By Kim Zetter
With Apple's announcement Monday that it shipped 1.12 million iPhones in
the three months after its launch, the gadget's apparent popularity
rivals some PCs. That has security experts warning of trouble, following
revelations that Apple built the iPhone's firmware on the same flawed
security model that took rival Microsoft a decade to eliminate from
"It really is an example of 'those who don't learn from history are
condemned to repeat it'," says Dan Geer, vice president and chief
scientist at security firm Verdasys.
It wasn't long after Apple released the iPhone in June that researchers
discovered that every application on the device -- from the calculator
on up -- runs as "root," i.e., with full system privileges. As a result,
a serious vulnerability in any of these applications would allow hackers
to gain complete control of the device.
The same problem in Windows, ordinary users running with administrative
rights, played a big role in stoking the plague of internet malware that
began with the Melissa virus in 1999 and continues with the Storm worm
today: a single exploited application handed the attacker the whole
machine.
With the limited bandwidth of the iPhone, malicious code would be
unlikely to generate the traffic volumes that let PC worms congest
portions of the internet. But malware could wreak
creative havoc of a different kind. It might, for example, cause a phone
to call numbers without the user's knowledge, seize text messages and a
list of received and sent calls, turn the phone into a listening device,
track the user's location through nearby WiFi access points, or instruct
the phone to snap photos of the user's surroundings -- including any
companions who may be in view of the camera lens.
Apple announced last week that it plans to release a
software-development kit in February, to open the way for third-party
developers to create applications for the iPhone. More applications,
though, invariably means more attack routes for hackers. Apple CEO Steve
Jobs said in his announcement that the company was taking time to
release the SDK to deal with security issues, suggesting that a future
operating system update to the phone might only run applications
approved and digitally signed by Apple.
But this wouldn't solve all of the security problems.
"As long as everything runs as root, there are going to be bugs and
people are going to find them (to take over the device)," says Charlie
Miller, principal security analyst for Independent Security Evaluators,
who, with colleagues, discovered the first publicly reported
vulnerability in the iPhone earlier this year. The bug, found in its
Safari browser, allowed an attacker to take control of a phone simply by
luring it to a malicious web page. The researchers criticized
Apple in their paper (.pdf) for designing iPhone applications to run as
Although Apple issued a fix for the Safari vulnerability in July, the
company never responded to criticism about the root problem with its
phones. Apple also didn't respond to calls from Wired News for this
Last week, H.D. Moore, a security researcher who developed the
Metasploit Framework security and hacking tool, posted information on
his blog about a vulnerability in the iPhone's TIFF image library, which
is used by the phone's e-mail, browser and music software. He also supplied
detailed instructions on how to write code to exploit the bug and
provided an exploit to gain remote control of an iPhone.
Computer security professionals call the iPhone design flaw a
fundamental mistake, and say that Apple should have known better.
"The principle of 'least privilege' is a fundamental security
principle," says Geer. "Best practices say that if you need minimal
authority to do (something on a system), then you don't need to have
more authority than that to get it done."
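The fix Geer and Miller are describing is the standard Unix one: do whatever genuinely needs root first, then permanently drop to an unprivileged account before touching anything an attacker controls, and refuse to run if the drop did not stick. The following C sketch is an added illustration; it is not code from the article, from Apple's firmware or from the researchers quoted. It assumes Linux-style setresuid/setresgid calls and uses uid/gid 65534 ("nobody" on most Linux systems) as the unprivileged target when started as root.

```c
/* Added example (not from the article): privilege separation the way a
 * well-behaved daemon does it. Do privileged setup, drop to an unprivileged
 * uid/gid, verify root cannot be regained, and only then parse untrusted
 * input. Assumes Linux/glibc (setresuid, setresgid, getresuid, getresgid). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid. Once the
 * uid is unprivileged the group calls would be refused with EPERM. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a root process may clear supplementary groups; skip the call when
     * already unprivileged so the function also works in a non-root demo. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* setresgid/setresuid change real, effective AND saved ids in one step,
     * so no saved-set-user-ID is left behind from which root could return. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process still holds, or can reacquire, root; 0 if not.
 * After a correct drop, setuid(0) must fail with EPERM. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (setuid(0) == 0)
        return 1;   /* would mean a saved-set-uid of 0 survived the drop */
    return errno == EPERM ? 0 : 1;
}

/* Returns 1 if real, effective and saved ids all equal uid/gid, else 0. */
int identity_is(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Stand-in for the attacker-facing parser (a TIFF decoder, a mail client).
 * Counts the NUL-free bytes in the buffer; the point is only that it runs
 * after the drop, so a bug here yields an unprivileged process, not root. */
size_t handle_untrusted(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

int main(void)
{
    /* Privileged setup (opening a device node, binding a low port) would
     * happen here, before the drop. */
    int started_as_root = geteuid() == 0;
    uid_t target_uid = started_as_root ? 65534 : getuid();  /* assumption: 65534 = nobody */
    gid_t target_gid = started_as_root ? 65534 : getgid();

    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (can_regain_root() || !identity_is(target_uid, target_gid)) {
        fputs("refusing to run: privileges were not fully dropped\n", stderr);
        return 1;
    }

    /* Constructed sample input: a TIFF little-endian magic header plus junk. */
    const unsigned char sample[] = { 'I', 'I', 42, 0, 0xff, 0x00, 0x41 };
    printf("running as uid %u, processed %zu bytes of untrusted input\n",
           (unsigned)geteuid(), handle_untrusted(sample, sizeof sample));
    return 0;
}
```

The check in `can_regain_root` is the part most real code omits: calling `setuid(0)` after the drop and insisting it fails is the only way to be sure no saved-set-user-ID was left behind by a `seteuid`-style half-drop.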
Microsoft has been roundly criticized for years for shipping Windows
with the default user account holding administrative privileges. This
gave hackers who gained a foothold on a Windows machine complete
privileges to modify the operating system and take control of it.
It took a while for the company to get the message, but Redmond finally
closed the hole with its Vista operating system this year, whose User
Account Control feature runs even administrator accounts with
standard-user privileges and prompts the user before any action that
needs elevated rights.
"I guess Apple hadn't learned those lessons and is now going to learn
them the hard way," says Geer.
Miller says that Apple will need to redesign the entire firmware to fix
the problem -- which would require owners to install a pretty hefty
"If you start from the beginning with security in mind and you design
your product thinking about security as you go, it's not really any
harder to design a secure product than an insecure product," he says.
"Once you've already got it out in everyone's hands, it's a little
harder to go back and add security. And that's really what they need to
do at this point."