While it does not allow remote code execution, the fake-certificate flaw could enable many other attacks on an iPhone.
"By setting a new HTTP proxy, it is possible to re-direct all HTTP traffic from the iPhone to an arbitrary server on the net. Modifying root certificates makes it possible to act as man-in-the-middle to hijack SSL (HTTPS) connections too," the researcher said. "Obnoxious modifications can be brought to the phone like prohibiting the use of Safari, mail and other apps, or adding extra VPN, WiFi or email settings."
The attack centres on the mobileconfig file, Apple's configuration-profile format: an XML property list, optionally signed, that a server hands to the iPhone. The profile carries the settings to be installed and can also direct the phone to a provisioning server to request its own credentials.
When the iPhone makes such a request it signs it with an Apple-issued device certificate, and validating that signature requires a chain of trust up to Apple's root CA. The researchers jailbroke an iPhone to extract this root of trust and found that the self-signed root certificate on the device is not the same as the one published on Apple's website, even though the two share the same key identifier.
"It looks like somebody reused the same keyset to generate a second certificate," the post said. "Hard to tell whether this is an oversight or intentional, but the fact is: you cannot technically relate an iPhone signature to the Apple root CA certificate published on their web site."
The researcher obtained a demo certificate from VeriSign, a CA the iPhone already trusts, with "Apple Computer" as its subject name. He then created a mobileconfig file with the iPhone Configuration Utility (iPCU), declared Apple Computer as the issuing organisation, signed the profile with the demo certificate and placed it on a public HTTP server for the iPhone to fetch. The signature therefore chained to a trusted root, and the name the phone could show the user was whatever the certificate said.
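As an added illustration (not the researcher's code, nor anything published with the article), the following shell script re-creates the procedure with openssl. Two throw-away roots stand in for the VeriSign demo CA and for Apple's real root; a leaf certificate with the common name "Apple Computer", issued by the first, signs a minimal mobileconfig profile. Checking the signature against "any trusted CA" accepts it and reports the chosen name, while checking it against the one pinned root rejects it. A second self-signed certificate over the same root key then shows the "same key ID, different certificate" situation described above: the public key digests match, the certificate fingerprints do not. The CA names, file paths and profile contents are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the original article or from the researcher.
# Re-creates the trust failure with openssl. CA names, paths and the profile
# contents below are assumptions made for this demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two throw-away roots: demo-ca stands in for the public CA that issued the
# researcher's demo certificate, pinned-root for Apple's real root.
make_pki() {
  for ca in demo-ca pinned-root; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
  done
  # Leaf certificate: the subject CN is simply a string chosen by whoever
  # requested the certificate; demo-ca issues it without further checks.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Apple Computer" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/demo-ca.pem" \
    -CAkey "$WORK/demo-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# A minimal configuration profile claiming to come from "Apple Computer";
# an attack profile would carry proxy, root-certificate or VPN payloads.
build_profile() {
  cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.demo-profile</string>
  <key>PayloadUUID</key><string>6B7F2C4E-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Demo Profile</string>
  <key>PayloadOrganization</key><string>Apple Computer</string>
  <key>PayloadContent</key><array/>
</dict>
</plist>
EOF
}

# Signed profiles are CMS (PKCS#7) with the plist embedded, so sign opaquely.
sign_profile() {
  openssl cms -sign -binary -nodetach -outform DER \
    -signer "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
    -in "$WORK/profile.mobileconfig" -out "$WORK/signed.mobileconfig"
}

# Verify the signature against exactly one trusted root; exit 0 means valid.
verify_profile() {
  openssl cms -verify -inform DER -in "$WORK/signed.mobileconfig" \
    -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

# What a naive installer shows the user after a successful chain check: the
# signer's CN, taken straight from the certificate.
signer_cn() {
  openssl cms -verify -inform DER -in "$WORK/signed.mobileconfig" \
    -CAfile "$WORK/demo-ca.pem" -signer "$WORK/signer.pem" \
    -out /dev/null >/dev/null 2>&1
  openssl x509 -in "$WORK/signer.pem" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=//'
}

# "Same key ID, different certificate": a second self-signed certificate over
# pinned-root's existing key pair. A Subject Key Identifier is conventionally
# a hash of the public key, so both certificates share it, but only the
# certificate fingerprint tells them apart.
make_twin_root() {
  openssl req -x509 -new -key "$WORK/pinned-root.key" -days 2 \
    -subj "/CN=pinned-root" -out "$WORK/pinned-root-twin.pem" >/dev/null 2>&1
}
pubkey_digest() { openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | sed 's/.*= //'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'; }
twin_root_check() {
  orig="$WORK/pinned-root.pem"; twin="$WORK/pinned-root-twin.pem"
  [ "$(pubkey_digest "$orig")" = "$(pubkey_digest "$twin")" ] || return 1
  [ "$(cert_fingerprint "$orig")" != "$(cert_fingerprint "$twin")" ] || return 1
  echo "same public key, different certificate fingerprint"
}

make_pki && build_profile && sign_profile && make_twin_root
echo "signer name shown to the user: $(signer_cn)"
if verify_profile "$WORK/demo-ca.pem"; then
  echo "any-trusted-CA check: ACCEPTED (what the iPhone did)"
fi
if verify_profile "$WORK/pinned-root.pem"; then
  echo "pinned-root check: accepted"
else
  echo "pinned-root check: REJECTED (chain does not end at the pinned root)"
fi
twin_root_check
```

The two verify calls are the whole point: the same signed profile passes when the verifier trusts any CA in its store and fails when it insists on one specific root, and the displayed name "Apple Computer" is never checked against anything. Pinning by certificate fingerprint rather than by key identifier is what the twin-root check argues for.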
Charlie Miller, a renowned iPhone security researcher, verified that a proof-of-concept demo file worked, and appeared to be signed by Apple.