Kim Zetter and the iPhone Root Security Myth
October 23rd, 2007
Daniel Eran Dilger
Writing for Wired, Kim Zetter published an article that attempts to portray the iPhone as a security boondoggle on the order of Windows 95, due to a fundamental mistake Apple supposedly made in designing it. Fortunately, Zetter is wrong; here’s why.
Updated: Kevin Poulsen Attacks Ron Paul, iPhone, Mac Users In a Single Broad Brush of Wired Incompetence.
Irony of Ironies.
At first blush, an article about wireless devices in Wired Magazine seems a bit contradictory. Then again, this is a publication that differentiated itself by putting frantic yellow text on lime green pages. Perhaps ‘Wired’ is really just an allusion to hypercaffeination. It also seems ironic that Zetter’s headline, “IPhone’s Security Rivals Windows 95 (No, That’s Not Good),” slavishly conforms to conservative style guidelines that refrain from starting a sentence with a trademark that is not supposed to start with a capital letter.
Dear Wired: you print your own name in wildly alternating fonts; live a little and print a headline that starts with a small letter. I dare you. I also dare you to have Zetter rewrite the article after interviewing more than one source. Perhaps this would result in an informed, balanced piece rather than a simple regurgitation of the message one individual fed her as a story.
After all, if you’re going to carefully follow the formal style of punctuation from the turn of the last century, you might as well go all the way and write actual content that has been researched as proper journalism.
The Root of All Evil.
Zetter’s article revolves around the idea that because the iPhone runs all its internal applications under the same root user account, users are imperiled by a potential crisis. How bad is it? Windows bad, at least according to Zetter’s headline.
“Every application on the device — from the calculator on up — runs as ‘root,’ i.e., with full system privileges,” Zetter noted. “As a result, a serious vulnerability in any of these applications would allow hackers to gain complete control of the device.”
Let’s make that simpler. A serious vulnerability in anything would allow hackers to gain complete control of anything.
Or paring down the details to bare truth: A Possibility of an Undesired Result would allow, possibly, an Undesired Result.
Zetter, thank you for alerting us to the universal nature of cause and effect. However, the real issue you should have examined is: does the architecture of the iPhone actually make it more vulnerable than other products? Would changing things make a real difference?
The Panic Worm.
To provide some context for the level of panic Zetter wants readers to take away, she compares the iPhone’s design to Windows by referencing the “plague of Internet malware” that has caused billions in damage and interruption–as well as untold annoyance–to users from the widely publicized Melissa virus outbreak in 1999 to the more recent Storm worm.
Windows doesn’t have a “root user,” but users logged in as an administrator–which Windows makes the default setting–do have the ability to do most anything on the system. Even worse, other programs can install and perform actions without the user even being aware of it. This is the real reason Windows systems are plagued with malware; simply browsing the web or reading email could result in malware being installed.
Microsoft’s “solution” to this problem in Vista is to pop up a UAC warning whenever a privileged operation is attempted. This puts the burden of security upon users, who are effectively trained to click “OK” reflexively rather than to scrutinize the legitimacy of an unusual prompt.
However, Zetter’s mention of Melissa is interesting because that outbreak, which shut down mail servers and embarrassed Windows administrators at the height of the dotcom boom, had nothing to do with privilege escalation. “Hackers” didn’t exploit a vulnerability to gain access to Windows and take full control of the system in the Melissa outbreak.
In reality, Melissa was just an Office macro virus, which–acting as the regular user–carried out a scripted task of mailing itself to the first fifty entries in the victim’s Outlook address book. It then copied itself into the victim’s Word documents as a Word 97 macro, so that those documents carried it on to other users. Later variants would also attempt to delete files on attached Windows network shares.
Similarly, the Storm trojan has nothing to do with privilege escalation either. It is also sent by email, with provocative messages designed to entice the user to open the attached executable. Windows runs the malware upon opening it, and it installs a hidden Windows service that acts as part of a distributed spambot network, forwarding itself out by email at hundreds of messages per minute.
Certainly Wired editors should know that root access or administrative privilege is not required for sending out emails or deleting one’s own files. Administrative privileges are apparently also not required for printing sensationalist, uninformed articles either.
The Windows Security Crisis.
The security problems Zetter identified relate to the poor design and implementation of Office and Windows–and not just the decade-old Windows 95, as the headline tries to suggest. Microsoft scrambled to address these issues with Windows XP Service Pack 2, a distraction that helped delay the company from releasing Vista as intended. Vista also attempts to create further safeguards, although its UAC solution has been widely panned as a “sad realization.”
However, while Windows does have privilege escalation flaws on an architectural level, its security problems are not all related to privilege escalation, as Zetter’s own examples demonstrate. In fact, the most problematic issues with Windows aren’t related to “running as root,” but rather to running automated, invisible actions as the regular user, without their knowledge.
Nobody needs root access to delete their own files, or to email out their sensitive documents to random people who happen to be in their contact list. Windows and Office have made automating those types of actions embarrassingly easy for scripts launched from emails to do. This is the problem behind the Windows Security Crisis, not some imagined elite team of hackers who painstakingly crack through real security just to look at our photos.
iPhone Security Cake, And Eating it Too.
In contrast, the iPhone won’t run scripts you send it in emails and it won’t execute ActiveX plugins as Internet Explorer does; even the most determined user can’t run software of any kind on it without using other hardware and the Unix command line to break down its security skin first.
There are no SD card slots that offer to automatically execute any code that might be copied to a memory card when inserted, as a Palm OS phone will, and there’s no provision for installing software downloads of unknown origin, as Windows Mobile and most Symbian phones will be happy to do. Short of the jailbreak procedure just described, there’s simply no way to run code on the iPhone outside of its web application platform within Safari.
And of course, that is what hackers have been complaining about, and what uninformed media columnists have been whining about as if they were the last advocates of the public good on Earth, or perhaps modern day Ronald Reagans demanding “Mr Gorbe-Jobs, Tear Down This Wall!” Yes, very teary and profound, but not very informed.
10 FAS: 10 – Apple’s Mac and iPhone Security Crisis
The iPhone Web Platform.
Those same know-it-alls who seem to think they steer the captains of industry from their populist pulpits were also in the same breath outraged to find that the iPhone might have potential vulnerabilities. Sure enough, there were soon documented flaws in the web interface offered by Safari, after it was found to incorporate open source software with some previously discovered flaws. The one caveat worth granting Zetter here is that since Safari itself runs as root, a code-execution flaw in it lands the attacker at full system privilege in a single step; the practical question is whether that changes the outcome for a single-user device, which is taken up below.
The thing is, we know a lot about web security. The web is also quite restrictive, and therefore has a finite number of vectors for attack. Unless you add something new, such as Flash or Silverlight or ActiveX, the actual functionality of the web is hard to exploit in unknown ways. We know most of them. That’s why Apple released the web interface as the only way to build third party applications at the iPhone’s launch, and why it’s taking another several months to gestate plans for an SDK with more native access to the iPhone’s internals.
Imagine if Apple had released the iPhone in June with the door wide open to throw on any software. Is it perhaps likely that the first implementation of Apple’s Cocoa development tools ever ported to ARM might have some initial flaws? Perhaps even many times more flaws than the well documented, highly restrictive environment provided by Safari and the well vetted, mature open source code Apple incorporated with it?
Steve Jobs Ends iPhone SDK Panic
There are a lot of reasons for complaining about iPhone security–including making a name for yourself as a security researcher–but nobody can seriously compare iPhone security with that of other mobiles, nor that of Windows on the desktop. Anything that can load software of any kind is automatically more vulnerable to attacks than the iPhone.
In addition, the iPhone is on the tip of everyone’s tongue, so if there were any actual problems in the wild, they’d be on the front page. Zetter imagines scenarios where rogue applications take over one’s iPhone to spy on them, take photos, and track their location via WiFi. Oh please, the virus market on Windows is funded by spam; there’s no incentive behind Hollywood-style fantasy viruses that do such things on an individual level. Who is going to develop custom applications targeting 1% of the mobile industry to covertly snap pictures of users’ pockets?
Such frantic, uninformed scare mongering belongs in one of the many anti-iPhone blogs run by Rob Enderle, who similarly imagined scenarios involving the violent death of children, murder, and rape, all of which were somehow connected to the iPhone.
Zetter clearly does not understand the subject matter she presents, and should not be writing about it without first passing her copy to someone with security credentials. She also should have talked to more than just one source; in this case it was Dan Geer, who only seems to be an expert at being an expert. What’s next, an article on global warming, interviewing science fictionalist Michael Crichton?
Zetter wrote, “Computer security professionals call the iPhone design flaw a fundamental mistake, and say that Apple should have known better,” citing Geer as saying, “The principle of ‘least privilege’ is a fundamental security principle.” Yes, and what phone grants its users fewer privileges than the iPhone?
Your internal organs are highly vulnerable to infection, but that’s why you keep them wrapped up in skin. Being vulnerable on the inside isn’t something to worry about unless you plan to rip things open. That’s why it’s a challenge to provide a secured development environment for mobiles. Apple is giving things some thought to prevent another disaster on the order of Windows.
The Root Myth.
Insisting that the iPhone’s internal architecture is a house of cards because all of its processes run as root ignores the fact that the vast majority of malware doesn’t need root to do its damage. In fact, most everything a user cares about on the iPhone is user data.
Are Zetter and the iPhone Root Scare Mongers really trying to say that Apple could design the iPhone so that users wouldn’t have access to their own data, or wouldn’t have permission to use the camera or to send messages? Any compromised process running as the user could do everything that user can do. A user-account boundary only matters if you have multiple users and don’t trust some of them; keeping the calculator away from the camera is a question of per-application sandboxing, which is a different mechanism from simply not running as root.
“Running as root” has become such a sensationalized buzzword that the underlying idea has been lost. A similar thing happened to the concept of a “firewall,” which many pundits are prattling off as another supposed omission from the iPhone. Real security is an engineering effort, not a marketing exercise.
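To make the dispute concrete, here is an added example in Python (not code from the article, from Apple, or from Wired) that models the two designs as a deny-by-default reference monitor. The application names, the resource list and the per-app grant table are constructed assumptions for illustration; the one rule taken from real systems is that uid 0 bypasses every permission check, as in classic Unix discretionary access control. It shows both sides of the argument: under per-app least privilege a compromised Mail still reads the user’s mail (the point made above), while a compromised Calculator no longer reaches the camera, SMS or the system binaries (Geer’s point).

```python
"""Blast radius of a compromised app under two privilege designs.

Added illustration, not code from the article or from Apple. Resources,
apps and the grant table are constructed; only the "uid 0 bypasses all
checks" rule mirrors real Unix DAC semantics.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Resource(Enum):
    USER_MAIL = auto()         # the user's own data
    USER_PHOTOS = auto()
    CAMERA = auto()            # device capabilities
    SEND_SMS = auto()
    SYSTEM_BINARIES = auto()   # e.g. /Applications, /usr/bin (persistence)
    KERNEL_SETTINGS = auto()


ROOT_UID = 0
APP_UID = 501  # assumed unprivileged uid for sandboxed apps


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    grants: frozenset  # per-app allowlist; empty means no grants


# Constructed per-app policy: what each app legitimately needs to function.
LEAST_PRIVILEGE_POLICY = {
    "Calculator": frozenset(),
    "Mail": frozenset({Resource.USER_MAIL}),
    "Camera": frozenset({Resource.CAMERA, Resource.USER_PHOTOS}),
    "Messages": frozenset({Resource.SEND_SMS}),
}


def can_access(proc: Process, res: Resource) -> bool:
    """Deny-by-default check. uid 0 is exempt, as Unix DAC exempts root."""
    if proc.uid == ROOT_UID:
        return True
    return res in proc.grants


def reachable_after_compromise(proc: Process) -> set:
    """Everything an attacker who controls `proc` can touch."""
    return {r for r in Resource if can_access(proc, r)}


def all_as_root(app: str) -> Process:
    """The design Zetter criticizes: every app, calculator included, is uid 0."""
    return Process(app, ROOT_UID, frozenset())


def least_privilege(app: str) -> Process:
    """Geer's alternative: unprivileged uid plus a per-app allowlist."""
    return Process(app, APP_UID, LEAST_PRIVILEGE_POLICY[app])


def blast_radius(app: str) -> dict:
    """Resource names reachable from a compromised `app` under each design."""
    return {
        "all_as_root": sorted(r.name for r in reachable_after_compromise(all_as_root(app))),
        "least_privilege": sorted(r.name for r in reachable_after_compromise(least_privilege(app))),
    }


def can_persist(app: str, design) -> bool:
    """Can the attacker overwrite system binaries to survive a reboot?"""
    return can_access(design(app), Resource.SYSTEM_BINARIES)


if __name__ == "__main__":
    for name in LEAST_PRIVILEGE_POLICY:
        print(f"{name:10s} {blast_radius(name)}")
        print(f"{'':10s} persists as root: {can_persist(name, all_as_root)},"
              f" persists under least privilege: {can_persist(name, least_privilege)}")
```

The persistence check is the part that bears on the “reset from iTunes” argument later on: an attacker confined to Mail’s grants can read mail but cannot rewrite the system image, so a resync genuinely clears the infection, whereas a root compromise can touch anything the restore does not overwrite.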
Dealing with Malware.
The biggest problem for Windows PC users infected with malware isn’t that they lose some type of “root access,” but that a messed up PC is very difficult to fix. There’s no simple way to pull all your data from an infected PC and reinstall everything without wasting a lot of time and likely losing data and settings that are stored who knows where in the system. It’s also a huge pain to have to reinstall all of your PC applications again because of the design of the Windows Registry.
On a Mac, you could do an archive install and cleanly wipe out just the hypothetically infected system, leaving applications and data intact. On the iPhone, iTunes does all that itself. If the iPhone were breached by a nefarious attack, all a user would have to do is sync their data and reset the phone from iTunes, which would reinstall all the system software fresh and resync their data and configurations on top.
In any case, the entire premise of Zetter’s article is flawed; running services as root makes no difference to users, and does not expose them to special rings of evil. Apple has also released rapid patches for addressing vulnerabilities that have been found. Incidentally, they were found in large part because the iPhone is built using a lot of publicly scrutinized, mature code.
Windows isn’t; it’s a black hole of proprietary software that is only “open” in the sense of Pandora’s Box. Which is why Windows–and not just Windows 95–most certainly does not rival the security of the iPhone, hypothetically or in practical terms.
For her outstandingly poor research and sensationalist, emotional pandering, Kim Zetter gets a Zoon. Thanks to Mardis Coers for providing a nomination.