Sunday, July 01, 2007

Our first iPhone bugs

Yup. After waiting a day to get the darn thing activated, we found a bug within a few minutes. We are cheating, of course: it's just the same bug we found earlier in Safari. Also, our Bluetooth fuzzer locks up the device, so that's an interesting sign. (As we've said in the past, we'll disclose all our bugs to Apple when they publish acceptable vuln handling guidelines.)

What interests us most, though, is that we think the iPhone is inherently more secure than competing smartphones (such as those based on Windows Mobile or Symbian). While Apple is slightly behind Windows on the desktop/server (that Samba bug still appears to be unfixed), it's still light years ahead of the mobile vendors. The mobile market is completely screwed up right now: the carriers know about the widespread vulnerabilities in their phones, but they are unwilling to patch them.

Apple is taking a chance. Rather than allowing carriers like at&t/Cingular to control the mobile experience, Apple is controlling the experience through iTunes. Financial analysts on Wall Street are waiting to see whether this strategy will work. Security is an area that can prove Apple right, if they respond to security threats better than the carriers do.

We think Apple will win that battle. When we activated the phone, iTunes told us it was going to look for updates on July 5, 2007. That's a good sign. We reported a vuln in another smartphone six months ago that still hasn't been patched, mostly because that carrier doesn't want to. If Apple can push a fix for one of our bugs before that carrier fixes theirs, it might convince Wall Street that Apple's strategy is better.

At the same time, Apple is going to have the same problem Windows has. While it may have better theoretical security, it is going to be a bigger target. Hackers know a lot more about breaking into Mac OS X than they do about competing platforms like Windows Mobile or Symbian. Thus, even though Apple will patch sooner, it will also have more bugs to patch because of increased hacker interest.

We still have more research to do. There are a bunch of questions we'd like to figure out:

- what ports are listening on the device
- what services will it automatically connect to (looks like it automatically connects to known access points)
- what processor are they running? Samsung? XScale?
- are they running with an MMU?
- is everything running as root?
- how hard is it going to be to get a jtag interface running on that thing?
- can we get a hack going that gives us good access without much knowledge (e.g. a Java for QuickTime bug that would allow us to dump memory contents to the screen)?

- ...and who do we have to sleep with to get our other iPhone activated??
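Two of the questions above (which ports are listening, and whether everything runs as root) can be answered from plain `netstat -an` and `ps -ef` output once you have a shell on the device. The script below is an added example, not code from the original post: it parses constructed sample output in the BSD-style column layout that Darwin's netstat and ps produce, and the function names, sample services and sample port numbers are assumptions made up for illustration. On a real device you would pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of two of
# the research questions from a Unix-like handset shell.
#   listening_ports        -> which TCP ports are in LISTEN state
#   root_process_count     -> how many processes run as UID 0
#   nonroot_process_count  -> how many do not
# The two samples below are CONSTRUCTED for illustration; service names and
# port numbers are placeholders, not observations from a real device.

# Constructed sample of `netstat -an` (BSD-style: local address is host.port).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0  10.0.0.5.49201         10.0.0.1.443           ESTABLISHED
udp4       0      0  *.5353                 *.*'

# Constructed sample of `ps -ef` (UID is the first column).
SAMPLE_PS='  UID   PID  PPID   C STIME   TTY           TIME CMD
    0     1     0   0  9:00AM ??         0:00.10 /sbin/launchd
    0    42     1   0  9:00AM ??         0:01.20 /usr/sbin/exampled
    0    57     1   0  9:00AM ??         0:00.05 /usr/sbin/btservice
  501   102     1   0  9:01AM ??         0:02.00 /Applications/Browser.app/Browser
    0   120     1   0  9:01AM ??         0:00.30 /usr/libexec/reporter'

# listening_ports: read netstat -an text on stdin, print the port number of
# every TCP socket in LISTEN state, one per line, numerically sorted, unique.
# The port is the text after the last "." of the local-address column.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")
            print a[n]
         }' | sort -n | uniq
}

# root_process_count: read ps -ef text on stdin, skip the header line,
# count rows whose UID column is 0.
root_process_count() {
    awk 'NR > 1 && $1 == 0 { c++ } END { print c + 0 }'
}

# nonroot_process_count: same, but count rows whose UID is not 0.
nonroot_process_count() {
    awk 'NR > 1 && $1 != 0 { c++ } END { print c + 0 }'
}

# Stand-alone run over the constructed samples.
echo "Listening TCP ports:"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
echo "Processes as root:     $(printf '%s\n' "$SAMPLE_PS" | root_process_count)"
echo "Processes not as root: $(printf '%s\n' "$SAMPLE_PS" | nonroot_process_count)"
```

A root count equal to the total process count, with the browser included, is the answer to the "is everything running as root?" question; any LISTEN entry bound to `*` rather than `127.0.0.1` is reachable from the network side and is where a fuzzer would be pointed next.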


bw said...

From an Engadget comment, it looks like Seth Fogie was able to get some passwords:

Loaded 2 password hashes with 2 different salts (Traditional DES [32/32 BS])
alpine (mobile)
dottie (root)

KiltBear said...

Just FYI, it seems my Jawbone BT headset hoses my connection to AT&T, so don't get too excited. ;)

Unknown said...

From that same Engadget post, it looks like it's an ARM processor.

Unknown said...

Hi all,

Today I found another great post about the iPhone on this forum:

Security CENTRAL Forum

Basseq said...

The processor is a 620 MHz ARM.


cranky investor said...

I'm not a techie, but I have to report that the iPhone has conditions when it picks up weird "eruptions" on the browser. I also notice that the browser seems to screw up many of the cookies.

Amy-Elizabeth said...

Well, overall, not the reaming that I was expecting. I'm glad to see that you're happy with the iPhone. I'm not sure who you've got to sleep with, but I am certain that it is not me.
