Taking a bite out of Apple

The Baltimore Sun

Avi Rubin had just bought himself a new toy, an Apple iPhone. As he showed it off to his colleagues at his Baltimore company, Independent Security Evaluators, he issued a challenge.

He gave them a week to see if they could find any glitches in the phone. And he'd sweeten the deal by buying each member of the three-man team an iPhone - whether they discovered anything or not.

"We told Avi we'd have a 40 percent chance of success," said Charles A. Miller, 34, the principal security analyst for the firm. "We just wanted to see how secure these things were. Should people feel safe with them? People are carrying their whole life around on them."

Within two or three days, the team found a way to take advantage of a flaw in one application that allowed access to the whole phone. But it would take a little more time to see whether that weakness could be used to gain information.

Once Rubin agreed to an extension, the three worked for another week to see whether they could exploit the weakness to tap into personal information stored in the phone - sometimes putting in 12-hour days.

"It can be hard to stay away when you're close," said Jake Honoroff, 27, a security analyst who used to work as a cryptologic mathematician at the National Security Agency.

Honoroff, Miller and a third employee, Joshua Mason, found that they could obtain e-mail, text messages, phone numbers - a wealth of personal information - through WiFi connections or by tricking users into going to a specific Web site that could take control of the phone. Potentially, hackers could make phone calls and run up large bills.

Miller, who was a global network exploitation analyst at the NSA, said he promptly e-mailed Apple to tell them of the glitch, with all the technical details he knew and even provided a software patch in the form of two lines of computer code.

"This is almost exactly what we'd do if Apple had paid us," Miller said. "They should be very grateful, because this is one less bug for the bad guys to find."

The Baltimore researchers' lark is a glimpse into the world of test hackers, who try to find the kinks in technology before they become security issues for consumers and companies. These hackers, who often are hired by companies to find vulnerabilities in their products or services, are distinct from the rogue hackers whose intent is typically malicious and may involve having control of large numbers of computers so they can send mass e-mails.

Apple's products have a reputation as being close to virus- and hack-proof. That reputation for security is partly due to Apple's computer design, coupled with the fact that so many more people use Microsoft's Windows operating system. Hackers have concentrated more attention there than on Apple products, said Ashok Agrawala, a professor of computer science at the University of Maryland, College Park.

Still, the findings of the Baltimore analysts are not surprising, he said.

"It is very difficult to make the complex software so there are no security holes," Agrawala said. "The iPhone is not as large as a major desktop, but it is a fairly complex system which has lots of software in it, so there is the possibility that it has security holes."

Apple is "looking into" the report submitted by the Baltimore researchers, according to a spokeswoman. The researchers' findings were reported yesterday in The New York Times.

The Baltimore company published a summary of its findings at www.exploitingiphone.com yesterday but did not provide technical details of how it did its work. Miller is scheduled to discuss the vulnerability in more detail at Black Hat, a computer security convention, in Las Vegas in August.

"We take security very seriously," said Lynn Fox, a spokeswoman for Apple. "We have a great track record of addressing potential vulnerabilities before they affect users. We always welcome feedback on ways to improve our security."

There is no evidence that this flaw has been exploited or any users affected.

Independent Security Evaluators was launched in February 2005 by Rubin, a Johns Hopkins University professor and technical director of the university's Information Security Institute. He previously had garnered widespread attention for announcing that widely used electronic voting machines manufactured by Diebold Election Systems were vulnerable to various forms of hacking that could change vote counts.

ISE has taken part in Consumer Reports evaluations of anti-virus programs and has assessed point-of-sale credit card terminals for MasterCard. Its clients include multinational banks, Fortune 500 corporations, e-commerce vendors and venture capitalists, according to company documents.

A large part of Independent Security Evaluators' work is to test computer security for clients by trying to hack into it.

Texas Instruments felt the sting of Rubin and his team when they broke the encryption on wireless gas payment cards and car keys and publicized their findings - revealing a potential threat to millions of consumers.

"You would hope that anything Apple or anyone else would make would be able to withstand a week and a half of analysis," Miller said. "It's a little scary. We're not the only people in the world capable of doing this. Bad guys could do the same thing."

The security consultants know that they are at risk just like everyone else who owns an iPhone until Apple makes the fix. But they follow their own advice for steps a consumer can take to minimize the threat of hackers.

They recommend not visiting Web sites you don't completely trust, not clicking on any links that you receive in e-mail messages, because they can masquerade as something they are not. They also avoid using wireless connections unless they are confident that they are secure. Home, work and hotel wireless connections should be fine, but beware of free access points available at airports and other locations, they warn.

Taking those kinds of steps reduces the risk of hacking to a manageable level, they said.

"This is not the last problem that will be found in the iPhone," Miller said. "There's going to be problems. It's just the nature of the complexity. You take a complex phone and a complex computer and you put them together and it's even worse."

Normally, the firm's price tag for the week and a half of work they did on the iPhone would be in the tens of thousands of dollars, Miller said. Analysts at the firm, which has about 16 employees, can bill between $250 and $350 and hour, he said.

Miller acknowledges that even though hunting for the glitch got tedious at times, he enjoyed it.

"It was fun," he said. "We like technological things, and I love my iPhone."


Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad