The iPad, like any highly-hyped gadget, seems to scream out to the cybersecurity research community to be hacked. As with the iPhone, new iterations of Mac OS X, or the first Android phones, a certain amount of glory awaits anyone who can be the first to demonstrate a method of remotely taking control of the device.
So why hasn’t the iPad been publicly pwned yet? Not because it would be too difficult, says Aaron Portnoy, a researcher at the security vulnerability tracking firm Tipping Point, but because it would be too easy. “It’s inevitable that someone will do it in the very near future,” he says. “But there’s not a huge push to hack it. In terms of exploitation, it’s just not that different from the iPhone.”
Charlie Miller, the security researcher who’s gained a reputation for being the first to hack Apple devices, tells us that he hasn’t bothered to go after the iPad. After all, the tablet uses the same OS as the iPhone, which he and other researchers have hacked repeatedly since 2007. “I have one. I’m not currently actively trying to break it,” Miller wrote in an email. “Mostly this is because, from a security perspective, it’s just an iPod Touch.”
Miller figures that in some respects the iPad would be slightly harder to hack than other Apple products, while in other ways it would be easier. The vulnerabilities that Miller has typically used to hack MacBooks, for instance, have been found in Safari, and the version of Safari used on the iPad, like the version used on the iPod Touch and iPhone, is far more limited and thus contains fewer vulnerabilities. None of the 20 critical flaws he recently announced that he’d found in Apple’s Preview software apply to the iPhone/iPad version, while all of them apply to the Mac OS X version of the browser.
But Miller points out that the iPad, and the iPhone OS in general, has other security disadvantages. Most importantly, unlike the Mac platform, it doesn’t randomize where commands are placed in memory, a feature known as address space layout randomization, or ASLR. That missing safeguard matters: all Apple products use Data Execution Prevention, or DEP, a feature that prevents an attacker’s injected code from running. Instead, an attacker has to hijack existing commands in applications, which becomes tougher when those commands sit at random locations in each machine’s memory. So the lack of ASLR vastly weakens DEP as a safeguard.
Case in point: At the CanSecWest conference’s Pwn2Own competition, researchers Vincenzo Iozzo and Ralf Philipp Weinmann skirted around the iPhone’s DEP safeguards and managed to steal the phone’s SMS data. Weinmann told us that although he can’t describe his exploit in much detail–by using it in the contest it became property of the contest’s organizers, Tipping Point’s Zero Day Initiative–he believes a form of the same attack would work on any instance of iPhone OS. “All of the stuff we’ve done on the iPhone would be transferable to the iPad,” he says.
Weinmann’s and Iozzo’s exploit wouldn’t actually compromise the iPad in the attack’s current incarnation, says Aaron Portnoy, the Tipping Point researcher who has had access to the code. But he says it would likely just take “some tweaking.” “The build of Safari is slightly different,” he says. “You’d just have to port it to a different version of the software, which would take some debugging.”
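As an added illustration of the ASLR and DEP safeguards described above (not part of the original article, and going beyond it): on Apple platforms each executable's Mach-O header records whether it is built position-independent (`MH_PIE`, the per-binary prerequisite for a randomized load address) and whether stack or heap execution is permitted. The Python sketch below reads those flags; the constants come from Apple's `<mach-o/loader.h>`, while `macho_hardening`, `build_header` and the sample headers are constructed for this example.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_ALLOW_STACK_EXECUTION = 0x20000   # all stacks in the task are executable
MH_PIE = 0x200000                    # main executable may load at a random address
MH_NO_HEAP_EXECUTION = 0x1000000     # heap is non-executable

def macho_hardening(header: bytes) -> dict:
    """Report ASLR/DEP-related flags from the first 28 bytes of a thin Mach-O file."""
    if len(header) < 28:
        raise ValueError("too short for a Mach-O header")
    # The magic number tells us the byte order the header was written in.
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", header, 0)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (fat files need per-slice parsing)")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    flags = struct.unpack_from(endian + "7I", header, 0)[6]
    return {
        "64bit": magic == MH_MAGIC_64,
        "pie": bool(flags & MH_PIE),
        "stack_exec_allowed": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "heap_exec_disabled": bool(flags & MH_NO_HEAP_EXECUTION),
    }

def build_header(flags: int, magic: int = MH_MAGIC, endian: str = "<") -> bytes:
    """Constructed sample header (not taken from any real binary): ARM executable."""
    CPU_TYPE_ARM, MH_EXECUTE = 12, 2
    return struct.pack(endian + "7I", magic, CPU_TYPE_ARM, 0, MH_EXECUTE, 0, 0, flags)

if __name__ == "__main__":
    BASE = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, common linker defaults
    for label, flags in [("no PIE", BASE), ("PIE", BASE | MH_PIE),
                         ("exec stack", BASE | MH_ALLOW_STACK_EXECUTION)]:
        print(label, macho_hardening(build_header(flags)))
```

A set `MH_PIE` bit only marks the binary as relocatable; randomization happens only if the operating system loading it implements ASLR.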
The fact that Apple products can be hacked, despite Apple’s promise that its machines are secure “right out of the box,” should no longer come as a surprise. Instead, the argument has shifted to whether Apple’s security problems matter, given that cybercriminals target them so much less frequently due to their low market share. But it’s worth remembering that when a cyberspy is determined to steal specific data from a target who happens to use a Mac–or in this case an iPad–market share doesn’t enter the equation.
So while it’s hard to imagine a malicious virus or worm targeting the iPad any time soon, very sensitive data would still be vulnerable to targeted attacks. Maybe a good reminder for NSA Chief Keith Alexander, who is a proud iPad owner.