Well, we were all happy to finally get away from Windows 95 back in the day. But now iPhone users have the privilege of reliving all the security flaws of that OS on their sparkle new iPhone. "It really is an example of 'those who don't learn from history are condemned to repeat it'," says Dan Geer, vice president and chief scientist at security firm Verdasys.
Security experts have discovered that all applications run on the device run as root, which means that any hacker can cause devastation by sending out massive texts, pulling phone lists and sending them via SMS without the user's knowledge or even dialling numbers randomly without the user knowing. I personally do not have an iPhone, and have completely disowned apple after my first iPod disaster. After seeing the bricking and the price slashing, this to me is just another reason why I am happy I did not buy an iPhone.
News source: Wired
Security experts have discovered that all applications run on the device run as root, which means that any hacker can cause devastation by sending out massive texts, pulling phone lists and sending them via SMS without the user's knowledge or even dialling numbers randomly without the user knowing. I personally do not have an iPhone, and have completely disowned apple after my first iPod disaster. After seeing the bricking and the price slashing, this to me is just another reason why I am happy I did not buy an iPhone.
News source: Wired
Last edited by Lasker on 24 Oct 2007 - 17:35
It sounds not like "repeating mistakes", but rather new blunders making poor security choices.
With the browser running as root, if a user accesses a compromised site, an installation can be performed without the user's knowledge
Bro, you're asking WAY TO MUCH!
It is. A malformed URL could cause Safari to run code, which would then automatically run at the root level. Conceivably, the malware could disguise itself as valid code, thus not interfering with iTunes and be practically invisible to the user, and thus provide a way for the author to receive all data from the phone using the Edge network, if necessary. This is just one scenario.
They also spew false information regarding permissions in Windows. The Storm worm requires admin access to install a Windows service - the vast majority of malware requires admin access, especially in IE7, because the capabilities of running in limited user mode are just that - limited. You need admin access to turn off the built-in firewall - how is your computer going to become part of an online botnet without unrestricted Internet access? Even if that problem was solved, the malware wouldn't launch after a reboot. The most malware can do is either delete/modify/corrupt user files and/or encrypt them.
I also like how they needlessly bash UAC and the Zune. Sensationalistic "journalism" at its best.
Is there a phone out there that does not run the applications as "root" (read with administrative access)? Should we go ahead now and bash WM2002, WM2003, WM5, WM6 pocket pc phones and smartphones? How about we have some fun with Nokia and Motorola as well. After all, they all have the same or not more features... contacts, calendar, camera (with which a hacker could take pictures of your companion, lol) SMS, phone, etc.
Moreover, I do not believe running as "root" is a big deal. Assuming the iPhone applications ran under a restricted account, this account would still need read and write access to data and all the other tokens the applications currently running under root have. This includes EDGE access as well. So, potentially, the "code" ran thru Safari would be able to cause as much damage as root. Of course, this would exclude installing itself as a persistent application, or deleting/modifying OS and application binaries (read bricking, to use hot terms), but Zetter's concern is not so. She only cares about mass texting, 1 (900) phone calls, and companion pictures.
I could go ahead and write about how running under a restricted account wouldn't make it any better in terms of installing itself a persistent application, but naaah... got things to do and people to see.
Extremely sensationalistic article. It's sad it made it to the front page.
If WM has the same issue, it should be held to account as well.
Last edited by neufuse on 24 Oct 2007 - 19:11
yet
but i am sure the fanboys will say this is perfectly alright, and the iPhone is the most secure phone on the market
get some up to date news and as above read the roughly drafted report.
Getting more like a tabloid newspaper with this late illl informed sensationalism.
stupid micro-- wait... what? i thought only Microsoft did things like this?
Apple not supporting unsupported software and lowering their prices is a bad thing?
Unsupported software is unsupported for a reason. Apple doesn't want to have to be responsible for making sure all that stuff still works when they release an update. Just like when you go to an amusement park or something and they say "we are not responsible for blah blah blah", they really aren't, and if it happens it's not their fault.
Prices going down is a bad thing? It happens all the time in the technology world. The RAZR used to be a few hundred dollars, then a few months later is was only 99$, and now it's free with a contract. It happens.
Apple not supporting unsupported software and lowering their prices is a bad thing?
Unsupported software is unsupported for a reason. Apple doesn't want to have to be responsible for making sure all that stuff still works when they release an update. Just like when you go to an amusement park or something and they say "we are not responsible for blah blah blah", they really aren't, and if it happens it's not their fault.
There's a big difference between not supporting an unofficial hack and deliberately going out of their way to brick the phone. Believe me, the people that cracked it in the first place knew what they were doing, it's extremely rare in this day and age for any software hack to cause the system itself to become completely bricked, especially in the case of mobile devices where you can completely reinstall the ROM (and there's no reason why you couldn't do that with the iPhone, either). I mean think about it, Microsoft sure as hell doesn't support people cracking XP or vista, but have a single one of those pirated editions ever been even just less stable than their legit counterparts, even with all of the patches released every month? Perhaps it's not the best comparison, but the fact remains - Apple deliberately went out of their way to brick unlocked phones and that's just nasty.
So you were in the room when Steve Jobs told the programmers to brick the unlocked iPhones?
1.1.1 was a pretty huge update, and changed the way some of the stuff on the iPhone worked. It's not that the unlockers didn't know what they were doing it, it's that Apple changed the way they had to do things in order to improve the iPhone. Hell, Apple probably went out of their way to try adding the update to unlocked phones first to see if it would corrupt the phone, and when they realized it would they decided to warn people. But even though they knew, they weren't going to change their own code to make unsupported unlockers happy.
When Apple updates OS X, they don't go out of their way to make sure 3rd party apps still work on the new software. They give developpers a new SDK to work with for the new OS. If people don't update their software to work in the new version and their apps stop working, it's not Apple's fault. Except OS X is an open platform, and the iPhone is a closed platform, but the same logic applies. If Apple changes the underlying structure for the better, it's up to the 3rd party devs to keep up. Apple doesn't have to slow down and wait for them.
1.1.1 was a pretty huge update, and changed the way some of the stuff on the iPhone worked. It's not that the unlockers didn't know what they were doing it, it's that Apple changed the way they had to do things in order to improve the iPhone.
no, it's has already been confirmed by several iPhone Unlockers that Apple deliberately bricked the unlocked phones with the update. The new features or bug fixes included in 1.1.1 could not have bricked the iPhone, only the part of the update which had no other meaning than "punishing" unlocked iPhones.
Why do you think did it only take 2-3 days to unbrick bricked iPhones? Nothing dramatically was changed by Apple, the hackers only had to find out what simple measurements Apple did to brick unlock iPhones and un-do them.
yes
Because - if they allowed them - and there was a bad app, it would be able to take the whole phone down, rather than OS handling the app crash gracefully.
This is indeed very Windows 95 way of programming by Apple.
Fine, Apple has turned off obvious security flawed technology that need wide access due to poor design like Active X (unlike, for example, Java applets). But if I'm going to bash MS for shipping XP with five open ports, I'm certainly going to call Apple out on this one. Call a spade a spade.
The situation will likely be fixed when the iPhone Software Development Kit is released. The fact that all applications run as root on the iPhone might simply be a temporary bug, and was done to reduce development effort.
But we have yet to see a fix. Even if we use the argument that most other phones run as root, the fact remains that we're talking about an industrial-strength, high-security OS on the iPhone - Unix underpinnings . . . breaking a cardinal Unix rule. Even if other phones run as root, it doesn't mean it's a good idea. And, Apple, especially, who tries harder with design, has to do better and should have done better.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.