Exclusive Interview: Hacking The iPhone Through SMS

Status
Not open for further replies.

ossie

As usual, Mr. Charlie "no more free bugs" just likes to overemphasize his findings - free advertising is always great - but it seems his greediness isn't finding the proper nourishment (read: cash from blackmailed manufacturers).
Crashing a piece of equipment is one thing (getting easier in these days of consumerism-induced, fast-paced "innovation"), but taking it over is in a whole different lot.
Why didn't he demo the iPhone takeover code at BH? I'm sure he would have liked to really impress the audience, but, as it needs a lot of very careful setup, the chances for failure would have been way too high. There are a lot of unexpected events which could have taken place in a real environment (read: through the network), as opposed to a laboratory environment (frame injection without external disturbance), which would impede the "golden sequence" from reaching its victim in the desired way (out-of-order message delivery is just one which comes quickly to mind).
 

downer88

[citation][nom]ethaniel[/nom]Unless he hacks Chuck Norris's iPhone. That would be the end of him.[/citation]
Chuck Norris doesn't use a phone, he uses his "outside" voice!

Seriously, no offense, but I thought mobile phone exploits were nothing new.
 
Guest
This should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
 

steiner666

[citation][nom]downer88[/nom]Chuck Norris doesn't use a phone, he uses his "outside" voice![/citation]

lol

and of course "jailbroken" iPhones couldn't take down a network, how stupid must ppl really be to believe Apple/AT&T's shit
 

anonymousdude

[citation][nom]Charlie_Fangirl[/nom]This should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.[/citation]

The safety of a Mac lies in its market share. Less market share, fewer attacks, viruses, trojans, etc. That's why people using Linux hardly ever have a problem with security.
 
Guest
anonymousdude: Linux has all but idiot-proof security, low-level exploits are very difficult, there are package repositories that have everything you could ever need without resorting to potentially untrustworthy 3rd party downloads, and they were doing Microsoft's UAC long before Microsoft, and far better and less annoying. Not to mention, they have a far better scheme for handling execute bits and possible remote execution of arbitrary code. An OS is only as good as the idiot who's using it, but Linux has done by far the best job of idiot-proofing an OS, if it hits 99% marketshare, it will still have a fraction of the problems Windows and OSX do, and there are viruses for OSX, ask Apple who recommend MULTIPLE antiviruses be installed on Macs. Out of tens of thousands of free, open source Linux packages, there are hardly any antiviruses or firewalls even available for Linux, because it is actually for real, not necessary. No shit...

 
Guest
@synonymousdude,

OS X is built on UNIX the same as Linux. Please do some research before you spout about things you obviously know nothing about. Otherwise quit wasting the time of everyone that reads the comments.

Thanks,
 
Guest
rorosdad: Obviously you know nothing about UNIX or Linux or the inner workings of OSX. UNIX operating systems follow a standard called POSIX. There is quite a bit of room for differences in how they are implemented. The BSD kernel OSX stole is not the same kernel that Linux uses, besides, most of the security doesn't necessarily happen in the kernel, user interaction happens in the desktop and window managers. Are there package managers for OSX like Synaptic or Adept? Is anybody at Apple smart enough to thwart low-level exploits, or do they only hire "trend-setting hipsters" to be developers? You obviously don't know much about OSes, maybe you should try to educate yourself before acting defiant to me.
 
Guest
@rorosdad: So let me see if I understand your logic correctly:

UNIX is an OS standard developed in the 70s

Linux and OSX are both based on UNIX, therefore:

Both must have equally good security, and:

It doesn't matter how much OSX's developers suck, because if they screwed anything up, it wouldn't be UNIX anymore, because UNIX is perfect and unhackable.

If I'm not mistaken, isn't Charlie Miller (subject of this interview) a hacker famous for pwning OSX? Do any of his exploits ever work on Linux? Hasn't he been quoted as saying that Linux and Windows are both much harder to hack than OSX? Isn't Apple's uber-shi.t Safari browser a liability in itself?


 

matt87_50

"Charlie: I found the bug by sending in thousands of malformed SMS messages to the device, a process known as fuzzing."

Apple's QA should have done this, this is similar to a Soak test, QA's bread and butter.

Oh, and I'm sorry, what? "I can't fault them too much, it was hard to find". Yes, it would be hard to find, but to call it in the first place and not check the return type? To code it in such a way that it will only work if there is no error in the SMS (expected size == actual size).

If I was worried about security at all, I would NOT buy a device coded like this. Trusting a hardware buffer overrun protection system to handle all your problems? Just pathetic!

Good to see him call BS on the Apple jailbreak argument!
While I bet Apple was all too happy to take his advice on how to patch the iPhone, they will just ignore him on this point.
 
Guest
@Synonymous Dude

"...but Linux has done by far the best job of idiot-proofing an OS..."

Yes, typing "tar zxvf blahblahblah-1.1-x86.gz cd /usr/bin/blah" is so "idiot-proof" that everyone will be doing it.
 
Guest
vitalDude: Last time I checked, most distros come with a WinRAR-esque utility where you can double-click, extract, etc... Just like you would in Windows, although if you're talking about installing stuff with GNU Make, I doubt most Linux noobs would be installing stuff outside of package managers.

Epic fail.
 

sdbryan

[citation][nom]rorosdads_dad[/nom]rorosdad: ... Is anybody at Apple smart enough to thwart low-level exploits, or do they only hire "trend-setting hipsters" to be developers? ...[/citation]
It seems that you have never been to a Mac developer conference. I only bother to make that observation because the comment about "trend-setting hipsters" in reference to Apple's Mac OS team is so comical. It might be true about marketing people at Apple but it was easy to observe that as the API level got lower, the engineer from Apple got larger (wider rather than taller) and more disheveled. [Obviously being a trend-setting hipster was not a criterion for choosing personnel]. Any technology company that has been a significant player for well over thirty years is going to have its ups and downs but it is absurd to dismiss its engineering bona fides.
 
Guest
sdbryan: Apple's engineers are so good that they failed at writing their own OS, so they stole BSD because it was literally the only thing they could steal and then make closed-source. As a byproduct of this, they don't even have expertise of their own OS. The Windows API is pretty slick since .NET came out, but since not even Apple properly understands the inner workings of OSX, they have buggy APIs, which is why nobody can properly port an application to OSX, anything that is cross-platform runs 1000x better on Windows, and much faster.
 
Guest
@Ive_seen_the_promised_land: WRONG! OSX originated from NextOS which was an operating system developed by Steve Jobs's break-away company called NextStep. The monolithic/micro kernel hybrid and base libraries come from a merged NextOS and BSD. The BSD libraries in use were not stolen and still remain open source. Apple helps to maintain these libraries. The rest of the operating system including the UI is based on NextOS. NextStep merged with Apple. Many of the designs by NextStep became the modern day Apple designs. The Windows API is not slick - just look at the object model... hideous. No one ports Windows applications to OSX because .NET "point and click" programmers can't program in an environment that is not "Visual" nor can they comprehend Java, Objective C or any other slightly intellectually challenging language like Ruby or Scala that allow you to program in a non-imperative way. Recursion? What's that?
 
Guest
bottoms: If I understand you correctly, you're saying that Visual Studio makes programming entirely too easy? Of course, that kind of pointless elitism is consistent with Macs and their users. I'm an MS-hating Linux fanboy, but I can admit that Visual Studio raised the bar for IDEs, it is hard to use something lesser after you've used VS. Thankfully, there is Monodevelop, so I can still write C#/.NET apps in Linux without having to resort to more archaic IDEs that require ninja-like concentration skills for the entire coding session.
 