Hack can open up iPhone to push messaging exploit
While a variety of sources have published a story accusing the iPhone 3.0 software of broadcasting instant messages to random iPhones, in reality this exploit affects only users who have hacked their phone and made it vulnerable.
The problem allegedly occurs through AOL Instant Messenger's push feature in phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). However, it is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.
Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.
But without user tampering, the iPhone's security layer actually prevents this sort of incident from happening.
Apple's PNS Security
As AppleInsider exclusively reported back in February, Apple's Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.
In order to secure the delivery of these messages, Apple uses SSL certificates to securely authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates itself a private and public key pair, and uses these to register itself with Apple's PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.
Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft's Windows Messaging popups, none of which included any inherent security in their designs. Apple's security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.
The security layer also prevents malicious users from intercepting messages and it secures users from receiving fake messages to obtain their location or wipe their phone, while enabling users to perform those actions themselves from MobileMe after authenticating. Users don't need to know anything about the underlying certificates used to secure these communications; everything is designed to "just work."
Putting the break in jailbreak
Jailbreaking the iPhone involves working around Apple's security system to enable the device to run unsigned software. The iPhone's applications, just like its PNS communications, are encrypted using security certificates to prevent tampering, spoofing, or spying by malicious third parties.
Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer.
Dev team hackers trying to get jailbroken, alternatively activated phones to work with PNS allegedly made the mistake of adding an existing certificate to "fix" the problem. The hack simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device.
Users who don't jailbreak their iPhone won't experience any problems with messages being broadcast to random other users. But those who tamper with the iPhone's security system will have to figure out how to generate SSL authentication keys appropriately to enable the phone to work with PNS messages correctly.
The problem allegedly occurs through AOL Instant Messenger's push feature in phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). However, it is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.
Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.
But without user tampering, the iPhone's security layer actually prevents this sort of incident from happening.
Apple's PNS Security
As AppleInsider exclusively reported back in February, Apple's Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.
In order to secure the delivery of these messages, Apple uses SSL certificates to securely authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates itself a private and public key pair, and uses these to register itself with Apple's PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.
Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft's Windows Messaging popups, none of which included any inherent security in their designs. Apple's security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.
The security layer also prevents malicious users from intercepting messages and it secures users from receiving fake messages to obtain their location or wipe their phone, while enabling users to perform those actions themselves from MobileMe after authenticating. Users don't need to know anything about the underlying certificates used to secure these communications; everything is designed to "just work."
Putting the break in jailbreak
Jailbreaking the iPhone involves working around Apple's security system to enable the device to run unsigned software. The iPhone's applications, just like its PNS communications, are encrypted using security certificates to prevent tampering, spoofing, or spying by malicious third parties.
Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer.
Dev team hackers trying to get jailbroken, alternatively activated phones to work with PNS allegedly made the mistake of adding an existing certificate to "fix" the problem. The hack simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device.
Users who don't jailbreak their iPhone won't experience any problems with messages being broadcast to random other users. But those who tamper with the iPhone's security system will have to figure out how to generate SSL authentication keys appropriately to enable the phone to work with PNS messages correctly.
Comments
Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.
If I read the article correctly it sounds like users are getting the hackers messages. Ought to make it easy to know who created the cracks.
Pish tosh. We all know hackers don't make mistakes. We have all been told that they simply point out the feeb programmers who made the mistake of not anticipating that someone would do some godforsaken thing to their creation that was neither intended or practical. In related news, it's BMW's fault when someone severs those pesky brand-name control arms, inserts tomato stakes and my car heads off in other directions. Poor planning.
Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.
Only if you mean the hackers know that they are making the phone not be able to communicate with The PNS server, and the people jail breaking their phones don't know it will do it.
The fake certificate it created by the hackers not the people jailbreaking. If you just have to jailbreak, you have to deal with it. Its like buying a Sony Play Station and trying to hack it to play X-box games you already have, then Call Sony to complain about it not working out for you. This is just as nuts.
From a hacker's point of view, this looks like a great way to gain entry into private messages from other folks. Pity the plumber-joes of the world with jailbroken phones that don't know any better to install some app designed by these monkeys to get their accounts compromised.
And yet they somehow expect Apple to support their phone??
Jailbreaking is not the issue here, it's what people do with it. Simply jailbreaking the phone is not a guarantee to break the PNS.
I believe that there's a certain level of uncertainty in jailbreaking the phone (i.e. not knowing which software modifications were done) but that should not translate to: do not jailbreak otherwise you will break PNS.
Funny how that all of the reports surrounding the PNS relate to the AIM application, but not the various Twitter apps that support push, Beejive, or any of the others?
How's this? Instead of blaming Apple or people who have jailbroken their phones, I blame AOL.
The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones.
When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes.
FUD, this is your article.
WTF? Who has writed this piece of crap?
The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones.
When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes.
FUD, this is your article.
Amen. People seem to be confusing jailbreaking with jailbreaking + hacktivating
It's getting spooky around here- I'm out!
Apple has made the consequences clear, ignore the idiots who jailbreak and expect support. It should be legal.
Also, this article was a bit misleading. you should update the info AI to explicitely state what is causing this and not just point a finger at jailbreaking as if it's all bad.
I'm sure sooner or later, EU will step in with some stupid requests.
Why should this hurt the EFF case? Jailbreaking should be totally ok. If you want to void the warranty and support for your device and use it how you please, you should be able to.
Except your already able to jailbreak the iPhone. Apple has shown no interest in suing jailbreakers. EFF is simply forcing Apple's hand, so hopefully the EFF's case will be thrown out.
The EFF is not a legitimate authority, just today they derided Apple for patching a hole that allowed third party devices to sync with iTunes by masquerading as iPods.
This article is biased. ... Jailbreaking is not the issue here, it's what people do with it. Simply jailbreaking the phone is not a guarantee to break the PNS. ... I believe that there's a certain level of uncertainty in jailbreaking the phone (i.e. not knowing which software modifications were done) but that should not translate to: do not jailbreak otherwise you will break PNS. ...
WTF? Who has writed this piece of crap? ... The problem is not with jailbroken iPhones, the problem is with hacktivated iPhones. ... When jou jailbreak your unlocked iPhone or you jailbreak a legally activated iPhone you don't need to use fake certificates, you use you real certificate in iTunes. ....
The article explicitly states the opposite of what both of you are stating here.
Since the article has lots of stuff to back it up and since your comments basically amount to "no way!" I'll take what the article says first until you guys come up with an actual argument to the contrary.
If you don't think Jailbreaking necessitates breaking the PNS, why not explain how you know that instead of just saying "does not!"
The article explicitly states the opposite of what both of you are stating here.
Since the article has lots of stuff to back it up and since your comments basically amount to "no way!" I'll take what the article says first until you guys come up with an actual argument to the contrary.
If you don't think Jailbreaking necessitates breaking the PNS, why not explain how you know that instead of just saying "does not!"
I have explained, perhaps you have missed it.
You need a fake certificate only to activate an iPhone in a carrier in which it can't be activated.
If you jailbreak a legally activated iPhone you actually are using your original certificate created when you activated it through iTunes
When you buy a new Mac, and enter your name as "John Smith" the setup assistant names your computer "John Smith's iMac" and then broadcasts that name on WiFi for all and sundry. Apple have never paid much attention to privacy.
Advertising available services on your local network when you TURN ON SHARING is not a privacy issue.
What's interesting is how in a relatively isolated community like AppleInsider these editorials and the respondents, who seem to only get their information from Apple fan sites, create a sort of feedback loop of misinformation. If you always preach to the choir or are a member of the choir, pretty soon any information from the real world looks so bizarre and out of place that you can justify any crazy position, such as "those evil EFF scum, how dare they question our sainted Apple!"
If I read the article correctly it sounds like users are getting the hackers messages. Ought to make it easy to know who created the cracks.
Everyone already knows who the hackers are. One of them is a 16 year old kid who wrote the 3gs jailbreak mentioned. They are just paying homage to SJ who used to hack in his garage and turned his hobby into a business