
iPhone Hacker Slams Apple Security


By David Raikow, ChannelWeb
3:09 PM EDT Fri. Aug. 03, 2007
In a Thursday presentation at the Black Hat Briefings conference, security researcher Charles Miller spelled out a wide variety of security problems in the Mac OS X operating system and Apple's Safari browser that allowed him to devise the first publicly disclosed attack on the iPhone.

According to Miller, his attack is not an isolated incident, and should not be viewed as the inevitable result of the kinds of bugs found in all software. Rather, he said, it was just one symptom of flawed Apple security practices that have left the entire OS X platform vulnerable on both the Mac and the iPhone.

"Before they released the patch, I couldn't really say that much because I didn't want to give anyone enough to replicate the exploit," Miller told ChannelWeb. "It was really frustrating, because a lot of people leapt to Apple's defense without really knowing the details. Everyone said, 'Oh, everyone gets bugs,' and 'Apple's good on security,' and 'They're better than Microsoft.' When you look at the details of this bug, though, the reality is that Apple's been negligent, I think."

"There's going to be a second exploit like this, and a third, and a fourth," he added. "Those probably aren't going to be public, though. They're going to be found by bad guys, who are going to keep them to themselves and use them, because no one's going to get any press for the second or third iPhone exploit."

Miller, who leads a team of researchers at consultancy Independent Security Evaluators, announced in late July that his group had discovered a way to attack the iPhone through a vulnerability in the Safari Web browser that could give an attacker nearly complete control of the device. Miller withheld technical details until the conference, giving Apple time to issue a patch.

Miller listed a number of what he considers to be specific bad development practices on Apple's part, the most egregious of which is Apple's regular inclusion in the OS X platform of older, outdated versions of open source code, much of which has known security bugs.

"Here's my formula for finding a zero-day [vulnerability] on a Mac; here's what you do," said Miller in his presentation. "First, find an open source package that they use that's out of date -- there's plenty of those. Read through the changelog for the current version of that software, find a usable bug that's been fixed in the newer versions. And you're done. You don't have to worry about static analysis or fuzzing or any of that stuff."

As of late July, for example, the version of the Samba software package used on OS X contained serious, remotely exploitable "root" vulnerabilities and hadn't been updated since February 2005. Likewise, while Miller's team located the flaw they used in their iPhone attack through an analysis technique known as "fuzzing," they later learned that it had been publicly disclosed and fixed nearly a year before; Apple simply hadn't updated the version it used.

Other security experts note that Apple's development team has both strengths and weaknesses when it comes to security. "The MacHack thing, they fixed in like eight days," noted security researcher Dino Dai Zovi. "That's almost a land-speed record for vendor response to a vulnerability. Even when the ANI vulnerability was going on, and it was all over the internet and hundreds of thousands of machines were getting owned, it still took Microsoft 3 weeks."

"One thing that Apple does do that Microsoft doesn't, is they proactively fix vulnerabilities that they find," he added. "Microsoft, only in rare cases will issue a security update for bugs they find internally until someone else finds it and reports it. Apple will proactively fix an entire class of vulnerabilities and issue a security update."

Miller argued, however, that Apple has essentially gotten away with weak security because attackers haven't been particularly interested in the Mac; OS X simply hasn't gotten the kind of scrutiny that Windows has faced for years. That's starting to change, and the iPhone's high profile will only speed things up.

"I think they're a couple of years, at least, behind Windows," he said. "You know, Windows has been trying to get their act together for a couple of years. Like them or not, at least they've been trying."

Nevertheless, Miller emphasized that he remains a fan of OS X. "Macs have security problems, but I still like them. I still love my iPhone."

