AppleInsider › Forums › Mobile › iPhone › iPhone Security Holes?
New Posts  All Forums:Forum Nav:

iPhone Security Holes?

post #1 of 16
7/3/07 at 9:32am
Thread Starter 
Should we be worried about this:

http://rixstep.com/2/1/20070703,00.shtml
http://rixstep.com/1/1/20070703,00.shtml

I don't know a lot about Unix security, so I'm wondering if the concerns raised in the above articles are serious or not.
Reply
Reply
post #2 of 16
7/3/07 at 12:25pm
Quote:
Originally Posted by DoughBoy View Post

Should we be worried about this:

http://rixstep.com/2/1/20070703,00.shtml
http://rixstep.com/1/1/20070703,00.shtml

I don't know a lot about Unix security, so I'm wondering if the concerns raised in the above articles are serious or not.

I'm not a programmer but these sound serious to me. As a precaution, I sent the links and a message about them to Apple's iPhone feedback page. Below is the link if anybody else wants to email Apple about this.

http://www.apple.com/feedback/iphone.html

- Mark

http://www.gmu.edu/departments/economics/wew/index.html
Reply

- Mark

http://www.gmu.edu/departments/economics/wew/index.html
Reply
post #3 of 16
7/3/07 at 1:49pm
He's primarily talking about applications, which currently cannot be installed on the device. Now if apps could be installed on the device, then all those things would be very bad. As it is, they are not good, but probably not a big deal as long as Apple maintains the iPhone as a closed system.

Since many (myself included) are clamoring for Apple to open up a bit so we can all provide applications that people want (ePocrates for one) then it will be a BIG DEAL.

Not to say that there is not anything wrong with the browser/e-mail potential for a hacker, but that remains to be seen.
Reply
Reply
post #4 of 16
7/4/07 at 12:02am
Quote:
He's primarily talking about applications, which currently cannot be installed on the device.

Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.
Reply
Reply
post #5 of 16
7/4/07 at 6:24am
Quote:
Originally Posted by Fairly View Post

Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.

Wrong. MacOS X Mail does not execute code within attachments. This ability was not added to Mail's iPhone port. Safari does not deliver malicious software to Mac desktops or laptops. It cannot deliver such software to the iPhone.

Only Apple can add applications to the iPhone. If malicious code could be installed via email, then third-party developers could also use this vector to install useful applications and utilities. Think.
Reply
Reply
post #6 of 16
7/4/07 at 7:18am
Well...at least we know why Jobs is concerned about releasing an SDK/iPhone dev kit! Yowzers! Apple will most certainly need to rework the security before they let people develop their own software.

--DotComCTO
Reply
Reply
post #7 of 16
7/4/07 at 7:21am
This is hardly a threat. It's another bit of disinformation from nay-sayers. I'm getting sick of these people talking out their asses. The last one I heard was it's not really a smart phone because it wont complete words. Bullshit! It not only has a way to complete what you type, but a better way of finding what your misspelled words really are than I have ever seen.
onlooker
Registered User

Join Date: Dec 2001
Location: parts unknown




http://www.apple.com/feedback/macpro.html
Reply
onlooker
Registered User

Join Date: Dec 2001
Location: parts unknown




http://www.apple.com/feedback/macpro.html
Reply
post #8 of 16
7/4/07 at 8:58am
Quote:
Originally Posted by onlooker View Post

This is hardly a threat. It's another bit of disinformation from nay-sayers. I'm getting sick of these people talking out their asses. The last one I heard was it's not really a smart phone because it wont complete words. Bullshit! It not only has a way to complete what you type, but a better way of finding what your misspelled words really are than I have ever seen.

Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as its locked down there is no problem. When they unlock it (and I fully believe they will ) they can change the passwords, turn off root, make the apps rim as a non-root user etc. With a single update!!!
Reply
Reply
post #9 of 16
7/4/07 at 9:28am
Of course it has security holes. Everything has security holes.
Reply
Reply
post #10 of 16
7/4/07 at 11:52pm
Oh I feel so much better then. Thanks for that!
Quote:
Originally Posted by mydo View Post

Of course it has security holes. Everything has security holes.
Reply
Reply
post #11 of 16
7/4/07 at 11:55pm
Quote:
Originally Posted by Mr. Me View Post

Wrong. MacOS X Mail does not execute code within attachments.Think.

No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.
Reply
Reply
post #12 of 16
7/4/07 at 11:56pm
Quote:
Originally Posted by physguy View Post

Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as its locked down there is no problem. When they unlock it (and I fully believe they will ) they can change the passwords, turn off root, make the apps rim as a non-root user etc. With a single update!!!

OMG. Barf.
Reply
Reply
post #13 of 16
7/5/07 at 12:00am
Quote:
Originally Posted by DotComCTO View Post

Well...at least we know why Jobs is concerned about releasing an SDK/iPhone dev kit! Yowzers! Apple will most certainly need to rework the security before they let people develop their own software.

Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know nothing about security and worse still they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.
Reply
Reply
post #14 of 16
7/5/07 at 3:02am
Quote:
Originally Posted by Fairly View Post

No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.

Dude that is the biggest bunch of crap I've ever read. Did your little sister tell you web apps run at the root level of OS X? IF that were the case OS X would be seriously vulnerable. Maybe it's time you think for yourself and stop believing every idiots ridiculous unfounded speculation.
onlooker
Registered User

Join Date: Dec 2001
Location: parts unknown




http://www.apple.com/feedback/macpro.html
Reply
onlooker
Registered User

Join Date: Dec 2001
Location: parts unknown




http://www.apple.com/feedback/macpro.html
Reply
post #15 of 16
7/5/07 at 6:58am
Quote:
Originally Posted by Fairly View Post

Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know nothing about security and worse still they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.

As was said - please engage brain before mouth. There is NO TERMINAL. There is NO ACCESS. As onlooker said on one is saying, nor is there any reason to think, that web apps are not running as root. I agree that this is why no current SDK now. Read the post of the actually people are doing this. They have the root password and name, just like Apple TV, but in this case they can't do anything with them as there is NO TERMINAL, NO ACCESS. Even IF they enable this on their phone, which they will probably figure out eventually, how are they going to get to YOUR phone??? It will require a physical connection just like Apple TV, which I've hacked extensively.
Reply
Reply
post #16 of 16
7/8/07 at 2:09am
"Should we be worried about this"

To a certain extent yes. I think it's perfectly OK for security aware people to ask Apple what the F they're doing. Seriously: if you run Unix as root you're not a bit more secure than Windows. Get real.

If they have something to say then let's hear it. But they need to explain. It's called "full disclosure".

Apple are going to have to come out and explain. Period. No way I'm taking one of those gizmos until they do.
Reply
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › iPhone Security Holes?