Wednesday, November 11, 2009

Worm News Leaves Foul Taste

Apple, which has traded on a reputation for immunity to the cyberinfections that plagued Microsoft's products since even before Apple sold an operating system with protected memory, has been predictably targeted by security-illiterate nitwits eager to proclaim that Apple has a serious security problem in the iPhone following a recent spate of attacks in Australia. Of course, the vector leveraged in the Australian attacks is not new, having been seen previously when demonstrated in the Netherlands.

So, what is this attack vector? It turns out that it runs only on jailbroken phones, and exploits a root password that is apparently left in a known state by at least certain jailbreak kits. To attack an iPhone with this technique, therefore, one must:
  1. Find an iPhone that has been "jailbroken" – prepared by the phone's user in advance of the attack in order to allow applications not approved by Apple to run on the phone;
  2. Discover that (a) the particular jailbreak technique used by the specific victim in advance of the attack involved permanently enabling an OpenSSH server, a tool for remotely accessing Unix machines through a command-line interface (note that the fact that OpenSSH can be run on phones isn't itself a security problem – OpenSSH is designed for secure remote access, so the rest of the idiocies described herein are absolutely essential to the attack's success); (b) the intended victim's OpenSSH server is configured to allow login by the user "root" (the administrative or "super" user, whose user ID is "0"; even if typical users did need their phones to offer remote shell access -- and they manifestly don't -- why can't the jailbreak kit vendors at least script for the use of low-privileged users?), and (c) the password of the enabled root account is already known to the attacker (and I stress here that it is well publicized to OpenSSH users that OpenSSH is easily configured to prohibit login by the user "root", making this whole scenario impossible if only one cares a little about what one is doing, even if one wants for some reason to leave an OpenSSH server running on a phone), because the user's jailbreak kit made no effort to induce users to employ a hard-to-guess password and simply left every affected phone with the exact same, easily learnable, password for root;
  3. Log in as root and execute any application one wants, including file transfer applications and applications that try to replicate this attack on other machines in the hope that the other machine is a jailbroken iPhone with a braindead root password.
Reading this list, it's clear the problem isn't really Apple's at all: Apple offered a platform designed to make it impossible for a virus or worm to propagate because all applications required a digital signature from Apple. (A virus in the wild can't create a valid-seeming Apple digital signature authorizing use on unknown-in-advance users' phones; Apple's app security infrastructure seems fairly proof against viruses and worms unless deliberately dismantled by users.) The fact that some users modified their phones to allow unapproved apps to run without so much as a pop-up window for user permission can hardly be laid at Apple's feet.

Purveyors of jailbreak kits have at least as much blame to bear. Why on Earth must jailbreak kits fail to demand that users enter a strong password, or else refuse to proceed? In fact, why on Earth bother to leave an OpenSSH server running at all on a phone? Getting a remote shell on another machine doesn't require one to run the server, just the client -- and who interacts with their own iPhone via a command-line interface?
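The two settings at issue in item 2 above and in this paragraph, root login over SSH and password authentication, are both plain sshd_config keywords. The following audit script is an added example, not code from the original post or from any jailbreak kit; the sample configurations it checks are constructed, and it assumes the pre-OpenSSH-7.0 defaults of the era (both keywords defaulting to "yes").

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# two settings the post complains about, root login over SSH and password
# authentication. sshd honours the FIRST occurrence of a keyword, and this
# parser does the same. Sample configs below are constructed for illustration.

# sshd_setting FILE KEYWORD DEFAULT: print the effective value of KEYWORD
# (whitespace-separated "Keyword value" form, comments stripped, first match wins)
sshd_setting() {
    _file=$1; _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _default=$3
    _val=$(sed 's/#.*//' "$_file" | awk -v k="$_key" 'tolower($1)==k {print $2; exit}')
    printf '%s\n' "${_val:-$_default}"
}

# audit_sshd FILE: print "weak" if root can log in with a password, else "ok".
# Assumes the pre-OpenSSH-7.0 defaults of the era (both settings default to yes).
audit_sshd() {
    _root=$(sshd_setting "$1" PermitRootLogin yes)
    _pass=$(sshd_setting "$1" PasswordAuthentication yes)
    case "$_root" in
        no|prohibit-password|without-password|forced-commands-only) echo ok ;;
        *) [ "$_pass" = no ] && echo ok || echo weak ;;
    esac
}

# Constructed sample: the kind of configuration the post describes a jailbreak
# kit leaving behind (root login permitted by default, password auth on).
WEAK_CFG=$(mktemp); cat >"$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin no     <- commented out, so the default (yes) applies
PasswordAuthentication yes
EOF

# Constructed sample: the easy fix the post refers to, root login prohibited.
SAFE_CFG=$(mktemp); cat >"$SAFE_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "kit-style config: $(audit_sshd "$WEAK_CFG")"   # weak
echo "hardened config:  $(audit_sshd "$SAFE_CFG")"   # ok
rm -f "$WEAK_CFG" "$SAFE_CFG"
```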

Lastly, we wonder why it is that Apple gets blamed for these shenanigans. Perhaps the certainty that Apple would be blamed regardless of fault explains Apple's decision to create a system that makes worms impossible unless users dismantle it on purpose.
