Posted by Zack | Posted in Consumer Electronics | Posted on 08-11-2011
Tags: Apple, Charlie Miller, iOS, iOS code-signing, iOS cracker, iOS Developer Program, ipad, iPhone, iPod
Apple is cracking the whip: the company has just banned security researcher Charlie Miller from its iOS Developer Program. Miller’s offense? He publicly demonstrated a proof-of-concept attack that lets an App Store app download and execute arbitrary, unsigned code on any iPhone, iPad or iPod Touch running iOS 4.3 or later.
For this, Miller has been suspended from the developer program for one year. In a recent tweet Miller wrote: “First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry.” Apple broke the news to Miller in a letter saying he was being removed from the program for breaking its terms of service.
Before an app reaches the App Store, Apple reviews it. If it is approved, Apple signs the binary, so that the code cannot be altered afterwards and the device only runs what Apple has seen and signed. The flaw Miller found breaks that walled-garden model: a signed, approved app can go on to fetch and run code Apple never reviewed, which is exactly what malware needs.
In the unlisted YouTube video that demonstrates the attack, Miller says: “The flaw I found is in the way that Apple handles code-signing. Code-signing is important because that’s the way that Apple protects you from malware.” Because the video is unlisted, it can only be viewed by someone who already has the link.
To test the vulnerability, Miller wrote Instastock, a stock-ticker app that Apple accepted into the App Store. “It doesn’t do anything weird or funny, it just checks the stocks,” Miller says in the video. At least, that is what it appears to do. Once downloaded from the App Store and run for the first time, the app phoned home to a server under the attacker’s control.
For the test, that server sat in Miller’s home in St. Louis. No malicious code had to be in the app while Apple was reviewing it; the payload was pulled down from the server only after approval. From then on Miller had a remote shell on the device and could issue commands, making the iPhone do anything from listing directories and processes to vibrating or handing the user’s address book to the attacker.
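The two halves of the story above, review-time signing and a payload fetched after approval, as an added example that is not part of the original post and not Miller’s or Apple’s code. It is a toy model in Go: the store signs a bundle it has reviewed, the device loader verifies that signature, and the loader either checks every code load (including code pulled down at runtime) or only the installed bundle. The store key, the bundle names and the payload strings are constructed for the illustration, and the specific gap in iOS’s enforcement that Miller found is not described on this page and is not modelled here; the point shown is only that a signature checked at install time says nothing about code the app executes later unless the loader checks that too.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle stands in for an app's executable pages plus the store's signature.
// (Illustrative model; not Apple's signature format.)
type Bundle struct {
	Name string
	Code []byte
	Sig  []byte // ed25519 signature over digest(Name, Code); nil when unsigned
}

// digest binds the name to the code so a signature cannot be moved between apps.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write(code)
	return h.Sum(nil)
}

// SignBundle models the review-then-sign step: only code the store has seen gets a signature.
func SignBundle(priv ed25519.PrivateKey, name string, code []byte) Bundle {
	return Bundle{Name: name, Code: code, Sig: ed25519.Sign(priv, digest(name, code))}
}

// VerifyBundle is the check a loader must run before mapping code executable.
// ed25519.Verify returns false for a nil or wrong-length signature, so unsigned
// bundles fail here without a separate check.
func VerifyBundle(pub ed25519.PublicKey, b Bundle) error {
	if !ed25519.Verify(pub, digest(b.Name, b.Code), b.Sig) {
		return errors.New("code signature invalid or missing: " + b.Name)
	}
	return nil
}

// Loader models the device runtime. With EnforceAll set, every code load is
// verified, including code the app fetches after install; without it, only the
// installed bundle is checked, which is the gap a post-approval download needs.
type Loader struct {
	pub        ed25519.PublicKey
	EnforceAll bool
	Executed   []string // names of code units that were allowed to run
}

func (l *Loader) Install(b Bundle) error {
	if err := VerifyBundle(l.pub, b); err != nil {
		return err
	}
	l.Executed = append(l.Executed, b.Name)
	return nil
}

// LoadAtRuntime models the app pulling more code from its server after review.
func (l *Loader) LoadAtRuntime(b Bundle) error {
	if l.EnforceAll {
		if err := VerifyBundle(l.pub, b); err != nil {
			return err
		}
	}
	l.Executed = append(l.Executed, b.Name)
	return nil
}

// Outcome summarises the three cases the scenario exercises.
type Outcome struct {
	TamperedRejected  bool // install-time check catches a modified binary
	StrictRanUnsigned bool // strict loader executed the unsigned stage-2 payload
	LaxRanUnsigned    bool // lax loader executed the unsigned stage-2 payload
}

// RunScenario signs a benign bundle, then tries a tampered copy and an unsigned
// runtime payload against both loader policies. All inputs are constructed.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed store key
	if err != nil {
		return Outcome{}, err
	}
	reviewed := SignBundle(priv, "Instastock", []byte("fetch quotes; draw table")) // what review saw
	tampered := reviewed
	tampered.Code = append([]byte{}, reviewed.Code...)
	tampered.Code[0] ^= 0x01 // one byte flipped after signing
	stage2 := Bundle{Name: "stage2", Code: []byte("open reverse shell; read address book")} // never signed

	strict := &Loader{pub: pub, EnforceAll: true}
	lax := &Loader{pub: pub, EnforceAll: false}
	out := Outcome{}

	out.TamperedRejected = strict.Install(tampered) != nil && lax.Install(tampered) != nil
	if err := strict.Install(reviewed); err != nil {
		return out, err
	}
	if err := lax.Install(reviewed); err != nil {
		return out, err
	}
	out.StrictRanUnsigned = strict.LoadAtRuntime(stage2) == nil
	out.LaxRanUnsigned = lax.LoadAtRuntime(stage2) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
	// {TamperedRejected:true StrictRanUnsigned:false LaxRanUnsigned:true}
}
```

Both loaders reject the tampered binary, which is the guarantee the review-and-sign step actually gives. Only the lax loader runs the unsigned stage-2 payload, and the benign bundle it installed earlier is still perfectly valid, so a signature check that stops at install time is no defence against an app that fetches its real behaviour later.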
Miller added: “You can imagine downloading a nice app like Angry Birds, but instead of just being Angry Birds, it actually could download and do anything it wants, and Apple would have no idea that had happened.” Miller had disclosed the code-signing vulnerability to Apple several weeks earlier, but he did not mention the proof-of-concept app he had submitted to the App Store, the same app Apple approved and made available in September.
Miller’s video demonstrating the exploit was also posted in September. Apple apparently did not learn of the proof-of-concept until Monday, the day Miller described the flaw and gave a link to the video to Andy Greenberg at Forbes.com. Within hours of the story hitting the web, Apple cancelled Miller’s iOS developer account.
By day Miller is a principal consultant at the security firm Accuvant, but he is now best known for hacking Apple products. At the Black Hat conference over the summer he showed how to attack Apple laptop batteries by reprogramming their firmware, which would let an attacker brick the battery or potentially use it to serve malware.
Miller isn’t letting the ban faze him: he intends to demonstrate the code-signing attack next week at the SyScan conference in Taiwan and again at the Infiltrate conference in Florida in January. Is Apple’s reaction a bit extreme, especially given that Miller found a serious fault in Apple’s platform and then told the company about it? This writer thinks so, but what do you think? Sound off in the comments.
Source: Information Week – Apple Excommunicates iOS Cracker