Hack can open up iPhone to push messaging exploit

The problem allegedly occurs through AOL Instant Messenger's push feature in phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). However, it is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.

Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.

But without user tampering, the iPhone's security layer actually prevents this sort of incident from happening.

Apple's PNS Security

As AppleInsider exclusively reported back in February, Apple's Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.

In order to secure the delivery of these messages, Apple uses SSL certificates to securely authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates itself a private and public key pair, and uses these to register itself with Apple's PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.

Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft's Windows Messaging popups, none of which included any inherent security in their designs. Apple's security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.

The security layer also prevents malicious users from intercepting messages and it secures users from receiving fake messages to obtain their location or wipe their phone, while enabling users to perform those actions themselves from MobileMe after authenticating. Users don't need to know anything about the underlying certificates used to secure these communications; everything is designed to "just work."

Putting the break in jailbreak

Jailbreaking the iPhone involves working around Apple's security system to enable the device to run unsigned software. The iPhone's applications, just like its PNS communications, are encrypted using security certificates to prevent tampering, spoofing, or spying by malicious third parties.

Destroying the application security layer of the iPhone does not itself automatically break PNS, but (when combined with an "unofficial activation" required to use it with unofficial service providers) results in the system having no legitimate certificates to use in performing push notifications. Essentially, if the phone is not properly activated as intended through iTunes, the user's credentials for signing into Apple's PNS messaging servers (which are generated by the device itself in normal conditions) are broken along with the application security layer.

Dev team hackers trying to get jailbroken, alternatively activated phones to work with PNS allegedly made the mistake of adding an existing certificate to "fix" the problem. The hack simply identifies the new jailbroken phone to Apple as another phone that already exists, enabling messages to be sent to the wrong device.

Users who don't jailbreak their iPhone won't experience any problems with messages being broadcast to random other users. But those who tamper with the iPhone's security system will have to figure out how to generate SSL authentication keys appropriately to enable the phone to work with PNS messages correctly.