iPhone vulnerable to remote attack on SSL
Beware of rogue config files
Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said.
The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization's IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.
"If the user accepts, the attacker can make changes to the phone's configuration which can cause harm," Miller wrote in an email to The Reg.
The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using a SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author's rogue update.mobilconfig file was accepted and executed.
The author claimed the hack could be used to change an iPhone's proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn't sure such an attack was possible, but he didn't rule it out, either.
"It definitely allows them to change the trusted certs which means that you can't trust SSL anymore," Miller wrote. "I don't have the cert the guy generated to really confirm things on my own. I'm very confident that it can do a lot though."
In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps or block access to particular websites that can be accessed.
For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been "verified" and would have to click OK to install it.
The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn't sure how useful that would be.
"If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL," he said. ®