iPhone certificate flaws
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: iPhone certificate flaws
- From: cryptopath@xxxxxxxxx
- Date: Fri, 29 Jan 2010 12:54:01 -0700
iPhones can be configured over the air by inviting users to download
.mobileconfig files from a URL. This feature is used by large companies and
universities to distribute various settings to a large number of iPhones.
For security reasons, these files need to be cryptographically signed to be
trusted and shown as such. It appears that there is a flaw in the trust chain
used by iPhones to validate .mobileconfig signers. Any signature certificate
issued by a root CA present in the Safari keystore will be trusted. This is the
case for e.g. demo certificates delivered by Verisign (Level 1) at no cost and
without any verification.
Using this, it is easy for a phisher to create a mobileconfig file that
redirects all HTTP traffic to a dedicated server, sign it with a certificate
identifying it as issued by an authority of their choice, and have it trusted
by the iPhone. These config files also allow additional root certificates to
be placed in an iPhone, making it possible to mount man-in-the-middle
HTTPS attacks.
More information is available from:
http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/
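
Because a valid signature alone says little here, a reviewer can triage what a profile would change before anyone installs it. The following is an added example, not part of the original post: it uses Python's plistlib, and the sample profile, its wrapper bytes and the key names inside the APN payload are constructed assumptions.

```python
import plistlib

# PayloadType that installs a trust anchor (Apple configuration profile format).
CERT_PAYLOAD_TYPES = {"com.apple.security.root"}

def extract_plist(raw: bytes) -> dict:
    """Slice the XML plist out of a bare or CMS-signed profile (heuristic:
    the wrapper usually carries it in the clear). No signature check is done."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def proxy_settings(node, path=""):
    """Yield (path, value) for every non-empty key whose name mentions a proxy."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if "proxy" in key.lower() and isinstance(value, (str, int)) and value != "":
                yield here, value
            else:
                yield from proxy_settings(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from proxy_settings(item, f"{path}[{i}]")

def audit(raw: bytes) -> list:
    """Report payloads that reroute traffic or add root CAs, signed or not."""
    findings = []
    for payload in extract_plist(raw).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        if ptype in CERT_PAYLOAD_TYPES:
            findings.append(f"{ptype}: installs a root certificate")
        for where, value in proxy_settings(payload):
            findings.append(f"{ptype}: proxy setting {where} = {value}")
    return findings

# Constructed sample: fake wrapper bytes around a profile; the key names inside
# the APN payload are assumptions made for illustration.
SAMPLE = b"\x30\x82" + plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.apn.managed", "PayloadContent": [
            {"DefaultsData": {"apns": [{"apn": "example", "proxy": "192.0.2.10", "proxyPort": 8080}]}}]},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"constructed-cert-bytes"},
    ],
}) + b"\x00constructed-signature-bytes"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Any finding is a reason to confirm the profile's origin out of band, independent of how the device displays the signer.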