Thursday, November 10, 2011

Security Researcher Misjudges How To Demo Exploit

Forbes' Andy Greenberg interviewed Charlie Miller ahead of Miller's SyScan presentation on an iOS 5 bug that lets an app download unsigned code to an iPhone and run it.

Code signing is Apple's mechanism for ensuring that hostile programs can't replace trusted ones and that only trusted code runs on users' iOS devices: the loader refuses any code that does not carry a valid signature chaining to a root the device trusts. For distribution that root is Apple's own key, applied to apps that pass App Store review; a registered developer's certificate is also trusted, but only for builds installed on the test devices named in that developer's provisioning profile. Apple's code-signing policy is a major differentiator between its devices and those running Google's mobile operating system, which lets users install apps from any source. Apple's relatively good record against Trojans and viruses follows directly from the platform's refusal to run software that does not bear such a signature.

To demonstrate the flaw to Greenberg, Miller did not show him an iPhone running a developer-signed test build. He never explained why he didn't use his development tools to produce a non-distributable demo. Every iOS developer uses that path to check that an app behaves as expected on real hardware before submission, and it is a natural fit here: the bug is in the device's enforcement of code signing, not in App Store review, so a developer-signed build installed on a provisioned device exercises the same code path, and it does so without putting a known security risk up for public download.

What Miller did instead was submit to Apple an app that posed as a garden-variety stock-tracking app but surreptitiously phoned home to his server to ask whether there was unapproved code to fetch and run. The server was set to "innocuous" mode when the app was approved; afterwards Miller cheerfully flipped it to malicious mode and took remote control of the phone during the Greenberg interview. Greenberg's article was published November 7 at 2:38 PM. At 8:15 PM the same day, Greenberg reported that Apple had pulled Miller's app from the App Store and removed Miller from its developer program for violating the developer program license agreement through a scheme to "hide, misrepresent, or obscure" material features of the fake stock ticker.

Apple has already released an update that closes the code-signing bypass.

Because Miller didn't deploy the app under a non-distributable developer signature, but instead persuaded Apple to approve an app that let him take remote control of strangers' iOS devices, Apple had little choice in how to handle him. Miller did show a certain amount of humor: “I miss Steve Jobs,” he says. “He never kicked me out of anything.” Perplexingly, Greenberg seems to miss the critical difference between Miller's conduct and that of the security crackers Apple has treated more kindly, whose circumvention work is expressly permitted by the exemptions the Librarian of Congress has promulgated under the authority of the DMCA.

The rule seems pretty easy: don't lie to anyone who relies on your code. Like, say ... Apple.

This leaves us with two questions --
(1) What will Miller demo at SysCan?
(2) What will Miller have ready when he's allowed to re-enter the developer program next November?
