions on a Vista machine.

"I guess Apple hadn't learned those lessons and is now going to learn them
the hard way," says Geer.

Miller says that Apple will need to redesign the entire firmware to fix the
problem -- which would require owners to install a pretty hefty update.

"If you start from the beginning with security in mind and you design your
product thinking about security as you go, it's not really any harder to
design a secure product than an insecure product," he says. "Once you've
already got it out in everyone's hands, it's a little harder to go back and
add security. And that's really what they need to do at this point." 



