Tiny Deathstars of Foulness

I almost called this article “Aliens Can Listen To Calls on Your iPhone” or “How To Hack Into Every iPhone Ever (Even When They’re Powered Off)”. But then I thought that maybe it would be a bit too much. I’ve been a little melodramatic at times, but that’s when I was younger and needed the rupees. But TechTarget isn’t young (although I don’t know if they need the rupees). I’d like to point out two recent articles of theirs:

I remember reading an article awhile back claiming that the first virus for the iPhone had hit. This was a pretty big site (not TechTarget btw), but they had jumped on Apple and jumped quick, for a lack of good security on the iOS platform. Why? Because Apple’s huge, popular and a frickin’ easy target. But every security researcher knows that if they can hack an iPad or an iPhone that they’re going to be famous. Still, only one has managed to do anything remotely close to cool and you had to download his app, which got him banned, for the “exploit” to work (the “exploit” was actually javascript taxies). Security researchers do most everything they do for fame. Therefore, if there were going to be serious flaws with iOS, they’d have come up by now.

Let’s look at these headlines and vs the content of the articles. The first, Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say. The title isn’t actually that bad, (although I don’t know that the IT Pros quoted are worthy of punditry). It’s the headers within the article that set me off a little. “A false sense of iOS security” was the first: Here they said that iOS users are going to run something if it comes out because there haven’t been any vulnerabilities to iOS. Counter argument would be that since a vulnerability *will* (or would) be on CNN, MSNBC, NPR, every web site, every magazine and possibly a PSA on flights, I think they’ll figure it out pretty quick… The next header, “Responding to iOS security attacks” goes on to explain that (to summarize) iOS virus protection blows. OK, we should develop more FUD-based apps to check for viruses of data that those apps would actually have no access to due to sandbox controls.

The next header, “Entry points for iOS security attacks” tells us that someone will exploit HTML5 or post an app with a Trojan or Logic Bomb on the App Store in order to destroy your iPhone as if it were a planet slated for demolition. Each app can only communicate with resources outside of that app using an API Apple allows, an API that doesn’t cause combustion of the phone. If the app goes through the app store then that has to be a public, not private API. It is possible that someone could run a fuzzer against every possible variable exposed by every possible method and come up with a way to do something interesting, like cause the phone to reboot. But that kind of thing is going to be true of every platform and isn’t worthy of the pretense that it’s security consulting. I can dig on the possibility of that kind of vulnerability, but the author then indicates that Apple’s security is 7th worse in the IT industry with a 12% growth in vulnerabilities. Thus an insinuation that people are actually exploiting holes in iOS rather than Google monitoring iPhone user data a bit more than they should…

The second headline is much better though: How an iOS virus can infect the enterprise and what to do about it. Reading it, my first impression was that there was an iOS virus; you know, one written for iOS. But no, they’re talking about a virus that someone sends through your corporate Exchange server that is then copied to your Windows XP computer through the magical XP Virus Stream (like Photo Stream but more specific features for XP) and executes the virus that wipes your computer. I like it. I can dig that virus, but regrettably that virus doesn’t exist. And apparently no good anti-virus exists, according to the article. Why not? Because Apple has overly secured the OS and anti-virus has to be invoked manually.

Over-security is what makes iOS so great for phones. I’m one of those people that likes to hack stuff. And iOS isn’t for hacking around in unless you have jailbroken the device. That’s why my phone always works and I’m able to actually get stuff done on a consistent basis. There are certainly things Apple could do better. But iOS security is a hard one to point the finger at. I would like to see security researchers more warmly welcomed and for the Apple community to see those researchers as people who are building a stronger product rather than the enemy. I would like to see some technical features added or centralized control over features added.

It isn’t just Apple. It’s any company big enough to care about. The tech sites are mostly what I look at, and every time there’s something they think they can hop on with Google or any of the other big names in the tech industry they hop right on that to drive readers, whether well founded or not. Not all tech sites/magazines mind you, just some. And when the company is famous enough (Google, Apple, Microsoft) for mainstream media to care about, all the better…

At the end of the day though, the way to get action is to file a feature request with vendors, not to make up crazy headlines aimed at selling FUD as a means of getting someone to go to your website…

February 18th, 2012

Posted In: cloud, iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, sites, Social Networking

Tags: , , , ,

Sorry, I can’t help it. That whole “iPhone Security Problems” thread I’ve seen on a few sites recently due to that worm. Oh, then there was a second worm that did the same thing. Really? Did these awesome security gurus realize that the device has to be jailbroken? Oh and they have to still have the default password used for SSH? I would hope that if you know enough to jailbreak the device without bricking it that you know enough to change the default SSH password.

Interestingly enough though, an estimated 6 to 8 percent of iPhones are jail-broken… If there have been 21 million sold, that provides an attack surface of around a 1.2 million if you just target jail-broken phones. A PC needs to be running on the same network infected with a totally different worm that tries to log into the phone and steal things. By the way, here’s a huge new security vulnerability I should write – if you leave your LinkSys with the default password AND you allow administration over the WAN then someone can break in over the WAN and mess it up… Of course, in that case you should maybe be with the LinkSys (although the power adapter might cause more damage in terms of hit points), but for some reason people aren’t being beaten over the head with an iPhone but instead so-called security experts find spreading FUD is far more helpful than doing something for a living, like real research.

I just have to reiterate this. There’s a worm out there that scans a subnet and attempts a specific SSH user name and password, if it works then it tries to steal some data, or in a different variant just Rick Rolls ya’. Somehow the fact that in order to put an SSH server on the subnet in the first place you had to void a warranty and forklift SSH onto a device, which took great pains to do, and subsequently forgot to change the password for that SSH server means nothing; nor does the fact that you also need a frickin’ Windows computer to carry the worm to you that’s also infected. Crap, just crap.

November 25th, 2009

Posted In: iPhone

Tags: , , , ,