iPhone Security Holes?

Posted:
in iPhone edited January 2014
Should we be worried about this:



http://rixstep.com/2/1/20070703,00.shtml

http://rixstep.com/1/1/20070703,00.shtml



I don't know a lot about Unix security, so I'm wondering if the concerns raised in the above articles are serious or not.

Comments

  • Reply 1 of 15
    sc_markt Posts: 1,401 member
    Quote:
    Originally Posted by DoughBoy View Post


    Should we be worried about this:



    http://rixstep.com/2/1/20070703,00.shtml

    http://rixstep.com/1/1/20070703,00.shtml



    I don't know a lot about Unix security, so I'm wondering if the concerns raised in the above articles are serious or not.



    I'm not a programmer but these sound serious to me. As a precaution, I sent the links and a message about them to Apple's iPhone feedback page. Below is the link if anybody else wants to email Apple about this.



    http://www.apple.com/feedback/iphone.html
  • Reply 2 of 15
    fuzz_ball Posts: 390 member
    He's primarily talking about applications, which currently cannot be installed on the device. Now if apps could be installed on the device, then all those things would be very bad. As it is, they are not good, but probably not a big deal as long as Apple maintains the iPhone as a closed system.



    Since many (myself included) are clamoring for Apple to open up a bit so we can all provide applications that people want (ePocrates for one) then it will be a BIG DEAL.



    Not to say that there is not anything wrong with the browser/e-mail potential for a hacker, but that remains to be seen.
  • Reply 3 of 15
    fairly Posts: 102 member
    Quote:

    He's primarily talking about applications, which currently cannot be installed on the device.



    Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.
  • Reply 4 of 15
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by Fairly View Post


    Not sure about that. MobileMail and Safari both are attack vectors. You don't need to install applications on the device - you deliver the malicious software through a web page or e-mail message. Just like any of those Microsoft worms.



    Wrong. MacOS X Mail does not execute code within attachments. This ability was not added to Mail's iPhone port. Safari does not deliver malicious software to Mac desktops or laptops. It cannot deliver such software to the iPhone.



    Only Apple can add applications to the iPhone. If malicious code could be installed via email, then third-party developers could also use this vector to install useful applications and utilities. Think.
  • Reply 5 of 15
    dotcomcto Posts: 130 member
    Well...at least we know why Jobs is concerned about releasing an SDK/iPhone dev kit! Yowzers! Apple will most certainly need to rework the security before they let people develop their own software.



    --DotComCTO
  • Reply 6 of 15
    onlooker Posts: 5,252 member
    This is hardly a threat. It's another bit of disinformation from nay-sayers. I'm getting sick of these people talking out their asses. The last one I heard was it's not really a smart phone because it won't complete words. Bullshit! It not only has a way to complete what you type, but a better way of finding what your misspelled words really are than I have ever seen.
  • Reply 7 of 15
    physguy Posts: 920 member
    Quote:
    Originally Posted by onlooker View Post


    This is hardly a threat. It's another bit of disinformation from nay-sayers. I'm getting sick of these people talking out their asses. The last one I heard was it's not really a smart phone because it won't complete words. Bullshit! It not only has a way to complete what you type, but a better way of finding what your misspelled words really are than I have ever seen.



    Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as it's locked down there is no problem. When they unlock it (and I fully believe they will) they can change the passwords, turn off root, make the apps run as a non-root user etc. With a single update!!!
  • Reply 8 of 15
    mydo Posts: 1,888 member
    Of course it has security holes. Everything has security holes.
  • Reply 9 of 15
    fairly Posts: 102 member
    Oh I feel so much better then. Thanks for that!

    Quote:
    Originally Posted by mydo View Post


    Of course it has security holes. Everything has security holes.



  • Reply 10 of 15
    fairly Posts: 102 member
    Quote:
    Originally Posted by Mr. Me View Post


    Wrong. MacOS X Mail does not execute code within attachments. Think.



    No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.
  • Reply 11 of 15
    fairly Posts: 102 member
    Quote:
    Originally Posted by physguy View Post


    Have to agree entirely!! This must be one of the reasons that the phone is currently locked down! As long as it's locked down there is no problem. When they unlock it (and I fully believe they will) they can change the passwords, turn off root, make the apps run as a non-root user etc. With a single update!!!



    OMG. Barf.
  • Reply 12 of 15
    fairly Posts: 102 member
    Quote:
    Originally Posted by DotComCTO View Post


    Well...at least we know why Jobs is concerned about releasing an SDK/iPhone dev kit! Yowzers! Apple will most certainly need to rework the security before they let people develop their own software.



    Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know nothing about security and worse still they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.
  • Reply 13 of 15
    onlooker Posts: 5,252 member
    Quote:
    Originally Posted by Fairly View Post


    No YOU think. It only does not execute code - and it's got bloody nothing to do with attachments - if it isn't hacked. If someone can get any iPhone web app to crash they can get it to execute rogue code. Period. These web apps are running as root. All bets are off. If they weren't running as root we'd have little reason to worry. But they are running as root. Think yourself.



    Dude, that is the biggest bunch of crap I've ever read. Did your little sister tell you web apps run at the root level of OS X? IF that were the case OS X would be seriously vulnerable. Maybe it's time you think for yourself and stop believing every idiot's ridiculous unfounded speculation.
  • Reply 14 of 15
    physguy Posts: 920 member
    Quote:
    Originally Posted by Fairly View Post


    Yes. And they need to explain why running as root was so bloody important. Security is on one side and features the marketing department wants are on the other. The security people might know something about proposed features but the marketing people don't know nothing about security and worse still they don't care. But we care - because we're going to use the devices and we don't want to get hacked. I think they can explain what they're up to. And the bad stuff can already get in if someone puts their mind to it. Fuzz MobileSafari or even the ordinary Safari, find a hole, study it and create an exploit. Lots of work? Of course. Possible? Oh yes.



    As was said - please engage brain before mouth. There is NO TERMINAL. There is NO ACCESS. As onlooker said, no one is saying, nor is there any reason to think, that web apps are not running as root. I agree that this is why no current SDK now. Read the post of the people who are actually doing this. They have the root password and name, just like Apple TV, but in this case they can't do anything with them as there is NO TERMINAL, NO ACCESS. Even IF they enable this on their phone, which they will probably figure out eventually, how are they going to get to YOUR phone??? It will require a physical connection just like Apple TV, which I've hacked extensively.
  • Reply 15 of 15
    fairly Posts: 102 member
    "Should we be worried about this"



    To a certain extent yes. I think it's perfectly OK for security aware people to ask Apple what the F they're doing. Seriously: if you run Unix as root you're not a bit more secure than Windows. Get real.



    If they have something to say then let's hear it. But they need to explain. It's called "full disclosure".



    Apple are going to have to come out and explain. Period. No way I'm taking one of those gizmos until they do.