Posted by: David Harley | February 6, 2010

iPhone and Digital Certificates

Here’s a post from a week or so ago that I haven’t flagged previously: Cryptopath discusses “iPhone PKI handling flaws”. The introductory paragraph is worth quoting in itself:

The iPhone is obviously a consumer market product which was later enhanced to become an enterprise device…

A later post from Dennis Fisher at Kaspersky, dated 2nd February, quotes (at length) Charlie Miller of Independent Security Evaluators. Some of ISE’s work has been pretty controversial, in particular its lab work on anti-malware testing for Consumer Reports.

However, Charlie casts a long shadow in Apple vulnerability research, and his summary bears repeating:

“You can make any part of the phone not work. You definitely don’t get to run code, but there’s lots of nasty things you can do. You can make applications not work, make it so that you can’t remove this config file,” Miller said. “At the very least, you can make someone’s day miserable.”

That may sound like the sort of thing that will only interest hobbyist hackers, not the kind of attacker you associate with enterprise-level technology. However, there are ways to make money out of denying service, and the way in which attempts to exploit an issue with jailbroken iPhones escalated from trivial “pranks” to a functioning botnet shows that industrial-strength cybercriminals are always watching for a “business opportunity”.

Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence


  1. At least Apple takes their signatures somewhat seriously. I’m working on a piece about Android and the joke that their code signing is.

    • I can’t see Android misuse not becoming a significant growth industry…
