Apple iPhone vulnerable to forged VeriSign signature certificates

“The way that the iPhone handles digital certificates… could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones,” Dennis Fisher reports for threatpost.

“Apple has a list of 224 root certificates that it trusts. As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer. They backed the certificate up to disk, then used iPCU to create a mobileconfig file called ‘Security Update,’ and attributed it to Apple Computer,” Fisher reports. “They then exported it to disk without a signature as an XML file. They then signed the file and its CA trust chain and uploaded it to a Web server.”

Fisher reports, “Opening the file with Safari on an iPhone results in the phone trusting the configuration file.”

Full article here.

John Gruber notes for Daring Fireball, “Charlie Miller verifies that it works, but also states it doesn’t lead to remote code execution. What popped out at me is that VeriSign issued a security certificate in the name of ‘Apple Computer’ without, you know, verifying that it was Apple.”

Full article here.

MacDailyNews Take: Yes, why is VeriSign issuing a security certificate in the name of ‘Apple Computer’ without verifying that it’s from Apple?
