
10.11.2007

Took long enough...

No, I'm not talking about how long it's been since our last blog post, I'm talking about the iPhone.

I can't say I'm really surprised, except maybe that it took so long, but the iPhone hacking teams have announced a major remote exploit for the iPhone/iTouch. It's a file parsing exploit, the way many of us expected it would happen, remotely exploitable via a malicious .tiff file. It appears that this was created to make it possible to remotely unlock iPhones (a dubious prospect at best).

For all the interest that the information security community had in the iPhone before it came out, I've been shocked at how little has come out of our community. It's shocking that the majority of the "exploit" activity on the iPhone has come from the traditional hackers, those who just seek to expand functionality. These "hacks" have been created to compensate for the lacking API, not by those attempting to compromise this information-rich device. Maybe good is stronger than awesome.

More info here and the actual malicious tiff here.

7.10.2007

Another iPhone Security Perspective

Alright, I promise, last iPhone post, at least from me.


The fine folks over at Symantec's Security Response group are apparently taking a look at the iPhone from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (see: iPhone sounds a lot like iPwn), and with good reason. It would seem that Apple hasn't been as cavalier with their AJAX/iPhone integration as early reports suggested. For now that seems like good reason, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.

So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...

7.06.2007

iPh0n3: And so it begins...

From TUAW:

"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."

I don't think anyone is really surprised that this happened. I know many people who believe that Apple actually encourages this type of behavior, evidenced by the ease of cracking into the AppleTV and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.

Protection/hackability philosophy aside, I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular OS X, add in some of the features found in other high end phones, and you really have a be-all device. Truth be told, I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.

That being said, I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? TextMate for iPhone? Are you listening, Apple? I want to be able to play next year's CTF qualifier on the Metro.

6.13.2007

iPhone sounds a lot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone from a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.

My overall take on it? I've had a number of smartphones, and aside from making calls I mostly just used the browser. As for other applications, after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone, I truly believe that the killer app will be Safari itself, if it's all that Steve has tried to demonstrate it to be, which it may or may not be. I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smart phones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi-paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other), you create a new problem: web pages can have amazing integration with your personal phone. Let me rephrase that: advanced applications, running from remote servers, with both instructions and data, which have already been shown to have concerning security issues, will be able to run on your iPhone and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all of those hold only most of the time. There are plenty of side effects of current web technology that make a security researcher pull their hair out, and that's all inside the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.

It would seem, based on current information, that Apple is deliberately adding such features, creating a potential security nightmare by deliberately adding the ability for web applications to circumvent the sandbox. So what will happen? XSS attacks that rewrite your Address Book? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, who so often touts their security record (no, I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received. All of this is obviously speculating the worst, but Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design, what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

1.17.2007

All the fun of Defcon in the palm of your hand!

No, I don't mean a bottle of tequila and an iPod Shuffle filled with the DC13&14 podcasts you can find on iTunes. Nor do I mean holding hands with a stripper or carrying a roll of poker chips.

I mean Dave Aitel's latest creation, Silica. Meant to be pen testers' favorite toy, it's basically a Palm Pilot running Canvas, Aitel's Python-based pentesting suite, over a Debian Linux core. Add some bonus wireless trickery, automation, and pretty graphics and you have an interesting little toy.

I'm not really sure what else to say besides the fact that this is an interesting idea. I'd like to believe it's a fairly useful and full-featured system, but I'll reserve my judgement until I get hands-on with one. Pity I won't be out at the RSA Conference to see it. I even got invited to the InfoSec Blogger meet up.

11.24.2006

DMCA revisions go well with leftover turkey...

Unlocked cellphones and legal security research, that is. I refrained from any Thanksgiving posts (not totally deliberately, partially because my iBook is somewhere in Texas right now getting repaired). Today though I couldn't help but express my gratitude to the US Copyright Office for two things.

First of all, it's been a ludicrous notion that unlocking a cellphone from a particular vendor should be illegal. Now I think that the DMCA is largely ridiculous, but I can see logic, though not necessarily merit, in keeping people from reverse engineering devices that took companies time and resources to create. I can see where that would seem sane to some. But to threaten people over using a device in a manner it was deliberately constructed for, such as to work with multiple carriers, is just asking too much.

More important to me, and a fair bit closer to home for those in my line of work, is the newly set precedent allowing at least some leeway in the DMCA for reversing music formats with potential security holes:

The measure permits researchers to circumvent copyright protection measures - "...when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities."

*cough* Sony *cough*

It strikes me that this should just be the beginning. Security research such as this needs to be protected, and not just after a major company abuses user trust. It's a double-edged sword, I realize, protecting those searching for vulnerabilities. You could get burned, protecting people who want to find 0-days, but you also would protect those searching for vulnerabilities in order to protect. The best example of this is the Red Database group's two-year fight with Oracle over vulnerabilities that they found and attempted to get fixed. In my opinion they were the epitome of responsible disclosure, which is as much about knowing when to force a company's hand as when to give them time. There needs to be protection for groups such as this who are leveraging their potentially damaging knowledge in a way that's meant to protect those using the product, even when the companies themselves can't be bothered. There is such a thing as responsible disclosure, and it deserves to be protected, both for the betterment of the software manufacturers and of the users.

So thanks, Copyright Office. I hope your turkey was extra tasty this year.