Add to del.icio.us     Digg this

August 23, 2010

Apple wants to greatly increase its efforts in preventing iPhone and iPod owners from jailbreaking their devices, and now the company has applied for a new software patent titled "Systems and Methods for Identifying Unauthorized Users of an Electronic Device."

The new patent will cover a series of new security measures to automatically protect iPhones and iPads from thieves and other unauthorized users.

The term "Unauthorized Users" apparently applies to those who engage in jailbreaking, which allows devices to run mobile apps not approved by the company producing the operating system--such as Apple, the main target of such security breaches.

The new patent, which was filed in February 2009 but was only published August 19, describes measures to identify "particular mobile user activities that may indicate suspicious behavior," so that "safety measures" can be taken to restrict the device's functions.

Those activities include the "hacking, jailbreaking, unlocking, or sheer removal of a SIM card," according to the application.

Apple said that it also intends to send warnings to owners via e-mail or text message if and when such activity is ever detected on their devices.

The new software patent also describes a variety of measures that could be used to help identify the unauthorized user, including the activation of a camera that could capture and geotag the device's surroundings, and perhaps current user and then transmit that information to a remote device.

When unauthorized use has been detected, "access to particular mobile apps can be restricted, access to sensitive information can be disallowed altogether, sensitive information can be erased from the electronic device, etc." the application states, effectively hardening the device.

Apple representatives didn't immediately respond to two requests for comment after two emails were sent late Friday.

An unauthorized user can be detected by comparing the identity of the current user to the identities of authorized users of the electronic device.

For instance, a photo of the current user can be taken, a recording of the current user's voice can be recorded, the heartbeat of the current user can be recorded, or any combination of the above. The photograph, recording, or heartbeat can be compared, respectively, to a photograph, recording, or heartbeat of authorized users of the electronic device to determine whether they match.

If they don't match, the current user can be detected as an unauthorized user.

Last month, the U.S. Copyright Office ruled that bypassing a manufacturer's protection mechanisms to allow "mobile handsets to execute software applications" no longer violates federal copyright law.

While the U.S. Copyright Office has declared the software legal, Apple still has repeatedly discouraged users from loading such a bypass, reminding them that doing so will void their device's warranty.

"As we've indicated many times before, the vast majority of iPhone and iPad users don't jailbreak their devices as this can violate the warranty and can cause the iPhone to become unstable and not work reliably," Apple had said in a previous statement in response to the ruling.

Last Monday, hackers exposed a major security flaw about Apple's iPhone and iPad and have now been questioned by a federal grand jury about the security issues, after publishing all the various and intricate details on an AT&T website dedicated for iPad users. The incident has generated a lot of coverage in the media in the last few days.

"Two Goatse analysts, Sloth and Rucas went before a grand jury on August 11," said Andrew Auernheimer, a key member of the hacker group that calls itself Goatse, wrote in an e-mail response to some questions.

Auernheimer and another member of the hacker group declined to give the real names of the individuals who were questioned or to provide additional information in any way, and still remains tight-lipped about the whole story.

Auernheimer, whose hacker handle is "weev," was arrested last June after FBI agents searching his Fayetteville, Ark., home for evidence related to the AT&T case allegedly found drugs.

Auernheimer didn't show up for a court hearing on the drug charges and was arrested on July 21st for failing to appear at the arraignment, said John Threet, a prosecutor in Washington County, Ark.

An arraignment date on all of the charges is set for August 23, Threet said.

The hacker group had gone public about a week earlier by posting an article about the iPad security issue on the AT&T website that exposed the e-mail addresses of about 114,000 iPad users and the serial numbers of the SIM (Subscriber Identity Module) cards in the devices.

This placed iPad users at increased risk of phishing attacks, as well as other potential attacks targeting the iPad specifically, security experts said.

The DoJ (Department of Justice) acknowledged that it and the FBI were conducting a full-fledged criminal investigation into the AT&T incident in a letter addressed to Auernheimer that he posted on the Web last month.

"You are a main target of that investigation," states the letter from U.S. Attorney Lee Vartan. "In the event that I do not hear from either you or an attorney acting on your behalf by June 30, I shall conclude that you do not wish to discuss this matter with my Office. Consequently, I will present evidence to a federal grand jury, which may result in you being named as a defendant in an indictment."

Bryan Travers, a spokesman in the FBI's office in Newark, N.J., which is leading the investigation, said he could not confirm or deny the information because he can not comment on an active case. The reluctance of law enforcement to discuss the investigation makes it difficult to independently verify information from the hacker group.

Auernheimer still insists that his group has done nothing illegal in the case.

"AT&T published private information for the world to see, essentially sticking their private diary on a shelf of the public library. The true extent of how responsible our disclosure was will come out in the trial if there is one."

In other mobile security news (but unrelated), Apple has released a security update that the company says will fix its iOS operating system to address a dangerous security flaw that was exposed by a new jailbreak process about 10 days ago.

So far, the newest iOS version 4.0.2 is the second update to be released by Apple in as many months, and some wireless industry observers say it won't be the last. The first update directly addressed an issue that Apple claimed to have discovered while investigating issues with the antenna design on the iPhone 4.

Before that update, Apple's mobile devices were indicating a signal strength much greater than they were actually receiving. Remember the big antenna problem on the iPhone 4?

Overall, the new jailbreak approach exploited a critical security flaw in Apple's PDF-viewing engine and, by extension, alerted Apple to a significant issue with its proprietary PDF rendering engine.

Add to del.icio.us     Digg this

Source: Apple.