iPhone Security Holes?
Should we be worried about this:
http://rixstep.com/2/1/20070703,00.shtml
http://rixstep.com/1/1/20070703,00.shtml
I don't know a lot about Unix security, so I'm wondering if the concerns raised in the above articles are serious or not.
Comments
I'm not a programmer but these sound serious to me. As a precaution, I sent the links and a message about them to Apple's iPhone feedback page. Below is the link if anybody else wants to email Apple about this.
http://www.apple.com/feedback/iphone.html
Since many (myself included) are clamoring for Apple to open up a bit so we can all provide applications that people want (ePocrates for one), it will be a BIG DEAL.
Not to say that there is not anything wrong with the browser/e-mail potential for a hacker, but that remains to be seen.
He's primarily talking about applications, which currently cannot be installed on the device.
Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.
> Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.
Wrong. MacOS X Mail does not execute code within attachments. This ability was not added to Mail's iPhone port. Safari does not deliver malicious software to Mac desktops or laptops. It cannot deliver such software to the iPhone.
Only Apple can add applications to the iPhone. If malicious code could be installed via email, then third-party developers could also use this vector to install useful applications and utilities. Think.
--DotComCTO
This is hardly a threat. It's another bit of disinformation from nay-sayers. I'm getting sick of these people talking out their asses. The last one I heard was it's not really a smart phone because it won't complete words. Bullshit! It not only has a way to complete what you type, but a better way of finding what your misspelled words really are than I have ever seen.
Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as it's locked down there is no problem. When they unlock it (and I fully believe they will) they can change the passwords, turn off root, make the apps run as a non-root user, etc. With a single update!!!
Of course it has security holes. Everything has security holes.
> Wrong. MacOS X Mail does not execute code within attachments. ... Think.
No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.
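The two posts above argue about the same thing from opposite ends: one says the fix is to "make the apps run as a non-root user", the other that "if they weren't running as root we'd have little reason to worry". The following is an added example, not code from the thread or from Apple, showing what that fix looks like for a Unix process that parses untrusted input (a web page, a mail message): it drops root permanently before parsing and then verifies that root cannot be regained. The target uid/gid 65534 ("nobody") and the toy parser are assumptions for illustration; on a system where the process was never root, the drop is a no-op and only the verification runs.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed unprivileged identity: 65534 is "nobody"/"nogroup" on most
 * Unix systems. Any uid/gid that is not 0 and owns nothing sensitive works. */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

/* Permanently give up root before touching untrusted data.
 * Order matters: supplementary groups first (needs root), then gid,
 * then uid, because once setuid() succeeds the other two calls are no
 * longer permitted. Returns 0 on success, -1 with errno set on failure.
 * Running already unprivileged is treated as success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* As root, setuid() sets real, effective and saved uid together,
     * so no saved uid 0 is left to switch back to. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop stuck: not root now, and setuid(0) is refused.
 * Returns 1 when the process is confined, 0 otherwise. */
int privileges_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    if (setuid(0) == 0)           /* a saved uid of 0 would let this succeed */
        return 0;
    return errno == EPERM;
}

/* Stand-in for the HTML or mail parser (hypothetical): a memory-safety
 * bug here hands an attacker exactly the privileges the process still holds. */
int handle_untrusted_input(const char *data)
{
    return (int)strlen(data);
}

int main(void)
{
    /* Constructed input standing in for a page fetched over the network. */
    const char *page = "<html><body>untrusted</body></html>";

    if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped()) {
        fprintf(stderr, "refusing to parse untrusted input as root\n");
        return 1;
    }
    printf("parsing as uid %u gid %u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    printf("parsed %d bytes\n", handle_untrusted_input(page));
    return 0;
}
```

The point of `privileges_dropped()` is the second check: a process that only changed its effective uid (for example with `seteuid()`) still has a saved uid of 0 and can call `setuid(0)` to get root back, so a crash-to-code bug in the parser would still end in root. Run the program as root to see the drop happen, or as an ordinary user to see the no-op path.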
> Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as it's locked down there is no problem. When they unlock it (and I fully believe they will) they can change the passwords, turn off root, make the apps run as a non-root user, etc. With a single update!!!
OMG. Barf.
Well...at least we know why Jobs is concerned about releasing an SDK/iPhone dev kit! Yowzers! Apple will most certainly need to rework the security before they let people develop their own software.
Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know anything about security and, worse still, they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.
> No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.
Dude, that is the biggest bunch of crap I've ever read. Did your little sister tell you web apps run at the root level of OS X? IF that were the case OS X would be seriously vulnerable. Maybe it's time you think for yourself and stop believing every idiot's ridiculous, unfounded speculation.
> Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know anything about security and, worse still, they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.
As was said - please engage brain before mouth. There is NO TERMINAL. There is NO ACCESS. As onlooker said, no one is saying, nor is there any reason to think, that web apps are not running as root. I agree that this is why there is no SDK now. Read the posts of the people who are actually doing this. They have the root password and name, just like Apple TV, but in this case they can't do anything with them as there is NO TERMINAL, NO ACCESS. Even IF they enable this on their phone, which they will probably figure out eventually, how are they going to get to YOUR phone??? It will require a physical connection just like Apple TV, which I've hacked extensively.
To a certain extent yes. I think it's perfectly OK for security aware people to ask Apple what the F they're doing. Seriously: if you run Unix as root you're not a bit more secure than Windows. Get real.
If they have something to say then let's hear it. But they need to explain. It's called "full disclosure".
Apple are going to have to come out and explain. Period. No way I'm taking one of those gizmos until they do.