[CentOS] Fedora change that will probably affect RHEL

Warren Young wyml at etr-usa.com
Wed Jul 29 19:18:37 UTC 2015


On Jul 29, 2015, at 7:24 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> 
> 
> On Tue, July 28, 2015 19:46, Warren Young wrote:
>> 
>> iPads can’t be coopted into a botnet.  The rules for iPad passwords
>> must necessarily be different than for CentOS.
>> 
> 
> http://www.tomsguide.com/us/ios-botnet-hacking,news-19253.html

So many flaws:

1. It’s just a gloss on a Wired article, which itself is a scare report ahead of publication of a paper that hadn’t been presented at the time of writing.  All this pair of articles says is, “This could happen, and Apple is bad because it can happen!”  Rational response: “With what likelihood can it happen?”  Answer: crickets.

I finally managed to track down the paper, here:

  https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-wang-tielei.pdf

tl;dr: You have to hook the iOS device up to a PC that’s already been rooted.  Then it can infect the iOS device through the previously-trusted iTunes sync channel.

If you’re worried enough about that to do something about it, I want you to tell me your experiences either never using SSH and WiFi PSKs, or always using passphrase protection on them.

I also want you to tell me about how you never download device firmware to a PC, but only direct to the device that needs to be flashed with it, and only from SSL protected hosts.  In most cases, this is a far bigger risk than the iOS flaw you point out, because you don’t need to jump through all the hoops the researchers did in order to exploit the iTunes sync process.

(Oh, and by the way, no, the “23%” value from the paper is not a likelihood.  If 23% of rocks can fall from the sky, it doesn’t mean 23% of rocks *will* fall from the sky.)

2. It’s been a year since that report, during which time Apple have released 8 updates containing security patches for iOS.  Apple doesn’t generally say much, if anything, about security flaws they’ve fixed, so any one of them could have closed this door already.

3. No massive new iOS botnet has appeared in the past year.  Meanwhile, CentOS boxes actually exist in botnets today.

