6 comments
3 u/effusive_ermine 28 Feb 2016 01:56
To exploit the self-update process, an attacker would have to do at least the following:
intercept the update check, possibly by capturing the domain serving update meta-data (adobe.com for example) or via a MITM
forge a malicious application which will be accepted by the self-update feature and installed over the old application
Both are definitely possible. The second becomes almost impossible if the original application vendor enforces digital signature verification on update bundles before installing them.
This doesn't really apply on most GNU/Linux systems though, where application updates are performed through the package manager. You may trust that your updated application is not infected because:
the updates are served by the same people who made your OS
digital signatures are verified on downloaded packages before installation
2 u/coldacid 28 Feb 2016 14:32
Unless/until some state actor forces the vendor to sign the malware, like the FBI is demanding, or someone gets their hands on the private signing key. And you're wrong that it "doesn't really apply" on open source systems. Just because the user initiates updates instead of the operating system doesn't mean that the signers can't be coerced into signing malware masquerading as an update, or that someone with enough resources can't steal the keys and creds needed to push such malware into a package repository.
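The two attacks effusive_ermine lists (hijacking the update check, forging a bundle) and the caveat coldacid raises (a coerced or stolen vendor key) can be shown against a minimal updater check. The following Go program is an added example, not code from this thread or from any vendor's updater: the manifest layout, the product name, the bundle bytes and the in-process Ed25519 keys are all constructed for the example. The client verifies the vendor signature over the manifest, binds the downloaded bundle to the manifest by digest, and refuses anything that is not newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the update metadata the client fetches before the bundle.
// The field layout is an assumption of this example, not a real vendor format.
type Manifest struct {
	Product string
	Version uint64 // must only ever increase; used for the anti-rollback check
	SHA256  string // hex digest of the bundle this manifest describes
}

// canonical returns the exact bytes that are signed and later verified.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n", m.Product, m.Version, m.SHA256))
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor side: only a holder of priv can produce this.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the vendor key")
	ErrHashMismatch = errors.New("bundle digest does not match the signed manifest")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// VerifyUpdate is the client side. The order matters: nothing in the
// manifest is trusted until its signature checks out, then the bundle is
// bound to the manifest by digest, then downgrades are refused.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig, bundle []byte, installed uint64) error {
	if !ed25519.Verify(vendorPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	if digestHex(bundle) != m.SHA256 {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// RunScenarios exercises the verifier against the cases discussed in the
// thread. Keys are generated in-process and the bundles are constructed
// sample bytes; nothing here is real vendor data.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	bundle := []byte("constructed sample bundle, release 42")
	m := Manifest{Product: "example-app", Version: 42, SHA256: digestHex(bundle)}
	sig := SignManifest(vendorPriv, m)

	evil := []byte("constructed attacker build")
	evilManifest := Manifest{Product: "example-app", Version: 43, SHA256: digestHex(evil)}

	out := map[string]error{}
	// Honest update from release 41 to 42.
	out["genuine"] = VerifyUpdate(vendorPub, m, sig, bundle, 41)
	// MITM on the download: swaps the bundle but cannot alter the signed manifest.
	out["tampered-bundle"] = VerifyUpdate(vendorPub, m, sig, evil, 41)
	// Attacker who captured the metadata domain signs a forged manifest with their own key.
	out["forged-manifest"] = VerifyUpdate(vendorPub, evilManifest, SignManifest(attackerPriv, evilManifest), evil, 41)
	// Replay of a genuinely signed release that is not newer than what is installed.
	out["rollback"] = VerifyUpdate(vendorPub, m, sig, bundle, 42)
	// Vendor key coerced or stolen: the signature is genuine and the check cannot tell.
	out["coerced-vendor-key"] = VerifyUpdate(vendorPub, evilManifest, SignManifest(vendorPriv, evilManifest), evil, 41)
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-20s %v\n", name, err)
	}
}
```

The first four scenarios are what signature verification buys: a swapped bundle, a forged manifest and a replayed old release are all rejected without the client ever trusting the metadata host. The last scenario is the limit coldacid points at: a manifest signed with the genuine vendor key passes every check, so the defence reduces to how the vendor's private key is controlled, which is the same position a distribution's package repository is in.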
0 u/effusive_ermine 29 Feb 2016 01:07
If your adversary has the resources of a nation state, you've got much bigger problems to worry about than application updates.
0 u/Luke_Luck 28 Feb 2016 21:49
I'm not an Apple developer by trade, or even a programmer. But this seemed obvious to me. Why couldn't Apple, in an isolated laboratory environment, take an older, insecure OS, edit it to give it a higher version number than what's on this one phone, and push the update? Why wouldn't that unlock the phone?
1 u/Crashmarik [OP] 28 Feb 2016 22:35
Their claim is that they would have to create a new fork of the OS with those features. Then, once it existed it would permanently compromise the security of every iPhone.
I would be doubtful if they didn't already have something similar. They just bypassed their "Security features" that were bricking iPhones when third parties repaired them. So what I see here is Apple fighting to protect a false sense of security they had been selling.
Just a note, that San Bernardino has no hardware security features, so this could well be much ado about nothing.