Debunk: Yes, Virginia, the iPhone libtiff exploit can also be used for mischief
We're not really certain why anyone's surprised by the iPhone libtiff exploit at this point -- it's the entire basis of the 1.1.1 jailbreak, after all -- but apparently Fast Company didn't get the memo, because it just posted up this video of "self-employed security consultant" Rik Farrow using the 'sploit to surreptitiously install a voice recorder on an unpatched 1.1.1 iPhone. That would have been huge news when the iPhone first came out, obviously (and look at that -- it was) but FC and Rik are a little late, here: the libtiff exploit has already been patched, first by the Jailbreakme 1.1.1 web-jailbreak and then by Apple in the 1.1.2 update. There's no doubt that it's a serious vulnerability -- and Rik's confidently paranoid tone in this video makes it a must-watch -- but it's funny to see people get all worked up over a patched security hole hackers have been exploiting on a variety of devices for some time now.
Reader Comments (Page 1 of 2)
Fernando @ Nov 16th 2007 7:15PM
lol @ ipwn
Hypenotist @ Nov 16th 2007 7:24PM
Somehow I'm less afraid of a hacker wiretapping my phone than a government official with a sweeping license to kill and creep via the Patriot Act...
1.0.2 for life nigga!
Leopard Nimrod @ Nov 16th 2007 7:32PM
And 1.0.2 prevent this how?
Hypenotist @ Nov 16th 2007 8:14PM
because I don't have to use AT&T, the FBI and CIA's favorite source for listening in on every phone convo grandma and every other self-respecting person has a constitutional right to, written in the United States Constitution of America, to privacy! Duh? Need I say more sheepfucker?
Hypenotist @ Nov 16th 2007 8:25PM
and to answer yes 1.0.2 matters because it was the first commercial release of iPhone firmware after they announced the 200 amereuro price drop. It is significant because most third party apps worth half a shit were derived during this period also. 1.1.1 proceeded to further break functionality of these applications to patch a fictional security flaw that this farce of a story covers. i.e. some guy uploading a tiff image through wifi to your phone which is a joke in and of itself to get you stupid fucks to upgrade to a locked state.
This guy is probably hired by apple anyway.
Hypenotist @ Nov 16th 2007 8:39PM
and furthermore he has to have installed ssh on the iphone for this to work...
So this is in fact an ad from apple to get you to upgrade to apple due to the new AT&T service where you don't even have to use T-Mobile for a good plan. Is it coincidence that they just made available a -$20 for non edge data phones???
No it is not. This is a fear tactic.
Even if this Skeletor looking grey haired buffoon tried to tiff exploit my phone I'd laugh at all the shit he would record. Possibly me taking a horrible dump after a night of heavy boozing and dehydration. Maybe he would install something I can't see (which is nothing because I have access due to 1.0.2 firmware to all processes running on my OS at any time)
I've made my case.
This is fear tactics to get people to upgrade and brick phones.
Steve and the rest=full FAIL
thethirdmoose @ Nov 17th 2007 12:31AM
let me guess...
9/11 was planned by Bush
JFK was killed by the Cuban Mafia
The moon landings were staged
Paul is dead
There are aliens at Area 51
Did I miss any?
Kizorblade @ Nov 17th 2007 2:04AM
Oh, they're going to Iraq for liberating the people there. That's a big conspiracy
Grey Acumen @ Nov 17th 2007 9:33AM
@thethirdmoose
The government puts fluoride in my drinking water!
rTwelve @ Nov 16th 2007 7:43PM
The camera angle in the first 8 seconds of this video is incredibly unnecessary.
Dan Parmelee @ Nov 16th 2007 8:10PM
This whole video is unnecessary, lol.
w00fy @ Nov 16th 2007 8:04PM
Because Apples are perfect... duh!!!! All issues are the fault of the ignorant n00b!!!
All kidding aside, all OSes are exploitable and have weaknesses whether it is MS Windows, Apple OSX, or various flavors of *nix. Heck, "unbreakable" Oracle is a rat's nest of security issues. There are flaws in OSX but they just have not been exploited or discovered yet.
Big Microsoft security flaws make easy news since many people have at least one Windows based system in their homes and many work on a Windows based system at work. Plus the malware creators want to hit a huge number of systems at once and make an impact when they look for code viruses, trojans, and worms.
The iPhone is a victim of its own success. Lots of publicity has put it on the radar of those seeking to gain from the iPhone's popularity. While the TIFF buffer overflow was used for "good," it was only a matter of time before it was used for something bad.
Before the fanboys from various sides swarm and sling their death threats, I am in charge of a network of 500+ *nix, MS Windows, and OSX servers. There are patches to close security holes for all the above OSes along with the apps that run on top of them.
fincan @ Nov 16th 2007 8:04PM
Well Nilay Patel, clearly you are not an infosec person but to say the least, not everyone is updating their phones regularly, and I have just bought an iPhone yesterday and it came with 1.1.1
majortom @ Nov 16th 2007 8:05PM
those eyes scream........ "tox screen"!
GregA @ Nov 16th 2007 8:26PM
Wow, Engadget takes a cue from Karl Rove and puts this in their Friday night news drip so as to minimize damage to Apple. You guys sure you are not on Apple's payroll?
SebS @ Nov 16th 2007 8:40PM
What's up with the recording the guy made? The file he played didn't match what he was saying when he recorded it.
clak @ Nov 16th 2007 9:01PM
You guys are missing the point. Any security on a computer or device can be exploited if the hacker has physical access. That's the most basic principle of computer security. It's not whether an operating system has exploits and security holes, but whether those security holes can be exploited remotely, i.e., over an open internet connection.
With Windows, most hackers found out that yes, it was easy to hack Windows remotely for a variety of reasons, mostly because Microsoft left ports completely open and allowed every user to run as root. Windows also didn't require authentication during installation, opening itself up to mountains of malware. Internet Explorer exposed lots of users to viruses by automatically executing ActiveX plugins.
In OS X, on the other hand, you don't run as root and you need authentication to install anything on the system. And the Mail client does not execute scripts hackers send in e-mails. It has a completely different design architecture.
GregA @ Nov 16th 2007 9:06PM
clak,
The Safari exploit must have happened so fast you missed it. He roots the iPhone with a web link. After that he is in total control of the iPhone, no local access is needed.
clak @ Nov 16th 2007 9:51PM
No, I didn't miss that, but he's using an exploit that has already been patched. That is the whole point of the article here. My point is, you got these Microsoft fanboys coming on here saying that because there was an exploit for the iPhone, there must be exploits for OS X. While the iPhone runs everything at root, OS X does not. They are completely different animals. And that's exactly why Apple has avoided releasing an SDK for so long. They want to get the security aspect right.
I'm not saying there aren't exploits yet to be discovered on OS X, but the harm you can do once you gain access to OS X is drastically different than the harm you can do on a swiss cheese OS like Windows XP. Most of the security faults in Windows would be nullified by throwing away the registry and incorporating a level of authentication (not Allow/Deny but full password authentication) for critical tasks. Of course, I haven't used Vista yet, so maybe some of the exploits I mentioned have been fixed, but the majority of users still use XP.
GregA @ Nov 16th 2007 10:14PM
clak,
No you are simply mistaken. Once this exploit is run via libtiff or whatever the jailbreak exploit is in the latest flavor, the iPhone is rooted. That is not as bad as XP or Vista, it is worse. Even worse, the iPhone does not have any of the security infrastructure in place to prevent damage. No firewalls, no sandboxes, nothing. This is a complete and total rooting of the operating system, the security in the iPhone is more on par with Windows 95, just forget about XP like security for the time being. The guy covers it in very fine detail on his metasploit blog.
clak @ Nov 16th 2007 11:13PM
First of all, the point I have been trying to make is that security problems on the iPhone do not necessarily indicate security problems on OS X, as the MS fanboys immediately try to suggest whenever a story like this appears. OS X has had an open development platform for a while now. The iPhone has not. While I've already acknowledged that the iPhone runs at root, you're mistaken in claiming that the iPhone doesn't have a firewall or isn't sandboxed. No report I have seen backs up that statement (if I am wrong, provide your sources for that assertion).
While it is certainly possible, I personally believe there is no firewall simply because the iPhone has a closed environment, which is incidentally the same reason it runs as root. When the SDK comes out and the iPhone is officially open, that is likely to change. In fact, mark my words, application signing and permission levels will be some of the first features implemented in the SDK.
Jim @ Nov 16th 2007 11:40PM
The misinformation campaign of Apple and its fanboys never stops. Are you comparing Windows 98 with OSX? Besides, application signing originated from Windows.
The Chickening @ Nov 17th 2007 1:56AM
What? A hacker who gets physical access to my iPhone can do damage to it? Say it ain't so!
I believe an idiot with a hammer can also do damage if he has physical access to it, and he'll do it in a lot fewer steps than this crazy lookin' coot demonstrates.
GregA @ Nov 17th 2007 10:03AM
Clak,
If you had minimally informed yourself about iPhone security you would know it does not have a firewall. Since you seem ignorant of that basic fact, I am forced to dismiss everything else you say. The simple fact of the matter is, the iPhone would not be threatened right now (this exploit would not work) if Apple had taken basic security precautions into consideration when designing the iPhone, and included a firewall. Considering how badly the security on the iPhone is botched (and it is) I think you need to re-evaluate Apple's security in general.
For example, Apple's recent release of Leopard has some basic security issues with their firewall! Well Duh, without a firewall OSX is vulnerable. Just accept that. Because also included in the last round of patches were privilege level escalation fixes. Which means Leopard computers were not exploited only because no one tried.
Is OSX now the lowest hanging fruit? I honestly do not know. However given the lack of hubris on Apple users and Apple itself on this matter I will rue the day it does become the lowest hanging fruit.
It is basically apparent that Apple has managed this exploit news to be released on Friday evening to minimize the impact on their stock. As a self-professed OSX security researcher, your hair should be on fire. Apple should be dealing with these issues up front and out in the open. They are not.
Get ready! Because it is comin.
clak @ Nov 17th 2007 2:55PM
Has anyone noticed that GregA finally posted this reply to a comment I made 11 hours ago?
clak @ Nov 17th 2007 12:51AM
I didn't want to resort to personal attacks, but some of you Windows fanboys are absolute morons. It is a common delusion among fanboys that Microsoft invented everything in existence. Code signing was invented by Verisign, a concept which was heavily encoded into Windows XP for all the reasons I've been talking about. Microsoft has always stunk at security. In fact, Windows Mobile didn't even have code-signing until Microsoft enlisted the help of GeoTrust, a company which, incidentally, was later bought out by Verisign.
At any rate, why are you deflecting to a false premise that has nothing whatsoever to do with what I've been discussing? Who cares who invented it?
And let me ask you a question, Jim: there are millions of Microsoft clones just like you who hate Apple users with a passion and yet not one of you guys has hacked OS X. Why not? Yeah, yeah, I know the old argument about market share and the whole security through obscurity myth, but you would think that at least one hacker would hack into OS X or write a virus for OS X, just to be able to say "I'm s0 1337 taht i pwn ur @ss n00bs!"
The simple fact that it hasn't happened makes me believe that many have tried and failed.
Jim @ Nov 17th 2007 1:37AM
If OSX is truly so secure as you claimed, why does it start to have code signing, a concept first implemented in Windows? The point is, OS exploits do so through poorly implemented third-party applications executed with root privilege. In that sense, OSX is not more or less secure than Vista.
Cormin @ Nov 17th 2007 1:47AM
Jim, you got owned... and I don't even own a mac
I'm pretty much for both of them, Microsoft because the market and everything has shifted in their direction... also I love macs not only for style, but being so damn stable. Woot for both!?
I have to admit, I love the iPhone, Leopard, hell even OS10... yet I don't own either one
I like being able to slowly upgrade my PC part by part, I hate the feeling of buying one system and pretty much only being able to upgrade the hdd and ram (I hope I'm wrong, that that's all you can upgrade)
Jim @ Nov 17th 2007 2:05AM
Cormin, I understand. I have to admit Steve Jobs is truly a marketing genius. He should have been in those late night TV infomercials instead of wasting his life in Apple, being seen by the public only a few times a year.
clak @ Nov 17th 2007 2:14AM
I must have rattled you, Jim, because now you're just blurting out nonsense. You're questioning why Apple incorporates good security design into their operating system, rather than the way Microsoft does it, which always an afterthought?
Unlike XP, Mac users didn't have to wait for to Service Packs for Apple to get it right. And I don't know if you read my last comment, but Microsoft DID NOT invent code signing. Variants of code signing have existed since the seventies and you would have to understand OS X's Unix heritage to fully grasp the subtleties, but something tells me you're not the type of guy that would fully understand, so you'll just have to trust me. LOL.
Jim @ Nov 17th 2007 2:21AM
If you have ever used Vista once (assuming you are smart enough to use it that is), you wouldn't be blurting out such nonsense that OSX (or Linux, Unix whatever) is more secure than Windows.
clak @ Nov 17th 2007 2:24AM
Crap, I'm so sleepy that I can't even write straight. Should have read:
I must have rattled you, Jim, because now you're just blurting out nonsense. You're questioning why Apple incorporates good security design into their operating system, rather than the way Microsoft does it, which (is) always an afterthought?
Unlike XP, Mac users didn't have to wait for (2) Service Packs for Apple to get it right. And I don't know if you read my last comment, but Microsoft DID NOT invent code signing. Variants of code signing have existed since the seventies and you would have to understand OS X's Unix heritage to fully grasp the subtleties, but something tells me you're not the type of guy that would fully understand, so you'll just have to trust me. LOL.
GregA @ Nov 17th 2007 10:10AM
Clak,
The firewall did not work on the release version of Leopard. Your quality assurance assumptions are way off base.
Caffeine Addict @ Nov 17th 2007 1:35AM
Dudes, chill out. It seems that every time Microsoft or Apple get mentioned, the comments degenerate into a war between the two bases, and it's really starting to get old. It would be nice to come into an article about Microsoft/Apple and see comments about the article and what is in it, rather than people bickering about which is better/worse/more secure/etc.
Just my $0.02 worth.
clak @ Nov 17th 2007 2:31AM
You chill out. This is exactly why we have a comment section, so that people can discuss, real civil like, the intricacies of their favorite computers. I got out of hand a bit, because I abhor ignorance, but I think I've made my point regardless, but thanks for your concern.
I'm sure none of what I just said will make any sense tomorrow morning. I'm tired. Mostly of fanboys. But I'm really, really tired.
Cormin @ Nov 17th 2007 1:50AM
Dear Engadget, I say we make a post only for Microsoft vs. Apple wars...
"Ladies and Gentlemen, Let's get ready to rumble!"
There needs to be a spot for this, it happens a lot.
dave @ Nov 18th 2007 6:37AM
wouldn't happen if engadget asked for it. it has to be in a post with a tiny reference to either os "iphone libtiff exploit...hmmm...the iphone runs mac! let's troll away into the night!" or something like that
mac pwns at most things. the only reason people use windows is because they either a)think they need to or b)play video games or have a task that truly can't be done in mac
i own a 24" imac and it hurts to use windows when i have to. in my opinion there are no "windows fanboys", or at least not very many, there are only those who need it and loathe it and those who know no better. oh and trolls of course. damned trolls. how did they ever figure out how to get on engadget?
Jim @ Nov 17th 2007 2:14AM
As for code signing, who is the copycat? And Apple is constantly saying others are copying?
clak @ Nov 17th 2007 2:19AM
Jim, you're just digging a bigger hole for yourself when you keep suggesting that Microsoft invented code signing. Next thing you know, you'll claim that Microsoft invented the longer lasting light bulb.
Jim @ Nov 17th 2007 2:25AM
I am saying, Windows first brought code signing to OS level as a security feature. Can't you Apple fans even read, for god's sake!
clak @ Nov 17th 2007 2:34AM
Oh Geez! Okay, Jim, whatever. Microsoft invented computers, the internet, softcore porn, and Gary Coleman. I would ask you for a source, but why bother. Good night all.
clak @ Nov 17th 2007 3:12AM
I tried to go to sleep, but I just couldn't let it stand. I finally understand what has been lost in translation. You're under the impression, Jim, that Apple stole code signing from Windows. What I have been TRYING to get across to you is that Apple inherited a variant of code signing (look up something called cryptographic hash function) when they decided to incorporate Unix (actually NeXT Step, but let's not split hairs), a 38 year old operating system that is very secure and stable.
OS X has always had good security from the ground up. If you look at Microsoft's history, they really didn't get serious about security until 2003, which is the year Service Pack 2 was released.
Okay? Got that? Good. Pleasant dreams.
Jim @ Nov 17th 2007 3:44AM
Cryptographic hashing was not invented by anybody (just like multi-touch which Apple claims they invented). The idea came from many years of academic research in computer science and mathematics. But just like I recognize Apple brought multi-touch to the public, you should also recognize what Windows did to code signing. Otherwise why is OSX just starting to have it now when the basic functionality has been in the code that OSX is based on for so many years?
Jim @ Nov 17th 2007 3:20AM
OK now we are on the same page. Pre-Vista Windows is indeed less secure. But Apple conveniently ignores the fact that Vista is now as secure as an OS can be and constantly resorts to smear campaigns (the one and only tech company that uses this tactic), which sickens me.
clak @ Nov 17th 2007 10:01AM
No, I don't think we're on the same page. You keep saying that Microsoft popularized code signing, when I'm saying that Apple had code signing from the very beginning and for many years BEFORE Microsoft implemented it into Windows. That is one reason (there are many others) why malware and adware have never become an issue with Macs. When Microsoft finally decided to use code signing, they didn't develop it in-house, they simply used a method that was already commercially available on the market.
NeXT, the company that Steve Jobs started when he left Apple, developed an operating system called NeXTstep, which was based on BSD (Berkeley Software Distribution) Unix. Apple bought out NeXT in 1996 and Jobs returned as CEO. During the intervening years, Jobs used NeXTstep as the foundation for OS X, which Apple finally released in 2001 (months before XP, I might add), although the very first version, Mac OS X Server 1.0, was released in 1999.
So code signing on Windows and code signing in OS X have absolutely nothing to do with each other. And by all accounts, Steve Jobs had incorporated Unix security technology into the operating system that would become OS X a full decade before Microsoft released XP (in 1989).
I also would like to add that the World Wide Web, the hypertext markup language that popularized the internet, was developed on a NeXT computer by Tim Berners-Lee. I just wanted to mention that in case you were under the delusion that Microsoft had something to do with starting the internet revolution.
That's one of the reasons I admire Steve Jobs. He single handedly created the personal computer revolution, he revolutionized computer animation with Pixar and he indirectly created the internet revolution, while all Microsoft has done, is copy his innovations. Now with the iPhone, he's set to revolutionize the cell phone market as well.
clak @ Nov 17th 2007 10:40AM
It also seems to me, Jim, that you're confusing basic distributed code signing with application signing, which is fundamentally different. By all indications, Apple is going to use the application signing popularized by Nokia, which involves certificates being issued by a certification authority, which verifies that the application in question has been tested against a commonly accepted test criteria and then certified. The distribution of such a system will no doubt be handled exclusively by iTunes, which will completely nullify attempts to execute code on the iPhone through other means, such as over an open internet connection.
The code signing you're probably referring to would have more in common with authenticode technology that Microsoft has been using in Internet Explorer since version 5 (1999).
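An added illustration (not from this thread, and not Apple's, Nokia's or Microsoft's actual format) of the CA-issued application signing model clak describes above: a certification authority signs a developer's key, the developer signs the digest of the application, and the device refuses anything whose chain does not verify. Ed25519, SHA-256 and the struct layout are assumptions; real schemes carry X.509 certificates and revocation, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeveloperCert is a toy stand-in for a CA-issued certificate: the CA's
// signature over the developer's public key (assumed format, not a real one).
type DeveloperCert struct {
	DeveloperPub ed25519.PublicKey
	CASig        []byte
}

// SignedApp bundles code, the developer's cert and the developer's signature
// over sha256(code).
type SignedApp struct {
	Code []byte
	Cert DeveloperCert
	Sig  []byte
}

var ErrUntrusted = errors.New("application rejected: signature chain does not verify")

// IssueCert is the CA step: it vouches for a developer key (e.g. after the
// developer's app passed the CA's test criteria).
func IssueCert(caPriv ed25519.PrivateKey, devPub ed25519.PublicKey) DeveloperCert {
	return DeveloperCert{DeveloperPub: devPub, CASig: ed25519.Sign(caPriv, devPub)}
}

// SignApp is the developer step: sign the digest of the exact bytes shipped.
func SignApp(devPriv ed25519.PrivateKey, cert DeveloperCert, code []byte) SignedApp {
	digest := sha256.Sum256(code)
	return SignedApp{Code: code, Cert: cert, Sig: ed25519.Sign(devPriv, digest[:])}
}

// VerifyApp is the device-side check run before anything executes: the CA
// must vouch for the developer key, and that key must sign these exact bytes.
func VerifyApp(caPub ed25519.PublicKey, app SignedApp) error {
	if !ed25519.Verify(caPub, app.Cert.DeveloperPub, app.Cert.CASig) {
		return ErrUntrusted // cert not issued by the trusted CA
	}
	digest := sha256.Sum256(app.Code)
	if !ed25519.Verify(app.Cert.DeveloperPub, digest[:], app.Sig) {
		return ErrUntrusted // code modified after signing, or wrong signer
	}
	return nil
}

// Demo builds a constructed scenario and reports whether each app verifies:
// a genuine signed app, the same app with bytes altered, and an app from a
// developer whose "cert" was never issued by the CA.
func Demo() (genuineOK, tamperedOK, rogueOK bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(caPriv, devPub)
	genuine := SignApp(devPriv, cert, []byte("constructed sample app v1"))

	tampered := genuine
	tampered.Code = []byte("constructed sample app v1 + altered bytes")

	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert := IssueCert(roguePriv, roguePub) // self-signed, not CA-issued
	rogue := SignApp(roguePriv, rogueCert, []byte("constructed rogue app"))

	return VerifyApp(caPub, genuine) == nil,
		VerifyApp(caPub, tampered) == nil,
		VerifyApp(caPub, rogue) == nil
}

func main() {
	g, t, r := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "rogue:", r)
}
```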
Leopard Nimrod @ Nov 17th 2007 1:31PM
GregA wrote, "It is basically apparent that Apple has managed this exploit news to be released on Friday evening to minimize the impact on their stock"
Clak mentioned it several times as did Engadget. This is NOT new info. Apple did not convince anyone to delay releasing this "news" until a Friday. The hackers exploited this weakness in the iPhone well over a month ago, maybe two.
GregA @ Nov 17th 2007 10:10AM
The chickening,
Physical access to your iPhone is not needed. The hacker only needs you to click on a link with a well designed payload.
clak @ Nov 17th 2007 10:44AM
You seem to be talking about trojans. The guy in the video uses an EXPLOIT to gain access to an iPhone that hasn't been updated with the latest firmware.