Apple Excommunicates iOS Cracker - InformationWeek


Apple Excommunicates iOS Cracker

Demonstrating a proof-of-concept attack that runs arbitrary code on an iPhone gets security researcher Charlie Miller banned from Apple development program for a year.

Apple has given security researcher Charlie Miller the boot from its iOS developer program after he publicly demonstrated a proof-of-concept attack that would enable an app creator to execute arbitrary code on any iPhone, iPad, or iPod Touch running iOS version 4.3 or later.

Miller has been suspended from the developer program--which allows people to develop, test, and distribute iOS applications--for one year. "First they give researcher's (sic) access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry," said Miller in a tweet posted Tuesday. In a letter, Apple told Miller that it was kicking him out of the program for breaking its terms of service.

Before distributing any app via the App Store, Apple first vets the app, and if approved, signs the code to ensure that the app can't be changed. But the flaw that Miller discovered essentially breaks the iOS application security walled garden, allowing malware attacks to be launched. "The flaw I found is in the way that Apple handles code-signing. Code-signing is important because that's the way that Apple protects you from malware," he said in an unlisted YouTube video demonstrating the attack. (Unlisted YouTube videos can only be viewed by someone who already has a link to the video.)

To test the vulnerability that he discovered, Miller had created Instastock, a fake stock market app, which Apple accepted. "It doesn't do anything weird or funny, it just checks the stocks," he said. At least, that's what it appears to do. In fact, after being downloaded from the Apple App Store and first run, the app "phoned home" to an attacker's server.

For the purposes of the test, the server in this case was located at Miller's house in St. Louis, and he didn't have it push any code to the app while it was being reviewed by Apple. But after it was approved, he was able to open a shell with the device and issue remote commands, making the iPhone do everything from listing directories and processes, to making the phone vibrate or download the user's address book for the attacker.

"You can imagine downloading a nice app like Angry Birds, but instead of just being Angry Birds, it actually could download and do anything it wants, and Apple would have no idea that had happened," said Miller in the video.

Miller disclosed the code-signing vulnerability to Apple several weeks ago, although he failed to mention the proof-of-concept app that he'd uploaded to the App Store, and which Apple approved and made available in September. (An earlier proof-of-concept app that Miller had developed, which allowed a user to zoom in on pictures of David Hasselhoff, was rejected by Apple for having no useful value.)

Miller also demonstrated the exploit in his unlisted YouTube video, which was posted in September. But Apple apparently didn't hear about the proof-of-concept attack demonstration until Monday, when Miller detailed the flaw and provided a link to his YouTube video to Andy Greenberg at Just hours after the story ran, Apple canceled Miller's iOS developer account.

Miller's day job is as a principal consultant at security research firm Accuvant. But the former National Security Agency analyst is probably better known for hacking--in the "take it apart and see how it works" sense--of Apple wares. At the Black Hat conference this past summer, for example, he demonstrated how to hack Apple laptop batteries by reprogramming the firmware, which would allow an attacker to brick the battery, or even make it serve malware. (As noted by Greenberg, it's a wonder that Apple wasn't keeping close tabs on Miller's apps, given his iOS hacking history.)

Miller plans to demonstrate his code-signing attack at next week's SyScan conference in Taiwan, followed by January's Infiltrate conference in Florida.

User Rank: Apprentice
11/8/2011 | 9:53:04 PM
re: Apple Excommunicates iOS Cracker
From the few details given in the article, he only made one mistake by failing to disclose the proof-of-concept app that he made and had passed through to the marketplace. Otherwise, he, apparently, disclosed the bug to Apple which should, in my mind, be paying him and giving him job offers for finding it. Sure, he didn't keep it "under wraps" like they always want, but hey, they can now address this serious bug, which in the wrong hands could have really made Apple look bad given their persona of it always working flawlessly all the time with no vulnerabilities. Treating him like this will probably just make things worse for them, should he get disgruntled and turn malicious. He already has a good history of finding seriously fatal flaws, what if he's upset enough to take the black hat route next time he finds one? Sometimes it's better to take the "high road" and admit your deficiencies as opposed to always attacking those that bring them to light like they are the ones in the wrong.

Yes, he could have probably handled it better and disclosed what he was planning before he did it, but in that case, I'm sure they would have just shut him down before he could have had a chance to test and release it, which is typical Apple. They would rather squash and silence it than admit there's a bug. This would have left it open for more malicious people/groups to find and exploit it for real, with real world repercussions. So, they'll just punish him instead of taking the time to learn from him or offer to let him teach them a thing or two because, God forbid, something bad is disclosed to the public about anything Apple related.

In addition to that, public disclosure of bugs should keep Apple's programmers from becoming complacent with the idea that everything they make is bug free. As a programmer, I know that the majority of code out there has vulnerabilities, I find them in mine, and if you're confident that your code doesn't contain any, that's when you're most likely to introduce them or let one slip through...

My personal opinion: Give that man a medal and tell your QA department to make him an offer he can't refuse.
Tom LaSusa,
User Rank: Apprentice
11/8/2011 | 8:42:09 PM
re: Apple Excommunicates iOS Cracker
I can understand Miller's frustration to a degree, but he also has to realize that's the contract he signed with Apple. If I went to work for a company that enforced a policy of no bow ties and Fez hats, and I wore them because I thought the policy was dumb, I don't get to gripe when I get the call from HR to pack up my stuff.

You go to work for a company, you agree to their rules. If he wants to show people that Apple devices have a myriad of security holes (a noble thing to do) then he should stop working for them.

Tom LaSusa
User Rank: Apprentice
11/8/2011 | 6:08:50 PM
re: Apple Excommunicates iOS Cracker
Hmm, piss off a hacker that was trying to help......