After latest iPhone hack, Charlie Miller kicked out of iOS dev program
Summary: Charlie Miller defeats a major iOS security mechanism, a move that ruffles feathers in Cupertino.
Charlie Miller gets a kick of out defeating Apple's security mechanisms, using his hacking skills to break into Macbooks and iPhones. Now, Apple has kicked the security researcher out of its iOS developer program after word got out that he built a proof-of-concept iPhone app to showcase a bypass of the code signing mechanism.
According to Forbes's Andy Greenberg, Miller found a way to sneak an evil app into the iPhone/iPad app store and will demonstrate the vulnerability at the upcoming SysCan conference in Taiwan.
Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using his method–and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick–an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.
Miller has created a video demonstrating the attack, which gave him enough control over the hijacked iPhone to control the device vibration or read files off the iPhone.
Greenberg writes that Miller effectively created a proof-of-concept app called Instastock that appears to merely list stock tickers, but also communicates with a server controlled by Miller, "pulling down and executing whatever new commands he wants."
Details on the actual vulnerability being exploited is being kept under wraps until Apple issues a fix.
Just hours after word of his Miller's app -- which was approved by Apple -- was publicized by Greenberg, Apple nuked Miller from the iOS dev program "effective immediately."
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
Apple has got to be the most Security "Unconscious" that I have ever seen. Apple doesn't get it because they believe kicking someone out, suing someone or just throwing a plain ol' Jobs tantrum will solve it all. Sadly to say guys, that's not working today, or tomorrow either, matter of fact you might as well get your head out of the hole it's in and look around.
Your products are not as secure as you lead the masses to believe.
Kicking people out, denying the facts until there out of control. In case you have missed the headlines nearly everyday, your weaknesses are being shown to all and it's not going to go away under a rug. The community is laughing at you, daily, yet you still just don't get it.
Anyway, Miller broke the rules so obviously he was ousted of developer ...
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
He can work with Apple.
It sounds as if he violated the terms of the iOS Developer Program. While his intentions may have been noble but that's irrelevant. Especially because he uploaded a "sleeper app" to the app store.
Apple was correct to do this.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
So bringing it to light so apple can flat out deny the crap out of it does something more than actually showing them proof of what they so blatantly deny until they cant deny it any more.
What better way to prove them wrong when they say it cant be done or doesn't exist. If he had true malicious intent, why say anything at all and reap the full benefits of his POC code? That's not what happened. He made the public aware in a way apple could not deny but show their true face.
Athens
Rules intendend to hide security holes in their products
How nice of Apple.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
The way I see it, he doesn't need Apple to get an App into their App Store but they could sure use his help keeping other people from circumventing their state
.
Good!
Kick the bastard and his malware out of the App Store. If he was doing this for the "right" reasons he wouldn't foist it onto the App Store where an unsuspecting person looking for a stock ticker might download his crap. He could have accomplished the same ends without doing what he did.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
I guess Steve Jobs himself is no rule breaker, yes?
All security researchers required special mindset that break rules and think out side the box. In a way what Miller has done couldn't be more "Apple" than that.
I guess Apple is thinking no more different than IBM anymore.
What if someone did this with nobody's knowledge?
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
"Keep your friends close, and your enemies closer."
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
So what your saying is that because Miller found a hole in Apples product after agreeing (thru some surely complex and lengthy legalize ) to not find any holes he must now be botted instead of thanked for helping Apple to find one more hole that needs plugging/
That makes complete snese in thsimized up world where up is down and right is wrong.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
And yet he's STILL getting publicity for the exploit - the only difference is that Apple got egg on their face in the process and got rid of the resource needed to fix the issue. Note that this does this invalidate the exploit itself nor does it invalidate the fact that a hacker with malicious intent could do the same exact thing and Apple would be none the wiser - Charlie Miller TOLD Apple what he did.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
APPLE APPROVED THE APP, if one is to believe the article.
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
In this situation all of the Apple fans, fanbois, mactards, whatever need to stop blindly defending Apple...
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
RE: After latest iPhone hack, Charlie Miller kicked out of iOS dev program
So what ?
Do you want a secure phone ?
Do you want people to find and reveal vulnerabilities in the open ? or do you want them done where no one knows until their phone is cracked ?
Apple has a choice between letting the Charlie Miller's of the world get their 15 min of fame for finding and exposing vulnerabilities - in a way that makes it likely they will get fixed before millions of phones are cracked, or having it done by others with more hostile goals.
Apple is free to control its Store, and developers program as they please - and I am free to switch to Android.