Yup. After waiting a day to get the darn thing activated, we found a bug within a few minutes. We are cheating, of course, it's just the same bug we found earlier on Safari. Also, our Bluetooth fuzzer locks up the device, so that's an interesting sign. (As we've said in the past, we'll disclose all our bugs to Apple when they publish acceptable vuln handling guidelines).
The thing that interests us most, though, is that we think the iPhone is inherently more secure than competing smartphones (such as those based on Windows Mobile or Symbian). While Apple is slightly behind Windows on the desktop/server (that Samba bug still appears to be unfixed), it's still light years ahead of the mobile vendors. The mobile market is completely screwed up right now: carriers know about the widespread vulnerabilities in their phones, but they are unwilling to patch them.
Apple is taking a chance. Rather than allowing carriers like at&t/Cingular to control the mobile experience, Apple is controlling the experience through iTunes. Financial analysts on Wall Street are waiting to see whether this strategy will work. Security is an area that can prove Apple right if they respond to security threats better than the carriers do.
We think Apple will win that battle. When we activated the phone, iTunes told us it was going to look for updates on July 5, 2007. That's a good sign. We reported a vuln in another smartphone 6 months ago that still hasn't been patched, mostly because that carrier doesn't want to. If Apple can push a fix for one of our bugs before this carrier fixes their bug, that might convince Wall Street that Apple's strategy is better.
At the same time, Apple is going to have the same problem that Windows has. While they may have better theoretical security, they are going to be a bigger target. Hackers know a lot more about breaking into Mac OS X than they do about competing platforms like Windows Mobile or Symbian. Thus, even though Apple will patch sooner, they'll also have more bugs to patch because of increased hacker interest.
We still have more research to do. There are a bunch of questions we'd like to figure out. These are:
- what ports are listening on the device
- what services will it automatically connect to (looks like it automatically connects to known access points)
- what processor are they running? Samsung? XScale?
- are they running with an MMU?
- is everything running as root?
- how hard is it going to be to get a jtag interface running on that thing?
- can we get a hack going that gives us good access without much knowledge (e.g. a Java for QuickTime bug that would allow us to dump memory contents to the screen)?
- ...and who do we have to sleep with to get our other iPhone activated??