Hack can open up iPhone to push messaging exploit

[AppleInsider]

While a variety of sources have published a story accusing the iPhone 3.0 software of broadcasting instant messages to random iPhones, in reality this exploit affects only users who have hacked their phone and made it vulnerable.

The problem allegedly occurs through AOL Instant Messenger's push feature in phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). However, it is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.

Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.

But without user tampering, the iPhone's security layer actually prevents this sort of incident from happening.

Apple's PNS Security

As AppleInsider exclusively reported back in February, Apple's Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.

In order to secure the delivery of these messages, Apple uses SSL certificates to securely authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates itself a private and public key pair, and uses these to register itself with Apple's PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.

Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft's Windows Messaging popups, none of which included any inherent security in their designs. Apple's security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.

The security layer also prevents malicious users from intercepting messages and it secures users from receiving fake messages to obtain their location or wipe their phone, while enabling users to perform those actions themselves from MobileMe after authenticating. Users don't need to know anything about the underlying certificates used to secure these communications; everything is designed to "just work."

Putting the break in jailbreak

Jailbreaking the iPhone involves working around Apple's security system to enable the device to run unsigned software. The iPhone's applications, just like its PNS communications, are encrypted using security certificates to prevent tampering, spoofing, or spying by malicious third parties.

Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer.

Dev team hackers trying to get jailbroken, alternatively activated phones to work with PNS allegedly made the mistake of adding an existing certificate to "fix" the problem. The hack simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device.

Users who don't jailbreak their iPhone won't experience any problems with messages being broadcast to random other users. But those who tamper with the iPhone's security system will have to figure out how to generate SSL authentication keys appropriately to enable the phone to work with PNS messages correctly.

[ View this article at AppleInsider.com ]

[al_bundy]

Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.

[akf2000]

Who the hell wrote this, looks like a Yu Wan Mei press release.

[kresh]

Hack your hardware but don't blame the manufacturer when you screw something up, I hope this hurts EFF's effort to get the DMCA exemption.

[hezekiahb]

Quote:

Originally Posted by al_bundy

Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.

If I read the article correctly it sounds like users are getting the hackers messages. Ought to make it easy to know who created the cracks.

[jpellino]

"Dev team hackers trying to get jailbroken phones to work with PNS made the mistake of adding an existing certificate to "fix" the problem, which simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device, where "wrong" is actually "unexpected," not "incorrect."

Pish tosh. We all know hackers don't make mistakes. We have all been told that they simply point out the feeb programmers who made the mistake of not anticipating that someone would do some godforsaken thing to their creation that was neither intended or practical. In related news, it's BMW's fault when someone severs those pesky brand-name control arms, inserts tomato stakes and my car heads off in other directions. Poor planning.

[genovelle]

Quote:

Originally Posted by al_bundy

Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.

Only if you mean the hackers know that they are making the phone not be able to communicate with The PNS server, and the people jail breaking their phones don't know it will do it.

The fake certificate it created by the hackers not the people jailbreaking. If you just have to jailbreak, you have to deal with it. Its like buying a Sony Play Station and trying to hack it to play X-box games you already have, then Call Sony to complain about it not working out for you. This is just as nuts.

[sflocal]

This only validates Apple's reasoning for keeping the phone locked down. You jailbreak it, fine with me. You d**k around with the code and screw it up, you have no one to blame but yourself.

From a hacker's point of view, this looks like a great way to gain entry into private messages from other folks. Pity the plumber-joes of the world with jailbroken phones that don't know any better to install some app designed by these monkeys to get their accounts compromised.

And yet they somehow expect Apple to support their phone??

[alienvenom]

This article is biased.

Jailbreaking is not the issue here, it's what people do with it. Simply jailbreaking the phone is not a guarantee to break the PNS.

I believe that there's a certain level of uncertainty in jailbreaking the phone (i.e. not knowing which software modifications were done) but that should not translate to: do not jailbreak otherwise you will break PNS.

Funny how that all of the reports surrounding the PNS relate to the AIM application, but not the various Twitter apps that support push, Beejive, or any of the others?

How's this? Instead of blaming Apple or people who have jailbroken their phones, I blame AOL.

[Gwydion]

WTF? Who has writed this piece of crap?

The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones.

When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes.

FUD, this is your article.

[alienvenom]

Quote:

Originally Posted by Gwydion

WTF? Who has writed this piece of crap?

The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones.

When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes.

FUD, this is your article.

Amen. People seem to be confusing jailbreaking with jailbreaking + hacktivating

[teckstud]

Damn - all of a sudden half the posts dissapeared?
It's getting spooky around here- I'm out!

[Quine]

Why should this hurt the EFF case? Jailbreaking should be totally ok. If you want to void the warranty and support for your device and use it how you please, you should be able to.

Apple has made the consequences clear, ignore the idiots who jailbreak and expect support. It should be legal.


Also, this article was a bit misleading. you should update the info AI to explicitely state what is causing this and not just point a finger at jailbreaking as if it's all bad.

[Wowotoe]

I thought this was Microsoft's old strategy. If you use Windows, you must have IE and does not allow other browser to come pre-installed. If you remove IE, your Windows is f**k.

I'm sure sooner or later, EU will step in with some stupid requests.

[ascii]

When you buy a new Mac, and enter your name as "John Smith" the setup assistant names your computer "John Smith's iMac" and then broadcasts that name on WiFi for all and sundry. Apple have never paid much attention to privacy.

[wobegon]

Quote:

Originally Posted by Quine

Why should this hurt the EFF case? Jailbreaking should be totally ok. If you want to void the warranty and support for your device and use it how you please, you should be able to.

Except your already able to jailbreak the iPhone. Apple has shown no interest in suing jailbreakers. EFF is simply forcing Apple's hand, so hopefully the EFF's case will be thrown out.

The EFF is not a legitimate authority, just today they derided Apple for patching a hole that allowed third party devices to sync with iTunes by masquerading as iPods.

[Virgil-TB2]

Quote:

Originally Posted by alienvenom

This article is biased. ... Jailbreaking is not the issue here, it's what people do with it. Simply jailbreaking the phone is not a guarantee to break the PNS. ... I believe that there's a certain level of uncertainty in jailbreaking the phone (i.e. not knowing which software modifications were done) but that should not translate to: do not jailbreak otherwise you will break PNS. ...

Quote:

Originally Posted by Gwydion

WTF? Who has writed this piece of crap? ... The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones. ... When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes. ....

The article explicitly states the opposite of what both of you are stating here.

Since the article has lots of stuff to back it up and since your comments basically amount to "no way!" I'll take what the article says first until you guys come up with an actual argument to the contrary.

If you don't think Jailbreaking necessitates breaking the PNS, why not explain how you know that instead of just saying "does not!"

[Gwydion]

Quote:

Originally Posted by Virgil-TB2

The article explicitly states the opposite of what both of you are stating here.

Since the article has lots of stuff to back it up and since your comments basically amount to "no way!" I'll take what the article says first until you guys come up with an actual argument to the contrary.

If you don't think Jailbreaking necessitates breaking the PNS, why not explain how you know that instead of just saying "does not!"

I have explained, perhaps you have missed it.

You need a fake certificate only to activate an iPhone in a carrier in which it can't be activated.

If you jailbreak a legally activated iPhone you actually are using your original certificate created when you activated it through iTunes

[Prince]

Quote:

Originally Posted by ascii

When you buy a new Mac, and enter your name as "John Smith" the setup assistant names your computer "John Smith's iMac" and then broadcasts that name on WiFi for all and sundry. Apple have never paid much attention to privacy.

Advertising available services on your local network when you TURN ON SHARING is not a privacy issue.

[HipPriest]

One look at the headline and summary and I thought this must be another hack-job by "Prince McLean". And sure enough. He missed his calling as a propaganda writer... Wait, actually he found it.

What's interesting is how in a relatively isolated community like AppleInsider these editorials and the respondents, who seem to only get their information from Apple fan sites, create a sort of feedback loop of misinformation. If you always preach to the choir or are a member of the choir, pretty soon any information from the real world looks so bizarre and out of place that you can justify any crazy position, such as "those evil EFF scum, how dare they question our sainted Apple!"

[al_bundy]

Quote:

Originally Posted by hezekiahb

If I read the article correctly it sounds like users are getting the hackers messages. Ought to make it easy to know who created the cracks.

Everyone already knows who the hackers are. One of them is a 16 year old kid who wrote the 3gs jailbreak mentioned. They are just paying homage to SJ who used to hack in his garage and turned his hobby into a business

[Gwydion]

Quote:

Originally Posted by HipPriest

One look at the headline and summary and I thought this must be another hack-job by "Prince McLean". And sure enough. He missed his calling as a propaganda writer... Wait, actually he found it.

I'm a bit lost and perhaps you will think I'm silly for not knowing that. Is "Prince McLean" = Daniel Eran Dilger?

If so, then I can understand so many thinks

[Prince]

Quote:

Originally Posted by HipPriest

One look at the headline and summary and I thought this must be another hack-job by "Prince McLean". And sure enough. He missed his calling as a propaganda writer... Wait, actually he found it.

What's interesting is how in a relatively isolated community like AppleInsider these editorials and the respondents, who seem to only get their information from Apple fan sites, create a sort of feedback loop of misinformation. If you always preach to the choir or are a member of the choir, pretty soon any information from the real world looks so bizarre and out of place that you can justify any crazy position, such as "those evil EFF scum, how dare they question our sainted Apple!"

Please present what you think is factually wrong in this article.

[yuusharo]

I'm a little surprised by this article. Normally, Appleinsider is a great place for straight-forward news regarding Apple and related industry stories. Its not normally the place for opinion pieces spliced in with some facts.

While I agree that people shouldn't blame Apple when they use their devices in a way that is not intended and find certain features broken, the information in this article implies that *ALL* iPhones that have been jailbroken have the tendency to break the security layers of the handset, and break PNS.

The only affected iPhones that are experiencing these problems are those that were not officially activated through iTunes on Apple's servers. This basically means that "legitimate" customers, anyone who has an active iPhone service plan on an approved network, will be able to generate the proper certificates for their device and activate Push Notification. iPhones that were activated OUTSIDE iTunes, "illegitimate" users, did not generate the proper certificates on Apple's server for their device, and thus cannot utilize Push Notification.

Apple could better solve this issue by allowing "hacktivated" devices the chance to register on their servers regardless of whether or not they have an active iPhone plan. I happened to test whether or not my old iPhone 3G (legitimately activated) would receive notifications if the SIM card were removed, and it DOES effortlessly, similar to an iPod Touch. So the capability is there, and the phone behavior is there.

[yuusharo]

Quote:

Originally Posted by Prince

Please present what you think is factually wrong in this article.

I wouldn't consider the article "factually wrong," however there is a bit of misinformation. Jailbreaking the iPhone doesn't inherently break Apple's security regarding push notification -- Its only if you try to activate the phone outside of iTunes to use an unofficial carrier sim after a fresh restore do you experience the problem.

I am running my old iPhone 3G and the new 3GS jailbroken, and have not recieved any unintended notifications nor am I worried.

[Gwydion]

Quote:

Originally Posted by Prince

Please present what you think is factually wrong in this article.

In Spain there is said "a half truth is worse than a lie".

"Dev team hackers trying to get jailbroken phones to work with PNS made the mistake of adding an existing certificate to "fix" the problem".

Yes this is partially true, but it refers no to jailbroken phones but jailbreaked + hacktivated iPhones.

Si, it's not factually wrong but it's not the true. Perhaps because you didn't know it.

[alansky]

Fug 'em.

[Gwydion]

Quote:

Originally Posted by yuusharo

This basically means that "legitimate" customers, anyone who has an active iPhone service plan on an approved network

And also factory unlocked iPhones like Italian ones on any network with or without service plan.

[badNameErr]

Apple's PR department can defend Apple regarding this issue. AppleInsider doesn't need too.

[Prince]

Quote:

Originally Posted by yuusharo

While I agree that people shouldn't blame Apple when they use their devices in a way that is not intended and find certain features broken, the information in this article implies that *ALL* iPhones that have been jailbroken have the tendency to break the security layers of the handset, and break PNS.

Actually, the article says "Destroying the application security layer of the iPhone does not itself automatically break PNS, but results in the system having no legitimate certificates to use in performing push notifications."

So no, there is no 'implication' that jailbreaking the iPhone breaks PNS automatically, and instead the opposite is true.

Also, jailbreaking = breaking application-signing security. Without that, there is no effective security on the phone. So yes, jailbreaking does "has the tendency to break the security layers," as that is its explicit purpose. You have to break the security system to install your own or third party, non-security signed code. That's what jailbreaking means.

Quote:

The only affected iPhones that are experiencing these problems are those that were not officially activated through iTunes on Apple's servers. This basically means that "legitimate" customers, anyone who has an active iPhone service plan on an approved network, will be able to generate the proper certificates for their device and activate Push Notification. iPhones that were activated OUTSIDE iTunes, "illegitimate" users, did not generate the proper certificates on Apple's server for their device, and thus cannot utilize Push Notification.

If you think this is an important distinction, I can add clarification to the article. The reality is that this issue is being reported almost everywhere else as being a security problem Apple is responsible for. This article is indicating that the issue is related to improperly copied security certificates, rather than those generated as part of a 'normal' activation.

Quote:

Apple could better solve this issue by allowing "hacktivated" devices the chance to register on their servers regardless of whether or not they have an active iPhone plan. I happened to test whether or not my old iPhone 3G (legitimately activated) would receive notifications if the SIM card were removed, and it DOES effortlessly, similar to an iPod Touch. So the capability is there, and the phone behavior is there.

Yes, it requires generating the appropriate certificates, and the installation of a SIM card forces the iPhone to tie activation of push to activation of service. Expecting Apple to develop unique technology to enable push activation separately from service activation is part of the reason why it is not in the interests of the company to support "unanticipated uses." At the same time, Apple has several reasons to support "alternative activation," one being the desire to get grey market phones into China.

[Virgil-TB2]

Quote:

Originally Posted by Gwydion

I have explained, perhaps you have missed it.

You need a fake certificate only to activate an iPhone in a carrier in which it can't be activated.

If you jailbreak a legally activated iPhone you actually are using your original certificate created when you activated it through iTunes

Dude, just asking for clarification you know?

Prince specifically states:

Quote:

Originally Posted by Prince

Destroying the application security layer of the iPhone does not itself automatically break PNS, but results in the system having no legitimate certificates to use in performing push notifications. Essentially, the user's credentials for signing into Apple's PNS messaging servers, which are generated by the device itself in normal conditions, are broken along with the application security layer.

Which I take to mean that the apps installed (AIM etc.) have no legitimate security certificates. This makes sense to me given that the majority of apps on jailbroken phones are illegal apps (not obtained through the app store or by paying for them), so they most likely don't have the right certificates.

So, you are saying that in this situation notifications will still work if the iPhone is not "hacktivated"? Or are you in agreement with this but standing on the hopeful idea that jailbroken phones *aren't* full of stolen apps most of the time?

[Gwydion]

Quote:

Originally Posted by Virgil-TB2

Dude, just asking for clarification you know?

Prince specifically states:
Destroying the application security layer of the iPhone does not itself automatically break PNS, but results in the system having no legitimate certificates to use in performing push notifications.

Which I take to mean that the apps installed (AIM etc.) have no legitimate security certificates. This makes sense to me given that the majority of apps on jailbroken phones are illegal apps (not obtained through the app store or by paying for them), so they most likely don't have the right certificates.

So, you are saying that in this situation notifications will still work if the iPhone is not "hacktivated"? Or are you in agreement with this but standing on the hopeful idea that jailbroken phones *aren't* full of stolen apps most of the time?

Ups, I have missed that part, " but results in the system having no legitimate certificates to use in performing push notifications".

This it's factually wrong, jailbreaking an iPhone to run unsigned code doesn't eliminate legitimate certificates, they're there to use with Apple servers. If you only jailbreak the phone you can't use it. It must be activated through iTunes and then you will have legitimate certificates or you have to hacktivate it outside iTunes and is the latets which will have the PNS problems, not the former.

So, if you jailbreak the iPhone and the you use iTunes to activate it, PNS will work as intended.

Ah, I have jailbroken my iPhone and I don't have any pirated application, I just jailbroken it to use SBSettings.

PS. And yes, anyone who blames Apple for that problem it's wrong or is malicious, it's not Apple fault. If you fake your MAC address and try to jion a network with this address you will have problems, but it's not fault of the device maker, it's youtr fault for faking it.

[mstone]

Quote:

Originally Posted by AppleInsider

However, it is not yet clear exactly what causes the issue,

All speculation aside...

[robb1068]

Quote:

Originally Posted by Prince

Please present what you think is factually wrong in this article.

Any links to articles blaming Apple for this issue? You can usually tell when Dan has his kool-aid hat on when he sites stories or sources attacking Apple and then doesn't provide any links.

I've seen this story published in a variety of places, including the original story at Crunchgear http://www.crunchgear.com/2009/07/21...locked-phones/ and have yet to see anyone suggest this is Apple's fault.

[milkmage]

Quote:

Originally Posted by alienvenom

This article is biased.

Jailbreaking is not the issue here, it's what people do with it. Simply jailbreaking the phone is not a guarantee to break the PNS.

I believe that there's a certain level of uncertainty in jailbreaking the phone (i.e. not knowing which software modifications were done) but that should not translate to: do not jailbreak otherwise you will break PNS.

Funny how that all of the reports surrounding the PNS relate to the AIM application, but not the various Twitter apps that support push, Beejive, or any of the others?

How's this? Instead of blaming Apple or people who have jailbroken their phones, I blame AOL.

biased? how so.. it says "Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer."

[Gwydion]

Quote:

Originally Posted by milkmage

biased? how so.. it says "Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer."

The article have been corrected and now it's not biased.

Thanks Prince for modifying it, best regards

[yuusharo]

It appears I've been educated a little about the process. Thank you for the clarification, Prince

Quote:

Originally Posted by Gwydion

The article have been corrected and now it's not biased.

There's no update on the article itself, however. There should be an indication that the title was changed -- there is not. It was just changed.

Edit: For the record, I believe it was originally titled "Hackers open up iPhone to push messaging exploit, blame Apple"

[monstrosity]

Ho hum, im sure I will sleep well

[anantksundaram]

As a pedestrian consumer who does not hack, jailbreak, etc., should I care? Yawn.

[cazlar]

Quote:

Originally Posted by anantksundaram

As a pedestrian consumer who does not hack, jailbreak, etc., should I care? Yawn.

Actually, you should. Any messages you send to someone who has used this "pushfix" hack will possibly be sent to random people - whether you are JB or not. In fact, the person mentioned in the article was sending a message from his mac in iChat to a hackitvated phone, not from it.

That being said, "pushfix" was only ever an alpha release. Once I heard of all the issues (well before this story) I steered clear (I'm on a hacktivated 2G iPhone). I'm sure the dev-team will find a better solution in the future.