The Last Watchdog

on Internet security by Byron Acohido

Will Apple’s patch be in time to stem iPhone, iPad malicious attacks?

Posted on August 7, 2010

LastWatchdog has confirmed that Apple has now completed a patch for a milestone security flaw that makes it possible to remotely hack — or jailbreak — iOS, the operating system for iPhones, iPads and iPod Touch.

But company spokeswoman Natalie Kerris told LW late Friday that she could give no hints about when the patch would go into wide public release.

“With regard to what you’re asking about, we’re aware of this reported issue,” said Kerris. “We’ve already developed a fix, and it will be available to customers in an upcoming software update.”

This week or a few weeks? asked LW.

“I don’t have a specific time frame,” Kerris said. “It will be in an upcoming software update.”

What about wider concerns that this vulnerability opens up a new attack vector?

“If you’re talking in general about jailbreaking, with regard to jailbreaking Apple’s goal has always been to ensure that our customers have a great experience with their iPhones, and jailbreaking can seriously degrade that experience,” said Kerris. “The vast majority of customers do not jailbreak their iPhones. This can violate the warranty, and can cause iPhone to become unstable and not work reliably.”

Apple’s conundrum

While publicly saying very little of substance, it’s clear Apple is wrestling with a difficult security conundrum. The company is suddenly facing the big, nasty elephant Microsoft has somewhat tamed over the past decade — and Adobe has been forced to come to grips with over the past several months: resolving zero-day vulnerabilities before the bad guys can swoop in and take advantage.

Apple may have a patch ready, but that’s just half the ball game. The company must coordinate patching with AT&T in the United States and more than a dozen other mobile phone service carriers worldwide. That’s not easy, says John Hering, CEO of mobile security firm Lookout.

And Apple’s risk assessment and product liability experts ought to be taking a long, hard look at whether the company’s current protocols for pushing out security patches to iPhone, iPad and iPod users need a major overhaul. At present, iPad and iPhone users must not only be aware that a security patch is available, they must also manually install the patch via iTunes, says Hering.

That’s a far cry from how Microsoft’s finely-tuned Windows Auto Update service pushes out patches for fresh zero-day flaws quickly to most consumers. And Adobe has done much to streamline its patch issuing methodology in recent months. Now it’s Apple’s turn.

“We’re in a cat-and-mouse game with openness and security at odds, and consumers stuck right in the middle,” says Hering.

Brand new game

Jailbreaking refers to hacking iOS to download Web apps not approved by Apple. This used to be difficult.

And anyone who did so to his or her iPhone risked Apple shutting down service, or “bricking” the device. This spring a website came along called jailbreakme.com that made it trivial to jailbreak your own iPhone or iPad. Next, the Electronic Frontier Foundation won a federal ruling effectively banning Apple from bricking jailbroken iPhones.

Then last week, a technique for remote jailbreaking appeared on jailbreakme.com. It is now possible to access the operating system of an iPhone or iPad owned by someone else. An attacker would get “fairly complete control of affected devices,” says Michael Price, McAfee Labs’ senior operations manager, Latin America. No such attacks are known to have happened yet, he says.

For the moment, the most visible concern for Apple has been pranksters going into Apple and Best Buy retail stores and jailbreaking floor display models, according to tech blog Engadget. Yet the security and privacy concerns are acute. And the stakes are elevated because iPhones and iPads have come into high profile use in companies and organizations.

Security experts expect the pattern that has come to dominate the PC world to begin to permeate smartphones. Bad guys continually flush out new security flaws in PCs, then tap into them to launch malicious attacks. Good guys, meanwhile, scramble to patch and block.

Now cybercriminals are rapidly adapting PC hacking techniques to all smartphone platforms, including Symbian, Google Android, Windows Mobile, RIM BlackBerry and Apple.

“It’s a brand new game with new rules,” says Dror Shalev, chief technology officer of DroidSecurity, which supplies protection for Google Android phones. “We’re seeing rapid growth in threats as a side effect of the mobile Web app revolution.”

Shalev agrees with LastWatchdog that iOS is starting off intrinsically more locked down than Windows was 10 or 15 years ago. “Security has come a long way,” says Shalev. “Yet there are many more potential security and privacy threats with the growing use of GPS, cameras and microphones.”

Apple’s singular exposure

iPhones, in particular, have become a pop culture icon in the U.S., and now the iPad has grabbed the spotlight.

“The more popular these devices become, the more likely they are to get the attention of attackers,” says Joshua Talbot, intelligence manager at Symantec Security Response. “Once a device is jailbroken, attackers may try to target these devices by attempting to trick users into installing malicious software. Additionally, attackers may target the software installed after a phone has been jailbroken.”

Talbot says infected iPhones could be used to record phone calls, text messages, emails, and track the location via GPS. Or an attacker could profit by dialing premium rate numbers or purchasing costly apps, in which the attacker has an interest. “Any data stored or entered into the phone could also be stolen,” he says. “This could be sensitive documents, voicemail passwords, passwords to websites such as email and trading sites, etc.”

Apple’s exposure is singular. The company has made a big deal about hiding technical details of iOS, allowing only approved Web apps to tie in. This tight control initially made it easier to keep iOS secure. But now Apple may have to share iOS coding with antivirus firms, says Sorin Mustaca, development manager for antivirus firm Avira.

Windows, Google, Nokia and RIM share such coding to help antivirus firms develop protections. “Apple does not allow this, making it challenging for antivirus vendors to create third-party protection for iPhones and iPads,” says Mustaca.

Leveraging opportunity

Pressure is building. Mikko Hypponen, senior researcher at antivirus firm F-Secure, says hackers are likely working on a worm to take control of jailbroken iPads and iPhones.

“My guess is we’ll see it within a week,” says Hypponen. “There’s very little users can do to protect themselves beforehand.”

The Jailbreakme site exploits two distinct iOS vulnerabilities to pull off the hack. The first exploits a bug in Apple software that parses fonts in PDF files. That allows hackers to inject code of their choosing into the document-viewing app. A second bug allows them to break out of a security sandbox built into the devices, so the injected code can gain root-level access to the device.
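Because the first stage of the chain described above lives in the font parser that a PDF viewer runs over attacker-supplied data, one thing a defender can do while a patch is pending is triage inbound PDFs for embedded font programs before they reach a vulnerable viewer. The following scanner is an added example written for this article; it is not Apple's code, Jailbreakme's code, or a signature for the specific bug. It scans raw bytes for the FontDescriptor keys that reference embedded font programs (/FontFile, /FontFile2, /FontFile3) and also flags compressed object streams, because a raw scan cannot see dictionaries stored inside them. The sample PDF bytes are constructed for the example, not taken from any real exploit file.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Keys that reference an embedded font program in a PDF FontDescriptor dictionary:
#   /FontFile  -> Type 1 font program
#   /FontFile2 -> TrueType font program
#   /FontFile3 -> other formats; the stream's /Subtype names it (Type1C, CIDFontType0C, OpenType)
FONTFILE_RE = re.compile(rb"/FontFile([23])?(?![0-9A-Za-z])")
FONT3_SUBTYPE_RE = re.compile(rb"/Subtype\s*/(Type1C|CIDFontType0C|OpenType)\b")
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")
FLATE_RE = re.compile(rb"/FlateDecode\b")


@dataclass
class PdfTriage:
    is_pdf: bool = False
    font_files: Dict[str, int] = field(default_factory=dict)  # "FontFile", "FontFile2", "FontFile3" -> count
    font3_subtypes: List[str] = field(default_factory=list)   # formats declared for /FontFile3 streams
    object_streams: int = 0                                   # /ObjStm dictionaries seen
    flate_streams: int = 0                                    # /FlateDecode filters seen
    findings: List[str] = field(default_factory=list)         # human-readable triage notes


def triage_pdf(data: bytes) -> PdfTriage:
    """Raw-byte scan of a PDF for embedded font programs and for signs the raw scan is incomplete."""
    t = PdfTriage(is_pdf=data.startswith(b"%PDF-"))
    if not t.is_pdf:
        t.findings.append("not a PDF header; nothing to triage")
        return t

    for m in FONTFILE_RE.finditer(data):
        key = "FontFile" + (m.group(1) or b"").decode()
        t.font_files[key] = t.font_files.get(key, 0) + 1
    t.font3_subtypes = [m.group(1).decode() for m in FONT3_SUBTYPE_RE.finditer(data)]
    t.object_streams = len(OBJSTM_RE.findall(data))
    t.flate_streams = len(FLATE_RE.findall(data))

    total_fonts = sum(t.font_files.values())
    if total_fonts:
        t.findings.append(
            f"{total_fonts} embedded font program(s) {t.font_files}: the viewer's font parser "
            "will run on untrusted data; open in a sandboxed viewer or hold for review"
        )
    if t.object_streams and t.flate_streams:
        # Object streams hold whole dictionaries inside a compressed stream, so a raw scan
        # can miss a FontDescriptor entirely; "no fonts found" is not trustworthy here.
        t.findings.append(
            f"{t.object_streams} compressed object stream(s): dictionaries may be hidden; "
            "raw scan is inconclusive, decompress before clearing"
        )
    if not t.findings:
        t.findings.append("no embedded fonts or object streams found in raw scan")
    return t


# Constructed sample (assumption: a minimal, non-rendering PDF skeleton is enough to exercise the scanner).
# It declares one TrueType font (/FontFile2), one CFF font (/FontFile3 with /Subtype /Type1C)
# and one compressed object stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Type /FontDescriptor /FontName /ABCDEF+Foo /FontFile2 6 0 R >> endobj\n"
    b"6 0 obj << /Length 0 /Filter /FlateDecode >> stream\nendstream endobj\n"
    b"7 0 obj << /Type /FontDescriptor /FontName /GHIJKL+Bar /FontFile3 8 0 R >> endobj\n"
    b"8 0 obj << /Length 0 /Subtype /Type1C /Filter /FlateDecode >> stream\nendstream endobj\n"
    b"9 0 obj << /Type /ObjStm /N 3 /First 20 /Filter /FlateDecode >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    for line in result.findings:
        print("-", line)
```

The scanner is a gateway heuristic, not a verdict: many legitimate PDFs embed fonts, so the useful policy is to route flagged files to a sandboxed or already-patched viewer rather than to block them, and to treat a clean raw scan as inconclusive whenever object streams are present.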

Even after Apple issues the patch, whenever that turns out to be, it could take weeks or months for most iPads and iPhones to get manually patched. During that gap, McAfee’s Price says there is little hindering opportunistic cyber gangs from launching campaigns to corrupt unpatched iPads and iPhones on a wide scale.

“This type of incident, in which the mobile phone operating system is subject to malware, demonstrates why it’s safer to have a completely separate inner chip with its own operating software and hardware to protect both subscriber and carrier sensitive data,” says Jean-Louis Carrara, vice president for digital security company Gemalto. “This can be done with a UICC, a newer version of the Subscriber Identity Module (SIM card) already found in about half of U.S. mobile phones. The UICC can provide advanced security features and act as a secure storage repository of sensitive personal and financial information that is impervious to malware.”

By Byron Acohido
