iPhones Vulnerable to Forged Signature Certificates

Apple has a list of 224 root certificates that it trusts. As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer. They backed the certificate up to disk, then used iPCU to create a mobileconfig file called “Security Update,” and attributed it to Apple Computer. They then exported it to disk without a signature as an XML file. They then signed the file and its CA trust chain and uploaded it to a Web server.

Opening the file with Safari on an iPhone results in the phone trusting the configuration file.

Charlie Miller verifies that it works, but also states it doesn’t lead to remote code execution. What popped out at me is that VeriSign issued a security certificate in the name of “Apple Computer” without, you know, verifying that it was Apple.

Wednesday, 3 February 2010