Old 08-05-2010, 11:35 AM   #16
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Quote:
Originally Posted by toddos View Post
Once you've used this security hole to jailbreak your device, install the PDF Loading Warner tweak from Cydia to prevent other sites from exploiting the hole silently. This will make Safari warn you any time it's about to open a PDF file, so if you didn't just explicitly tell it to open a PDF you would've been hacked without this in place (of course if you say "Yes", you'll be hacked anyway).
Your message seems to say that you will be automatically hacked when you open a PDF. Is that true? Not sure how the hacking works. I was guessing that opening a PDF left you open to hacking because of the two security holes, but that didn't mean you'd be automatically hacked.

Separate questions: If you do open a PDF, how long is the "window" for someone to be able to hack you? How would hackers know when you open a PDF, so that they can time their hacking?

I'm not sure I've ever opened PDFs on my iPad, but I'd like to know this stuff, to judge how much risk there actually is. Some of the news reports said that the weaknesses hadn't been exploited so far, but hacking was expected. How can they tell whether any hacking has happened? Is such a statement credible, or more likely PR spin?
Old 08-05-2010, 01:54 PM   #17
vaughnmr
Ebook Reader
Posts: 605
Karma: 3205128
Join Date: Nov 2009
Location: Texas
Device: Kindle 3, HTC Evo, HTC View
You will only be at risk from "risky" pdf's, so be careful what you open. And yes, if you open a "bad" pdf, you're done.

A good example might be downloading pdf ebooks from the darknet, I definitely wouldn't try that.
Old 08-05-2010, 02:04 PM   #18
dwharrison
Info Geek
Posts: 44
Karma: 622
Join Date: Jul 2010
Device: iPad, iPhone 3GS, Kindle 2
Quote:
Originally Posted by vaughnmr View Post
A good example might be downloading pdf ebooks from the darknet, I definitely wouldn't try that.
Just to clarify that point: this only applies to the Apple PDF viewer and anything that uses it (email, iBooks, etc). Opening even risky PDFs in Goodreader or any other reader that has its own rendering engine should be safe.

Quote:
Separate questions: If you do open a PDF, how long is the "window" for someone to be able to hack you? How would hackers know when you open a PDF, so that they can time their hacking?
It's not that opening the PDF leaves you open to being attacked; the PDF *is* the attack. The severity of the attack depends on what the PDF has been designed to do.

Last edited by dwharrison; 08-05-2010 at 02:06 PM.
Old 08-05-2010, 02:25 PM   #19
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Thanks, guys. So reviewing to make sure I understand:

As long as you open PDFs from a trusted source, as opposed to one rigged by a hacker, you should be fine, right? (I realize there are no absolute guarantees.)

Hackers basically hafta lure you into opening their rigged PDFs, right? Or is it likely that they also will infiltrate some legit site and mess with existing PDFs? I ask because I don't visit the darknet (checked it out and haven't returned), so no risk there. But should I be worried if I need to open a PDF from my bank or such? If there's reasonable risk in such uses, I guess I'd just not open PDFs on iPad till some kinda patch is offered.
Old 08-05-2010, 04:52 PM   #20
toddos
Guru
Posts: 695
Karma: 822675
Join Date: May 2010
Device: Kobo Aura, Nokia Lumia 920 (Freda)
Almost, but not quite. That's true if you're physically opening PDFs, but the hack is that PDFs can be loaded automatically. You navigate to shady site X, and that site automatically loads a hacked PDF with malicious payload. If done correctly, you'll never even know that the site just hacked you.

That's why you need to install the PDF Loading Warner (which can only be done after jailbreaking), to stop Safari from automatically and silently opening PDFs. You can still be hacked even after that, since the warner doesn't fix the hole. It just lets you know that, "Hey, this site here just tried to open a PDF. That could be dangerous. You sure you want to do that?" and allows you to stop the load before it's dangerous. If you allow it through anyway, you can still be hacked.
Old 08-05-2010, 05:38 PM   #21
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Quote:
Originally Posted by toddos View Post
Almost, but not quite. That's true if you're physically opening PDFs, but the hack is that PDFs can be loaded automatically. You navigate to shady site X, and that site automatically loads a hacked PDF with malicious payload. If done correctly, you'll never even know that the site just hacked you.

That's why you need to install the PDF Loading Warner (which can only be done after jailbreaking), to stop Safari from automatically and silently opening PDFs. You can still be hacked even after that, since the warner doesn't fix the hole. It just lets you know that, "Hey, this site here just tried to open a PDF. That could be dangerous. You sure you want to do that?" and allows you to stop the load before it's dangerous. If you allow it through anyway, you can still be hacked.
Yeesh. So without jailbreaking, you're pretty much stuck hoping that you don't stumble into some creepy site? Because it seems pretty easy to read something online, like on this forum, follow a link and end up somewhere that you don't know is trustworthy.

How long do you think it will take for Apple to patch this?

Let's say you take your iPad back to factory settings, and reload all your stuff from iTunes. Would that work to stop whatever unseen hacking might be already at work on your iPad? I ask because someone posted earlier that it's hard to tell whether you've been hacked. Even if you jailbreak now and load the PDF warner, the hackers could already have access, it sounds like. And it doesn't sound as if the jailbreaking and PDF warner could help if that were the case.
Old 08-05-2010, 05:52 PM   #22
toddos
Guru
Posts: 695
Karma: 822675
Join Date: May 2010
Device: Kobo Aura, Nokia Lumia 920 (Freda)
If you want to be sure you're not hacked, resetting to factory and not applying a backup will ensure you're in a good state. Until you browse the web again, because at that point you've introduced the unknown (did you accidentally go to a site that hacked you?). If you want to be completely paranoid, completely wipe and reset your device, immediately go to jailbreakme.com very first thing after the reset, then install PDF Loading Warner before doing any other web browsing.
Old 08-05-2010, 05:56 PM   #23
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Quote:
Originally Posted by toddos View Post
If you want to be sure you're not hacked, resetting to factory and not applying a backup will ensure you're in a good state. Until you browse the web again, because at that point you've introduced the unknown (did you accidentally go to a site that hacked you?). If you want to be completely paranoid, completely wipe and reset your device, immediately go to jailbreakme.com very first thing after the reset, then install PDF Loading Warner before doing any other web browsing.
Yup, that's what I was thinking. I figure if you're gonna go through the effort of jailbreaking and loading the PDF warner, you might as well rule out already carrying a hack aboard.
Old 08-05-2010, 10:38 PM   #24
arcadata
Grand Sorcerer
Posts: 11,230
Karma: 4651787
Join Date: Mar 2009
Device: Kindle, Kindle Fire, iPad, iPod Touch, Sony PRS-350
It's ironic isn't it - the way to protect yourself right now is to jailbreak your device and then apply the warning hack. Apple says it already has a patch, but they haven't released an update yet.

And if they do patch it, doubt that the already jailbroken phones will go for the update. Cause then, how do you jailbreak it again? (I was just looking at the 5 Killer Apps for Jailbroken iPhones - really cool especially the ability to sync via WiFi!)
Old 08-05-2010, 10:44 PM   #25
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Quote:
Originally Posted by arcadata View Post
It's ironic isn't it - the way to protect yourself right now is to jailbreak your device and then apply the warning hack. Apple says it already has a patch, but they haven't released an update yet.

And if they do patch it, doubt that the already jailbroken phones will go for the update. Cause then, how do you jailbreak it again? (I was just looking at the 5 Killer Apps for Jailbroken iPhones - really cool especially the ability to sync via WiFi!)
Yes, it's crazy. ... All the same, I would think that Apple would wanna patch this quick, but do it right. It would be even worse PR-wise if they rushed a patch and there was some kinda problem.
Old 08-06-2010, 12:44 AM   #26
arcadata
Grand Sorcerer
Posts: 11,230
Karma: 4651787
Join Date: Mar 2009
Device: Kindle, Kindle Fire, iPad, iPod Touch, Sony PRS-350
The PDF Loading Warner has a bug though, after you install it, every time you check your Clock app, the Warner pops up to warn you that you're opening a PDF file.
Old 08-06-2010, 01:38 AM   #27
Maggie Leung
Wizard
Posts: 1,449
Karma: 58383
Join Date: Jul 2009
Device: Kindle, iPad
Quote:
Originally Posted by arcadata View Post
The PDF Loading Warner has a bug though, after you install it, every time you check your Clock app, the Warner pops up to warn you that you're opening a PDF file.
Good grief.
Old 08-06-2010, 05:08 AM   #28
Graham
Wizard
Posts: 2,743
Karma: 32912427
Join Date: Feb 2008
Location: North Yorkshire, UK
Device: Kobo H20, Pixel 2, Samsung Chromebook Plus
What's the reason why an app or plug-in that warns if you're about to open a PDF in Safari can't be written to run on an iPad that hasn't been jailbroken?

Graham
Old 08-06-2010, 08:37 AM   #29
dwharrison
Info Geek
Posts: 44
Karma: 622
Join Date: Jul 2010
Device: iPad, iPhone 3GS, Kindle 2
Quote:
Originally Posted by Graham View Post
What's the reason why an app or plug-in that warns if you're about to open a PDF in Safari can't be written to run on an iPad that hasn't been jailbroken?
Because Apple doesn't allow plugins to Safari, so when Safari sees a PDF, it is going to open in the internal PDF viewer.

Getting around this restriction involves either (not sure which) unsupported APIs (which means Apple wouldn't approve it for the app store) or just plain hacking the files (which requires security escalation). Either requires jailbreaking.
Old 08-08-2010, 12:56 PM   #30
kjk
.
Posts: 3,408
Karma: 5647231
Join Date: Oct 2008
Device: never enough
F-secure has a FAQ about the 2 vulnerabilities:
http://www.f-secure.com/weblog/archives/00002004.html

1) It sounds very serious, and affects all iOS devices, including the Touch.
2) There are zero reports of malicious attacks so far.
3) Don't open PDFs, period - not from email, web, or instant messenger until Apple releases a patch. (I've heard possibly this Monday or Tuesday, actually)