There are several flaws in the way that the iPhone handles digital certificates which could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious file onto their iPhones. The attack is the end result of a number of different problems with the way that the iPhone handles over the air provisioning, trusted root certificates and configuration files. But the result of the attack is that a remote hacker may be able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chose, and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from the iPhone.
The chain of vulnerabilities and the attack was outlined in an anonymous blog post on the iPhone flaws last Friday. Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone.
"It definitely works. I downloaded the file and ran it and it worked, Miller said". The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and that it's been verified.
The problems start with the fact that the iPhone signs its own credentials using a certificate signed by Apple when it is requesting a configuration file from a remote server during the provisioning process. the only way to establish the validity of the Apple certificate is to verify each of the certificates that leads to the Apple root certificate authority, and that can only be done by getting the data from a jailbroken iPhone.
Interestingly, the Apple root CA on top of the iPhone chain is not the same as the one published on the Apple web site. Fetching the root certificate published on Apple's web site shows "Serial Number: 2"
