Demonstrating a proof-of-concept attack that runs arbitrary code on an iPhone gets security researcher Charlie Miller banned from Apple's developer program for a year.
Apple has given security researcher Charlie Miller the boot from its iOS developer program after he publicly demonstrated a proof-of-concept attack that would enable an app creator to execute arbitrary code on any iPhone, iPad, or iPod Touch running iOS version 4.3 or later.
Miller has been suspended from the developer program--which allows people to develop, test, and distribute iOS applications--for one year. "First they give researcher's (sic) access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry," said Miller in a tweet posted Tuesday. In a letter, Apple told Miller that it was kicking him out of the program for breaking its terms of service.
Before distributing any app via the App Store, Apple first vets the app, and if approved, signs the code to ensure that the app can't be changed. But the flaw that Miller discovered essentially breaks the iOS application security walled garden, allowing malware attacks to be launched. "The flaw I found is in the way that Apple handles code-signing. Code-signing is important because that's the way that Apple protects you from malware," he said in an unlisted YouTube video demonstrating the attack. (Unlisted YouTube videos can only be viewed by someone who already has a link to the video.)
To test the vulnerability that he discovered, Miller had created Instastock, a fake stock market app, which Apple accepted. "It doesn't do anything weird or funny, it just checks the stocks," he said. At least, that's what it appears to do. In fact, after being downloaded from the Apple App Store and first run, the app "phoned home" to an attacker's server.
For the purposes of the test, the server in this case was located at Miller's house in St. Louis, and he didn't have it push any code to the app while it was being reviewed by Apple. But after it was approved, he was able to open a shell with the device and issue remote commands, making the iPhone do everything from listing directories and processes, to making the phone vibrate or download the user's address book for the attacker.
"You can imagine downloading a nice app like Angry Birds, but instead of just being Angry Birds, it actually could download and do anything it wants, and Apple would have no idea that had happened," said Miller in the video.
Miller disclosed the code-signing vulnerability to Apple several weeks ago, although he failed to mention the proof-of-concept app that he'd uploaded to the App Store, and which Apple approved and made available in September. (An earlier proof-of-concept app that Miller had developed, which allowed a user to zoom in on pictures of David Hasselhoff, was rejected by Apple for having no useful value.)
Miller also demonstrated the exploit in his unlisted YouTube video, which was posted in September. But Apple apparently didn't hear about the proof-of-concept attack demonstration until Monday, when Miller detailed the flaw and provided a link to his YouTube video to Andy Greenberg at Forbes.com. Just hours after the story ran, Apple canceled Miller's iOS developer account.
Miller's day job is as a principal consultant at security research firm Accuvant. But the former National Security Agency analyst is probably better known for hacking--in the "take it apart and see how it works" sense--of Apple wares. At the Black Hat conference this past summer, for example, he demonstrated how to hack Apple laptop batteries by reprogramming the firmware, which would allow an attacker to brick the battery, or even make it serve malware. (As noted by Greenberg, it's a wonder that Apple wasn't keeping close tabs on Miller's apps, given his iOS hacking history.)
Miller plans to demonstrate his code-signing attack at next week's SyScan conference in Taiwan, followed by January's Infiltrate conference in Florida.