Code execution exploit dings iPhone

Summary: Researchers at Security Evaluators have found what is believed to be the first remote code execution flaw affecting the device -- a bug that can be used to take full control of an iPhone surfing to a rigged Web site.

TOPICS: Browser, iPhone, Mobility

Apple's iPhone has failed the security smell test.

Researchers at Security Evaluators have found what is believed to be the first remote code execution flaw affecting the device -- a bug that can be used to take full control of an iPhone surfing to a rigged Web site.

Dr Charlie Miller, a well-known hacker and former NSA employee, has published basic details on the vulnerability and says full disclosure will come at this year's Black Hat Briefings in Las Vegas.

A special Web site (http://www.exploitingiphone.com) has been created to demo the bug, which is triggered when an iPhone user visits the site with the embedded Safari browser. A preliminary paper with some technical details is available here (.pdf).

[We] created an exploit for the Safari browser on the iPhone. We used an unmodified iPhone to surf to a malicious HTML document that we created. When this page was viewed, the payload of the exploit forced the iPhone to make an outbound connection to a server we controlled. The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection. All of this data was collected automatically and surreptitiously. After examination of the filesystem, it is clear that other personal data such as passwords, emails, and browsing history could be obtained from the device. We only retrieved some of the personal data but could just as easily have retrieved any information off the device.

Miller says there are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example:

  • An attacker-controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
  • A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
  • A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
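
The first delivery vector above rests on one policy decision: a remembered network is identified by its name and encryption type alone, so any access point that advertises the same pair is treated as the trusted one. The Python below is an added example written for this page, not code from the article or from the researchers' paper. It puts that weak auto-join policy next to a hardened one that only rejoins silently on evidence a rogue AP cannot produce by choosing a name: the BSSID pinned on the first manual join for home networks, or the verified authentication-server identity for 802.1X networks (modelled here as a plain string). All SSIDs, BSSIDs and server identities are constructed sample values.

```python
# Added example, not from the article or from the researchers' paper.
# It models the auto-join weakness in the first delivery vector: a network
# remembered only by SSID + security type is matched by any access point that
# advertises the same name, so the hardened policy gates silent rejoining on
# something a rogue AP cannot copy by picking a name. All SSIDs, BSSIDs and
# server identities below are constructed sample values.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Beacon:
    """What a scan returns for one access point: advertised name, security
    type, and the AP's hardware address (BSSID)."""
    ssid: str
    security: str      # "OPEN", "WPA2-PSK" or "WPA2-EAP"
    bssid: str


@dataclass
class KnownNetwork:
    """A remembered network. The weak policy uses only ssid/security; the
    hardened policy also pins the BSSID seen on the first manual join, or, for
    802.1X networks, the identity of the authentication server whose
    certificate was verified on that join (modelled here as a plain string)."""
    ssid: str
    security: str
    pinned_bssid: Optional[str] = None
    pinned_server_id: Optional[str] = None


def weak_autojoin(known: Iterable[KnownNetwork], beacon: Beacon) -> bool:
    """The behaviour the article attributes to the iPhone: connect
    automatically whenever name and security type match a remembered network."""
    return any(k.ssid == beacon.ssid and k.security == beacon.security
               for k in known)


def hardened_autojoin(known: Iterable[KnownNetwork], beacon: Beacon,
                      server_id: Optional[str] = None) -> str:
    """Return "join" (connect silently), "prompt" (ask the user first) or
    "ignore" (not a remembered network).

    OPEN:     never rejoin silently; anyone can broadcast the same name.
    WPA2-PSK: rejoin silently only from the pinned BSSID. The 4-way handshake
              already proves the AP knows the passphrase, so this is defence in
              depth against a rogue AP that has obtained it.
    WPA2-EAP: rejoin silently only when the authenticated server identity
              matches the pinned one.
    """
    for k in known:
        if k.ssid != beacon.ssid or k.security != beacon.security:
            continue
        if k.security == "WPA2-PSK" and beacon.bssid == k.pinned_bssid:
            return "join"
        if (k.security == "WPA2-EAP" and k.pinned_server_id is not None
                and server_id == k.pinned_server_id):
            return "join"
        return "prompt"
    return "ignore"


# Constructed remembered-network list for the demonstration.
KNOWN_NETWORKS = [
    KnownNetwork("CoffeeShop", "OPEN"),
    KnownNetwork("HomeNet", "WPA2-PSK", pinned_bssid="02:00:00:00:00:01"),
    KnownNetwork("CorpNet", "WPA2-EAP", pinned_server_id="radius.corp.example"),
]


def evaluate_scan(beacons: Iterable[Beacon], known=KNOWN_NETWORKS):
    """Run both policies over a scan result; returns (ssid, bssid, weak, hardened)
    tuples so the difference between the two policies is visible side by side."""
    return [(b.ssid, b.bssid, weak_autojoin(known, b), hardened_autojoin(known, b))
            for b in beacons]


if __name__ == "__main__":
    # A rogue AP that merely reuses the coffee shop's name, and a home AP with
    # an unexpected BSSID: the weak policy joins both without asking.
    scan = [
        Beacon("CoffeeShop", "OPEN", "02:00:00:00:00:99"),
        Beacon("HomeNet", "WPA2-PSK", "02:00:00:00:00:42"),
        Beacon("HomeNet", "WPA2-PSK", "02:00:00:00:00:01"),
        Beacon("Unknown", "OPEN", "02:00:00:00:00:55"),
    ]
    for row in evaluate_scan(scan):
        print("%-12s %s weak=%-5s hardened=%s" % row)
```

The point of the side-by-side output is that the rogue open network and the home network seen from an unfamiliar BSSID both get `weak=True`, whereas the hardened policy returns `prompt` for them and `join` only for the pinned home AP. Prompting rather than refusing keeps the user in control when an AP is legitimately replaced.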

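The forum vector in the second bullet is the stored-HTML problem: a board that echoes a user's post back to other readers without neutralising its markup lets that post carry whatever markup the reader's browser will act on. The sanitiser below is an added example written for this page, not code from the article or from the researchers; it uses only the Python standard library and keeps an allowlist of harmless tags, drops everything else (including the text inside `script` and `style`), and lets an `a` element keep its `href` only for absolute `http`/`https` URLs. The tag and attribute sets are illustrative choices; a production forum should run a maintained sanitiser library with the same allowlist approach rather than hand-rolled parsing.

```python
# Added example, not from the article or from the researchers' paper: an
# allowlist sanitiser for user-submitted forum posts, built on the standard
# library's HTMLParser. Unknown tags are dropped but their text is kept;
# script/style bodies are dropped entirely; all text is re-escaped on output.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is discarded
SAFE_URL_SCHEMES = {"http", "https"}      # rejects javascript:, data:, relative
VOID_TAGS = {"br"}                        # emitted without a closing tag
DROP_CONTENT_TAGS = {"script", "style"}   # tag and body both removed


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []   # allowed tags currently open, closed in order
        self.drop_depth = 0    # > 0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                      # tag vanishes; its text is still kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in SAFE_URL_SCHEMES:
                    continue            # drop the attribute, keep the link text
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return                      # a self-closing <script/> has no body
        depth = len(self.open_stack)
        self.handle_starttag(tag, attrs)
        if len(self.open_stack) > depth:  # it was emitted and opened: close it
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if tag in self.open_stack:
            # Close anything opened after it too, so output stays well-formed
            # even when the post interleaves tags like <b><i>x</b></i>.
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()                    # flush any buffered text
        while self.open_stack:          # close tags the author left open
            self.out.append("</%s>" % self.open_stack.pop())
        return "".join(self.out)


def sanitize_post(raw_html: str) -> str:
    """Return a version of a user post that contains only allowlisted markup."""
    parser = PostSanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts, the kind of content a forum must not echo raw.
    samples = [
        '<b>Hello</b> <script>alert(1)</script>everyone',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="https://example.com/?a=1&b=2">ok</a>',
        '<img src=x onerror=alert(1)><i>unclosed',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_post(s)))
```

Comments and declarations are dropped because the base class ignores them by default, and every piece of text passes through `escape` on the way out, so a post cannot smuggle markup in as pre-encoded entities either: the parser decodes them and the sanitiser re-encodes them.
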
When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges.

In Miller's proof-of-concept, the exploit code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker.

He warns that this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.

Apple has been notified and is researching a fix.

See more at New York Times. Techmeme discussion.

Talkback

17 comments
  • That didn't take long...

    ... and what a great exploit! One trip to a bad website and your data is owned by someone else. Now, whilst I'm not exactly known as an admirer of M$, it has to be said that this exploit makes some of their exploitable bugs look almost harmless in comparison.

    Apple better get moving on the fix....
    bportlock
  • Say it isn't so ?!?!?!?!

    Not to worry anyway, APPLE being the cool company that it is will fix this immediately. Unlike Microsoft who sits on their britches to fix things, because they want to sell their newer things.
    None_Zealot
  • hacker believe orther mobiles likely have similar vulnerability...

    don't you think that's an important thing to note?

    "...He said he suspected that phones based on the Windows mobile operating system would be similarly 'attackable,' though he had not yet heard of any attacks."
    doctorSpoc
    • not necessarily true

      true but the wm5 or wm6 phone's browser may have already had this exploit fixed - so it may not be true

      and my wm5 mobile phone doesn't have a safari browser...
      guylwalker@...
      • but is it not important to report that the hacker thinks it likely...

        that other mobiles likely have the same vulnerability? he seems like a pretty smart guy.
        doctorSpoc
        • The only thing he knows for sure is that ....

          ... the iPhone does. The rest is idle speculation. I think it might rain here tomorrow but that doesn't mean it will.
          ShadeTree
  • It'll get fixed quickly

    The iPhone is so new and different there were bound to be some unforeseen glitches. The thing is, this is proof of concept, not an in-the-wild exploit. It will get fixed quickly and be forgotten.

    It's interesting because where Apple is usually the smaller target for hackers, the iPhone has garnered so much attention, it is now in the spotlight of hackers in the mobile device world. The thing everyone seems to forget is that even though it might be technically possible to do this, there haven't been a lot of widespread mobile attacks, and there's no reason to think there are going to be.

    My point is, people found a hack because they were looking really hard. Has anyone looked this hard at windows mobile or palmOS?
    pir8matt
    • ya don't say.....

      [i]It's interesting because where Apple is usually the smaller target for hackers, the iPhone has garnered so much attention, it is now in the spotlight of hackers in the mobile device world.[/i]

      Really? All I ever heard was that OS X was just better, and that market share had nothing to do with why the Mac was so secure. Now I find out that the only reason the iPhone is having problems is because it's popular and an inviting target. I find this revelation odd.
      Badgered
      • better doesn't equal perfect no one says it's perfect just better nt

        ...
        doctorSpoc
        • It would seem not in this case!

          Better how? The exploit was more severe and discovered faster so you must mean faster to market with critical exploits.
          ShadeTree
          • SO... an exploit that will be fixed before it's in the wild you mean?

            here are some quotes from the researcher...

            [i]He said he suspected that phones based on the Windows mobile operating system would be similarly "attackable," though he had not yet heard of any attacks.[/i]... just as vulnerable, it's just that the exploit hasn't been written yet.. but i bet from the clues in this report they are being written as we speak...

            [i]"I will think twice before getting on a random public WiFi network now," but his overall opinion of the phone has not changed. "You'd have to pry it out of my cold, dead hands to get it away from me," he said[/i]... in spite of his exploit he has enough faith in the device to continue to use it.. in fact he uses the cold, dead hands phrase to show how much he loves the device... i don't hear him heaping accolades on WinMobile or other devices..

            ...so what's your point again? oh yeah.. you didn't have one.
            doctorSpoc
        • Well, avoiding the point is a good strategy I suppose

          [i]better doesn't equal perfect no one says it's perfect just better[/i]

          Here's the point... try to keep up. Why is it that BEFORE NOW all I ever heard was "market share has nothing to do with security" and now to defend the iPhone people say "well it's only because the iPhone is so popular that it's getting attacked"?

          If that is true, then everything the "Windows Zealots" have been saying is true. Apple has, until now, been the benefactor of security through obscurity. That appears to be changing.
          Badgered
          • you read one story with one person's opinion and it changes everything 4 u?

            i don't know where you get your info but you seem pretty lost... so i imagine it must be from complete idiots..

            now your turn to keep up... anyone with half a brain realizes that at the end of the day what really matters is how safe a device is.. not how many vulnerabilities it has.. not if some researcher has created some obscure exploit in a lab... vulnerabilities are a red herring. what really matters is exploits and more specifically exploits in the wild that are actively being exploited.. and devices with windows are the least safe devices on the planet... number of exploits will likely be related to market share and this contributes to windows boxes being less safe than other boxes... but in no way does it then follow that just because other OSs have a smaller market share that devices with the other OSs are any less secure but the obscurity of the OS likely does make them even safer than if they were more popular.

            "market share has nothing to do with security"... it doesn't... but obscure OSs are not perfect so they are safer than they might be if they were more popular... but then you can't say they are necessarily less safe than another OS... that the only thing protecting them is their obscurity... your logic is deeply flawed

            "well it's only because the iPhone is so popular that it's getting attacked"... i have no idea what point you're trying to make here? if it's more popular it will be attacked more does that make it less secure (i.e. have more vulnerabilities/flaws in code) than another device... no! it doesn't even mean that it's less safe (i.e. fewer exploits in the wild) than another device... it just means that it is less safe than it might have been had it been less popular...

            read what i wrote again i have a sneaking suspicion because of your response to my 1st post that you didn't understand what i wrote.. read it one more time.

            you are drawing lines and reaching conclusions that just don't follow.. you need to understand that there are vulnerabilities and exploits (two very different things) and that the relative safety of using a device is dependent on many things... rethink your conclusions they actually don't make sense.
            doctorSpoc
    • They look at them just as hard and ....

      ... have for much longer. Nice dodge though!
      ShadeTree
  • iphone safety

    okay for all the ignorant morons out there,
    i went through the iphone exploit.. google metasploit iphone
    it seems all processes run as root! how stupid is that?!?
    for those who don't understand what root or a process is... in layman's terms "iphones are very insecure and there will be hacks a dozen very soon" unless someone loads another operating system onto it.. like linux maybe :)
    and yes.. i work for microsoft.. and yes wm6 works good for me
    eric_cartman