NYT reports on first announced iPhone vulnerability

Happy Monday, everyone; are you done reading Potter yet? Here's a somewhat less magical story for you. Today's New York Times includes an article with the utterly un-sensational headline "IPhone Flaw Lets Hackers Take Over, Security Firm Says" (yes, Times-style requires that even the 'i' in iPhone be capitalized in a headline), discussing the discovery of a buffer overflow exploit in Mobile Safari. The exploit, which can be triggered by browsing to a malicious page in Safari from the phone, reportedly allows the execution of arbitrary code, and could expose personal information to an attacker. The exploit is not in the wild and has been reported to Apple; full details are at the Independent Security Evaluators site.

Is this a very bad thing? Not necessarily; it's not a zero-day vulnerability, the research team is communicating with Apple, and there is no released exploit code out there in the big bad Internet that can currently zombify your iPhone. Unlike many smartphones, which may not have a frequent firmware update mechanism, the iPhone is syncing to iTunes constantly and can be updated at any point, so one would hope this gets patched rapidly. If you use some basic precautions (don't click mystery links, don't use unfamiliar wireless access) you should be covered if something like this ever sees general distribution.

Is this, on the other hand, a top-notch opportunity for some iPhone and Mac OS X security FUD from the Grey Lady? You betcha. Let's take a look at some of the assertions in the article, and compare them with both the claims of the vulnerability discoverers and the reality on the ground.


In the second paragraph, the Times story states that the exploit "could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code." If you read that they can hijack iPhones through a WiFi connection, that's pretty worrisome, right? Here's the real deal: if your iPhone connects to a malicious wireless network, and you surf to a web page (which the black hats replace with a poison page), you'd get the malware. Erica calls this the "Panera Bread" problem, where the bad guys set up an access point with the same name as a popular, trusted point. This exploit does not allow an attack from a remote machine on a shared WiFi network that is uncompromised; you'd have to connect to a WLAN specifically configured and owned to catch iPhones. If you use WiFi only when you have access to a trusted WLAN, you're in the clear on that score (if you click a mystery, malicious link, you're potentially affected regardless of your connectivity).

The exploit allows running arbitrary code, so both the Times and the exploit page suggest that this could theoretically be used to record and transmit room audio to an attacker. Only one problem with that plan: the iPhone's recording capability is itself theoretical at this point, and no application or sample code to do this is available.

You might think from reading the article that this vulnerability isn't only the first for the iPhone but the first ever reported on any smartphone anywhere. The Times quotes CS prof Steven M. Bellovin of Columbia University: "This looks like a very genuine hack." Bellovin goes on to mention that he "suspected that phones based on the Windows mobile operating system would be similarly 'attackable,' though he had not yet heard of any attacks." Dr. Bellovin must be unfamiliar with a technology called Google, which revealed reports of vulnerabilities both in IE for Windows Mobile and in MMS, which could be exploited simply by the recipient opening a malicious message. Even the corporate-friendly Blackberry platform has a security problem, where the Blackberry Enterprise Server could open a back-channel for evil Java apps to target internal systems. The only thing extraordinary about an iPhone vulnerability is the publicity to be gained by discovering one.

It's also interesting to read the comments of ISE founder Aviel Rubin (who, to his credit, also insists that he's keeping his iPhone: "You'll have to pry it out of my cold, dead hands to get it away from me") about the relative security of Apple products.

[Rubin said] the research was not intended to show that the iPhone was necessarily more vulnerable to hacking than other phones, or that Apple products were less secure than those from other companies. "Anything as complex as a computer - which is what this phone is - is going to have vulnerabilities," he said.

There are far more viruses, worms and other malicious software affecting Windows systems than Apple systems. But Mr. Rubin said that Apple products have drawn fewer attacks because the computers have fewer users, and hackers reach for the greatest impact.

"Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows," he said. "The other 5 percent have enjoyed a honeymoon that will eventually come to an end."


Never mind the fact that an article about the iPhone as a malware target has suddenly turned the corner into discussing Mac OS X vulnerabilities (and apparently Dr. Rubin has a bad case of "Can't Remember That Apple's The Company And Mac OS X is the OS" disorder), although that's certainly a bit of journalistic whiplash. The real problem here is that he's stating a theory of Mac OS X security that has been thoroughly discredited.

I could go on and on about the "Mac OS X has security by obscurity" argument; many security researchers who are otherwise clever folk but apparently not experts in population statistics continue to repeat this canard. One would think, however, that the Times could at least run that quote by their own computer columnist, who disavowed the argument back in 2003 and again last year (comparing OS X and Windows XP at the time; the malware score is still something on the order of 3 to 200,000+). Plenty of other reputable sources have debunked the myth of security by obscurity, so no need to repeat that here. We can summarize by paraphrasing Mr. Rubin himself: Windows XP gets hacked all the time not only because it is more insecure than Mac OS X, but because malicious parties can profit by the exploitation. The Mac OS X and iPhone honeymoon may come to an end, but it would take a lot of malware to get even close to the stuff that Windows XP users have to put up with.

Anyway, let's be careful out there. Bring extra pinches of salt for your morning paper.

Thanks Nick