11/8/2011
11:48 AM

Apple Excommunicates iOS Cracker

Demonstrating proof-of-concept attack that runs arbitrary code on an iPhone gets security researcher Charlie Miller banned from Apple development program for a year.

Apple has given security researcher Charlie Miller the boot from its iOS developer program after he publicly demonstrated a proof-of-concept attack that would enable an app creator to execute arbitrary code on any iPhone, iPad, or iPod Touch running iOS version 4.3 or later.

Miller has been suspended from the developer program--which allows people to develop, test, and distribute iOS applications--for one year. "First they give researcher's (sic) access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry," said Miller in a tweet posted Tuesday. In a letter, Apple told Miller that it was kicking him out of the program for breaking its terms of service.

Before distributing any app via the App Store, Apple first vets the app, and if approved, signs the code to ensure that the app can't be changed. But the flaw that Miller discovered essentially breaks the iOS application security walled garden, allowing malware attacks to be launched. "The flaw I found is in the way that Apple handles code-signing. Code-signing is important because that's the way that Apple protects you from malware," he said in an unlisted YouTube video demonstrating the attack. (Unlisted YouTube videos can only be viewed by someone who already has a link to the video.)

To test the vulnerability that he discovered, Miller had created Instastock, a fake stock market app, which Apple accepted. "It doesn't do anything weird or funny, it just checks the stocks," he said. At least, that's what it appears to do. In fact, after being downloaded from the Apple App Store and first run, the app "phoned home" to an attacker's server.

For the purposes of the test, the server in this case was located at Miller's house in St. Louis, and he didn't have it push any code to the app while it was being reviewed by Apple. But after it was approved, he was able to open a shell on the device and issue remote commands, making the iPhone do everything from listing directories and processes to making the phone vibrate or downloading the user's address book for the attacker.

"You can imagine downloading a nice app like Angry Birds, but instead of just being Angry Birds, it actually could download and do anything it wants, and Apple would have no idea that had happened," said Miller in the video.

Miller disclosed the code-signing vulnerability to Apple several weeks ago, although he failed to mention the proof-of-concept app that he'd uploaded to the App Store, and which Apple approved and made available in September. (An earlier proof-of-concept app that Miller had developed, which allowed a user to zoom in on pictures of David Hasselhoff, was rejected by Apple for having no useful value.)

Miller also demonstrated the exploit in his unlisted YouTube video, which was posted in September. But Apple apparently didn't hear about the proof-of-concept attack demonstration until Monday, when Miller detailed the flaw and provided a link to his YouTube video to Andy Greenberg at Forbes.com. Just hours after the story ran, Apple canceled Miller's iOS developer account.

Miller's day job is as a principal consultant at security research firm Accuvant. But the former National Security Agency analyst is probably better known for hacking--in the "take it apart and see how it works" sense--of Apple wares. At the Black Hat conference this past summer, for example, he demonstrated how to hack Apple laptop batteries by reprogramming the firmware, which would allow an attacker to brick the battery, or even make it serve malware. (As noted by Greenberg, it's a wonder that Apple wasn't keeping close tabs on Miller's apps, given his iOS hacking history.)

Miller plans to demonstrate his code-signing attack at next week's SyScan conference in Taiwan, followed by January's Infiltrate conference in Florida.

Comments
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 7:22:27 AM
re: Apple Excommunicates iOS Cracker
Will somebody please pass the hemlock? Charlie Miller, I suggest you put that anger to use by improving the security of the various Linux distros and Android instead. I for one would welcome these other products getting enhanced security. Charlie, if you drop me a line I will tell you what I use personally so you can start making them more secure first. Apple doesn't think their products are practically perfect. Apple thinks their products and the way they do everything is perfect. Good. Let the black-hats shatter that delusion of invincibility from now on.
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 6:17:43 AM
re: Apple Excommunicates iOS Cracker
It is fair if they do the same thing to everybody else. It is always unproductive to turn down information that can be used to improve your product.
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 6:15:34 AM
re: Apple Excommunicates iOS Cracker
As a former NSA Analyst, Charlie Miller has found a perfectly good home. Meet the Advisory board:

http://www.accuvant.com/about/...

Charlie has top security research billing where he is at, which is much better than working for Apple. OTOH, did you mean "make him an offer he can't refuse" in the same vein as something being offered by the goodfellas? In that case, I think that Apple has already done that.
ANON1237925156805,
User Rank: Apprentice
11/10/2011 | 12:36:03 AM
re: Apple Excommunicates iOS Cracker
Miller does all of us a real service. He's done it for a while, alerting Apple and others to potential flaws. Apple has clearly not been closed to that; it has maintained its relationship with him. It has continued to approve and publish his apps.

A distinction has to be made between describing flaws and offering proof of concept on request perhaps in a test environment vs introducing a potential portal for malware in a production app whilst doing the publicity circuit to describe how it works. That's clearly in violation of his contract with Apple, which presumably he signed without a gun pointed at his temple.

What's more, since a curated environment is part of Apple's branding, they have to defend it. If they had not responded firmly to this breach of protocol there would have been complaints from the other direction. Google can get away with backing out 50 apps with malware after the fact. Its users prize so-called openness and assume such risks. Apple cannot afford to take that approach at this point.

So Miller's out of the app store for one year. That's enough to show they mean business. Hopefully they will encourage him to continue looking for flaws and reporting them. Hopefully a full relationship can resume after a year. Hopefully others with Miller's interests will find a more effective way of handling such situations in future.

Hey Apple, while you're at it, close that loophole. . .
Tom LaSusa,
User Rank: Apprentice
11/9/2011 | 8:58:35 PM
re: Apple Excommunicates iOS Cracker
Whew...thank goodness someone got the reference! ;-)

Tom LaSusa
InformationWeek Community Manager and lifelong Whovian
RayfromNH,
User Rank: Apprentice
11/9/2011 | 7:41:24 PM
re: Apple Excommunicates iOS Cracker
Miller is showing the kind of thinking outside the box that is required to find and expose security flaws. Accuvant is lucky to have him as a consultant. Apple, on the other hand, is showing the kind of stick-to-the-policy thinking that will turn them into the next big company that puts stockholders and company policy before customers and innovation.
PJONES773,
User Rank: Apprentice
11/9/2011 | 3:24:33 PM
re: Apple Excommunicates iOS Cracker
Bow ties are cool.
RJF19,
User Rank: Apprentice
11/9/2011 | 2:25:55 PM
re: Apple Excommunicates iOS Cracker
So, the guy finds a flaw that could potentially hurt Apple where it really matters and they punish him? Steve, you left too soon...
YMOM100,
User Rank: Apprentice
11/9/2011 | 1:06:58 AM
re: Apple Excommunicates iOS Cracker
Agree to some extent, but as a professional you need to speak up when it is on topic and the company's policy or decision is plain wrong. And a good company will thank you for it, admit that you are right, and give you a good position where you can put your skills to better use. Why do you think other companies pay bounties for bug hunters?
But Apple is run by morons who are so far from reality that this idiotic move is no surprise.
Bprince,
User Rank: Apprentice
11/8/2011 | 11:40:23 PM
re: Apple Excommunicates iOS Cracker
To TheUO's point below, how many readers think this will have an impact on research into iOS bugs/malware by legitimate researchers? What do you think that impact will be?
Brian Prince, InformationWeek/Dark Reading Comment Moderator