Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Hack can open up iPhone to push messaging exploit

While a variety of sources have published a story accusing the iPhone 3.0 software of broadcasting instant messages to random iPhones, in reality this exploit affects only users who have hacked their phone and made it vulnerable.

The problem allegedly occurs through AOL Instant Messenger's push feature in phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). However, it is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.

Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.

But without user tampering, the iPhone's security layer actually prevents this sort of incident from happening.

Apple's PNS Security

As AppleInsider exclusively reported back in February, Apple's Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.

In order to secure the delivery of these messages, Apple uses SSL certificates to securely authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates itself a private and public key pair, and uses these to register itself with Apple's PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.

Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft's Windows Messaging popups, none of which included any inherent security in their designs. Apple's security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.

The security layer also prevents malicious users from intercepting messages and it secures users from receiving fake messages to obtain their location or wipe their phone, while enabling users to perform those actions themselves from MobileMe after authenticating. Users don't need to know anything about the underlying certificates used to secure these communications; everything is designed to "just work."

Putting the break in jailbreak

Jailbreaking the iPhone involves working around Apple's security system to enable the device to run unsigned software. The iPhone's applications, just like its PNS communications, are encrypted using security certificates to prevent tampering, spoofing, or spying by malicious third parties.

Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer.

Dev team hackers trying to get jailbroken, alternatively activated phones to work with PNS allegedly made the mistake of adding an existing certificate to "fix" the problem. The hack simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device.

Users who don't jailbreak their iPhone won't experience any problems with messages being broadcast to random other users. But those who tamper with the iPhone's security system will have to figure out how to generate SSL authentication keys appropriately to enable the phone to work with PNS messages correctly.



65 Comments

al_bundy 1525 comments · 15 Years

Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.

akf2000 223 comments · 17 Years

Who the hell wrote this, looks like a Yu Wan Mei press release.

kresh 372 comments · 19 Years

Hack your hardware but don't blame the manufacturer when you screw something up, I hope this hurts EFF's effort to get the DMCA exemption.

hezekiahb 448 comments · 16 Years

Quote:
Originally Posted by al_bundy

Sounds like the hackers know what they are doing, just not the people jailbreaking their phones.

If I read the article correctly it sounds like users are getting the hackers messages. Ought to make it easy to know who created the cracks.

jpellino 707 comments · 18 Years

"Dev team hackers trying to get jailbroken phones to work with PNS made the mistake of adding an existing certificate to "fix" the problem, which simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device, where "wrong" is actually "unexpected," not "incorrect."

Pish tosh. We all know hackers don't make mistakes. We have all been told that they simply point out the feeb programmers who made the mistake of not anticipating that someone would do some godforsaken thing to their creation that was neither intended or practical. In related news, it's BMW's fault when someone severs those pesky brand-name control arms, inserts tomato stakes and my car heads off in other directions. Poor planning.