justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
| iphone OS userspace apps run as root
»rixstep.com/2/1/20070703,00.shtml
I bet this potential issue gains traction & speculation over the next few weeks. There haven't been any mac OSX viruses that spread from mac to mac (via email or apple listening ports) that I know of, but if you imagine all the iphones as little macs (no need to imagine, that is what they are) and if they can reach each other "somehow" (poisoned mail messages, or corrupted itunes installs, appear to me to be more likely than open ports) .. then there is fertile ground for an "iphone virus". |
|
nil
Java Geek
join:2000-11-27 | Yikes.. that's dumb. |
|
hpguru
Curb Your Dogma
Premium
join:2002-04-12 | reply to justin
I'm glad I decided to wait on the next generation iphone. |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:   | reply to justin
Come on, guys, brighten up! It just means Apple can migrate to Linspire... oops did I say that out loud?
--
UbuntuForums Administrator: try Ubuntu Linux |
|
EGeezer
Summertime -
Premium
join:2002-08-04
Country!
 ·Callcentric
 ·RoadRunner Cable
·AT&T CallVantage
| reply to justin
Well, the deafening silence when one mentions mobile device security is a bit distressing. Only when there is a big, ugly and public exploit will there be a drive to retrofit security. Right now it's a few enterprise ITSEC people who are essentially voices in the desert.
In the meantime, the industry and users will continue on fat, dumb and happy with their cool new phones that they've loaded with sensitive information.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.
|
|
Epyon9283
Premium
join:2001-12-26
Dayton, NJ | reply to justin
Do any other operating systems on mobile phones have concepts of file and user permissions? |
|
justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
| said by Epyon9283  :Do any other operating systems on mobile phones have concepts of file and user permissions? well I don't know how you can have a smart phone without a filesystem, so thats files. As for permissions, since this phone is OSX it is commonly understood that the standard way for the OS to insulate itself from exploitable crashes by common applications is to have them run under their own permission level so that they have no simple way to modify OS files.
Which is why a Mac running OSX needs the administrator password to be provided for patches and so on.
Windows never defaulted to this setup out of the box which is why any windows program appears to be able to write DLLs to any system directory without requesting the administrator password, and probably 99% of the windows users out there run "with full administrative rights".
So if the iphone has no higher level hypervisor built-in, that is watching and blocking key file changes within the OS & if it is true that everything on the iphone runs as uid 0, the iphone is less secure than any standard OSX Mac. If someone finds the right kind of crash in the browser, mail or SMS client then crafting the right web page, mail message or SMS message could install a program that looks for more iphones and we have the first widespread iphone virus.
One would have thought they'd have designed the iphone to be MORE secure than a Mac, first because it is likely to keep the AT&T lock-in alive in the marketplace for longer, and to keep buggy and destabilizing 3rd party applications from being offered all over the net, and second because the iphone, portable as it is from wifi network to wifi network, is potentially more exposed to network risks than a standard home Mac sitting happily behind a secured nat router. I take my evil iphone into a large wifi cafe or airport hotspot and the probabilities are (or will be shortly) that there is another iphone user on 192.168.1.something .. |
|
hirschbuhl
join:1999-11-07
Jacksonville, FL | reply to justin
Couldn't you put the iphone in a Zip-Loc bag until the virus has run it's course? |
|
Khaine
join:2003-03-03
Australia | reply to justin
Well this is apple, the company whose products "just work". I mean look at appletalk, sure you didn't need to configure addresses for any computers in your network, but they were very chatty, and susceptible to many forms of attack. |
|
dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| reply to Epyon9283
said by Epyon9283 :Do any other operating systems on mobile phones have concepts of file and user permissions? I think Windows CE does not.
(To comment on Justin's interpretation of the question: yes, Windows CE has a file system. No, Windows CE does not have file permissions. As far as I know.) |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| said by dave :(To comment on Justin's interpretation of the question: yes, Windows CE has a file system. No, Windows CE does not have file permissions. As far as I know.) That's correct -- but a lot of the programs people install on mobile phones come in the form of J2ME MIDlets, which do have some form of permissions/sandboxing system.
--
UbuntuForums Administrator: try Ubuntu Linux |
|
justin
Australian
join:1999-05-28
Brooklyn, NY | Yes I think thats the difference. If iPhone can limit optional programs to sandboxed browser plugins, java applets and flash, then it is probably not much less safe than a windows CE smartphone. |
|
orph4824
I Ate What??
join:2001-04-26
Greeneville, TN
| reply to hirschbuhl
said by hirschbuhl :Couldn't you put the iphone in a Zip-Loc bag until the virus has run it's course? As long as you wrap the iPhone in tinfoil(hmmm tinfoils hats for phones who'da guessed) before placeing it into the condom(plastic bag) 
--
Life's 3 rules: 1. Stuff happens 2. Stuff happens on a regular basis 3. Better get used to the first two... (not the actual saying but you get the drift) |
|
zteardrop
join:2005-12-20
Brooklyn, NY
| reply to justin
said by justin :» rixstep.com/2/1/20070703,00.shtmlI bet this potential issue gains traction & speculation over the next few weeks. There haven't been any mac OSX viruses that spread from mac to mac (via email or apple listening ports) that I know of, but if you imagine all the iphones as little macs (no need to imagine, that is what they are) and if they can reach each other "somehow" (poisoned mail messages, or corrupted itunes installs, appear to me to be more likely than open ports) .. then there is fertile ground for an "iphone virus". Wait, but its an Apple. Apples dont get infected  |
|
justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
| reply to justin
»www.securityevaluators.com/iphone/
That didn't take long. As a result of the setup detailed by my link at the top of this article, this group found an apple application crash, triggerable by any web page hosting the exploit, that lets them into the entire device. |
|
EGeezer
Summertime -
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| This makes me wonder if a pwn3d iPhone could be used as an attack vector to Macs, Win machines or networks.
With the potential money to be made in commercial hacking, developers must be digging into the possibilities of scraping information from iPhones connected to devices or networks when they're syncing or storing to/from them.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.
|
|
justin
Australian
join:1999-05-28
Brooklyn, NY | It depends how much control of the phone side some "root" code on the iPhone has. How about an iPhone virus that quietly called one of those charge-per-minute numbers and ran up huge bills for the benefit of the ultimate owner of the number? |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| said by justin :It depends how much control of the phone side some "root" code on the iPhone has. How about an iPhone virus that quietly called one of those charge-per-minute numbers and ran up huge bills for the benefit of the ultimate owner of the number? I'm guessing root has full access to the iPhone's radio, the calling API, and anything else that has to do with the phone, including swapping out the radio drivers for one that can do eavesdropping.
It really shocks me that they don't use some sort of sandbox/jail/partitioner for code that has to run on the iPhone. Heck even the OLPC sandboxes every app that runs on it, and it doesn't nearly have the same security ramifications if something goes wrong..
Is this a case of lazy developers, or limiting hardware?
--
UbuntuForums Administrator: try Ubuntu Linux |
|
norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband
| You forgot the "sales, profit margins, share holders gains" off the point you made.
----------------------------
They obviously are ingoring some basic principles.
My mobile phone is for phone calls, my computer is for the internet, but then I'm not a businessman with needs at the touch of a button, nor the cofidential data at risk.
Sorry state of affairs. 
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
|
