iPhone Hacking: Security Vulnerability Allows Full Remote Control From Malicious Web Sites
By Angsuman Chakraborty, Gaea News NetworkTuesday, July 24, 2007
Security researchers Charlie Miller, Jake Honoroff & Joshua Mason claimed and then demonstrated a prrof-of-concept vulnerability in iPhone which can be used by any website to inject codes in iPhone which will allow full remote control of your iPhone over the internet. The hackers can do everything you can do with your iPhone remotely. They can take pictures and send them, make phone calls, more importantly send all your personal data including SMS text messages, contact information, call history, voice mail information to any remote server. Read on to find more on iPhone’s architectural issues and on this vulnerability and how it can affect you as an iPhone user.
iPhone runs stripped down and customized version of Mac OS X on an ARM processor. Much of the device’s claimed security is reliant on its restrictions against running third party applications. The inbuilt Safari browser executes only Javascript code ensuring that all third party applications executes in a sanboxed environment; even Flash support has been removed from the customized version of Safari. Many filetypes cannot be downloaded. These steps reduces the attack vectors of the device.
However these researchers found out there are serious problems with the design and implementation of security on the iPhone, most glaring of which is that all interesting processes runs with administrative (root) privileges. This implies that a compromise of any application gives an attacker full access to the device. iPhone doesn’t utilize widely accepted practices like address randomization or non-executable heaps, which makes it easier to develop stable exploit code once a vulnerability is discovered. So in summary not only a vulnerability has been discovered and an exploit demonstrated, iPhone’s weak architectural decisions wrt. security makes it easy to create stable exploits for future vulnerabilities too.
Researchers created an exploit for the Safari browser on iPhone. They used an unmodified iPhone to surf to a malicious HTML document (web page) they created. When the page was viewed, the exploit code forced the iPhone to make an outbound call to the server they controlled. The compromised iPhone then send personal data including SMS text messages, contact information, call history and voice mail information over this connection. All the data was collected automatically and surreptiously. Examination of the file system revealed that other personal data such as passwords, emails and browsing history could also be obtained remotely from compromised iPhone.
They also made a second exploit which performs physical action on the iPhone. The payload from that exploit forced the iPhone to make sounds and vibrate. Using API functions they discovered they could also have recorded audio (remote snooping device) and later transmitted it over the network.
The two ways iPhone can be easily compromised are through email and HTML. Their paper also talked about a man-in-the-middle attack where a advertised free WiFi hotspot can be used to invisibly inject iPhone exploit code to obtain complete control over your iPhone. This is more insidious in some ways and can also allow for automatic exploitation of iPhones within a target area. For an enterprising hackers all iPhones in the vicinity can be used for remote surveillance and more, much more.
Tags: Gadgets, iPhone, Mac, Safari