The organizers of a computer security conference called CanSecWest challenged attendees to break into any one of five smart phones, among them iPhone. Few researchers attempt to hack the devices, especially iPhone, but there was no succeed. Two researchers who have previously found vulnerabilities in the security of the iPhone. And Apple disclosed and issued a patch for dozen such security holes in the device last November. Those two researchers will present a way to run no approved code on Apple’s mobile device at the Black Hat Security Conference. Many of the researchers simply refuse to work on that simply because the flaw has been exploited. Charles Miller, a principal analyst at Independent Security Evaluators who is one of those two researchers, said that “"If you want to attack iPhones, you have to be able to run code to do whatever it is you want to do," Maybe that is grabbing credentials, maybe it is listening into phone calls, maybe it is turning on the microphone. Who knows? But this all requires that you be able to run code.” Miller had found the places where changing permission is allowed on the factory iPhones. These parts give the hacker or researcher more freedom to code generic and reliable second stage attacks. Apple is restricting the data that can be executed in the memory; also requires the program to be cryptographically signed by Apple. One of the security features of code signing is to provide security when deploying. Also every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. Even though Miller found that how to solve this problem for the programmers or users. “Apple failed to prevent unauthorized data from executing. This means that a program can be loaded into memory as a non executable block of data, after which the attacker can essentially flip a programmatic switch and make the data executable.” The result of the research is not going to be given to outside environment after he was sure that the issues have not been solved in the new iPhone 3.0. He is going to mention the strengths and weaknesses of the security, so cell phone user can make decision to what device we should use and how we should use them. Also his research could make the way for the developer to skip the signature part and distribute the program to the users. I personally as one of the cell phone users will not chose iPhone, because of this issue. I as the programmer will find it much easier to use Windows Mobile.
Source:
http://www.technologyreview.com/communications/22782/page2/
Other Sources:
http://www.macworld.com/article/132675/2008/03/iphone_sdk_jailbreak.html
http://www.windowsecurity.com/articles/Code-Signing.html
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment