Jay Rodriguez Online Tips, tricks and Inspiration.

iPhone Browser Hacked by Veteran Hacker

August 20, 2007 – 12:33 pm | by J. Rodriguez

Charlie Miller is a veteran hacker at Independent Security Evaluators who turned his attention to the hottest product of the moment: the Apple iPhone. Last month, Miller disclosed he had found a way to hack the Safari Web browser on the iPhone in a way that allowed him to extract a user’s personal information from the music-cell phone hybrid.

Apple spokeswoman Natalie Kerris told the Mercury News that the company issued a fix to deal with the iPhone hack on July 31 and credited ISE for bringing the flaw to the company’s attention.

She also said Apple takes security very seriously and responds quickly to such threats. There have been no published reports of widespread attacks. Kerris said she was not aware of any users having problems because of attacks, and declined to answer all of Miller’s assertions about Apple point by point.

In an interview, Miller talked about the process of finding bugs and a subject of constant wrangling in the industry: how to responsibly disclose vulnerabilities found in devices used by millions of people.

Q Can you tell me about the sequence of events of how you disclosed the iPhone bug to Apple?

A At that point, we hadn’t quite finished all of our research. But we knew there was definitely a problem. I sent Apple an e-mail. They have a particular address that you’re supposed to use to report a bug. I sent them all of our technical details. I sent them a patch they could use to fix it.

I was already scheduled to talk (on Aug. 2) about the Mac OS at the Black Hat conference in Las Vegas. I also told them that I was going to talk about the iPhone bug and release the details on that day. I said please have a patch ready before then. I said I would like to work with you on this. That was it. They had two to three weeks to work on it. They got it done a couple of days before the conference. They did ask me to postpone. I told them sorry, I couldn’t move the time of the talk.

Q So you finished (the iPhone hack) shortly after you told them?

A About two days after I sent it to them. I finished it on a Wednesday and talked to a reporter on a Friday and the article came out on a Monday. So they had about five days’ head start on the rest of the world.

Q That was a reasonable amount of time?

A I thought so. They got it done.

Q And you gave them a fix?

A Yeah. The software patch had worked for the Mac OS, which is used in the iPhone. The usual complaint is we don’t have time to test it. So I said here is a patch and I know it’s been tested for a year. I thought it was plenty of time for them to do it.

Q You err toward responsible disclosure on hacking instead of immediate and full disclosure?

A Yeah. What we did was ideal. The weakest link in responsible disclosure is you give the company the information. They have the option to sit on it for a very long time. During that time, of course, everyone is at risk. By giving them a deadline, we forced them to act a lot faster than they would have liked to. That is good for the users. Maybe it cost Apple more. I don’t feel sorry for them. It’s not like I put the bug in their code. It was their bug.

Q Can you describe the steps involved (in the hack)?

A A program that is well designed should be able to handle any inputs that come into it. . . . With this Safari Web browser program, if you sent it invalid inputs, it didn’t reject it. . . . It wound up crashing and falling all over itself. The result is that by carefully choosing input, you can actually take control of the whole process. That’s exactly what we did.

Q You could pretend to direct people to a Web site where you could take control of the iPhone?

A Right. So what we did with this hack was if you went to a Web site with this bad data it couldn’t handle, the bad data would go into the phone. It would grab a bunch of files with your call history, your voice mail, your text messages, your e-mails, and take all of that information. It would make a second connection and pass all of that information out to us.

Q You had a big head start on exploiting this vulnerability because it was the same thing that was flawed in the Mac OS and Safari Web browser for the Mac?

A Right. In theory, it’s not a bad idea (that) it uses the same operating system. It is tested and runs well. But for me, it was easier than attacking another phone because I already knew the Mac.

Q How old is that vulnerability? Is it something Apple knew but neglected to fix?

A I don’t know what Apple knew. They had code from an open-source library that they hadn’t updated. The open-source library people had updated a year ago. I can’t speculate on why Apple didn’t update it. The fact is they should have and if they had, this wouldn’t have happened.

Q What is your prediction for future iPhone hacks?

A I think there will be more. I like to say there are two problems. One was the vulnerability we found. Another was a deeper issue with the way they designed the iPhone. Any problem you find in Safari leads to a full iPhone compromise. Safari should not be able to dial the phone or read e-mails.

Source: Contra Costa Times
