Researchers Crack the iPhone

By Lisa Vaas  |  Posted 2007-07-23

Updated: Apple's popular multifunctional device can be exploited for data theft or snooping purposes, according to a security firm.

A security firm has run the first remote exploits on Apple's iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.

A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—have created an exploit for the iPhone's Safari Web browser in which an unmodified device is used to surf to a maliciously crafted drive-by download site. The site delivers exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.

The compromised device can then be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.
"We only retrieved some of the personal data, but could just as easily have retrieved any information off the device," the researchers said in a report.

The researchers also wrote a second exploit to turn an iPhone into a bugging device that records audio and then transmits it for later collection by a malicious party. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they could also force the phone into other physical actions, including dialing phone numbers or sending text messages.

Charlie Miller told eWEEK in an interview that the iPhone not only fell hard, it fell fast. "I was a little surprised how quickly and easily it was—two or three days…." to get to a point where the firm knew their exploits would work, he said, and then one and a half weeks total until the researchers had working exploits. "It was a little scary how easy it was."

There's no reason why others might not have already cracked the device, Miller said. "We're good at what we do but there are thousands of people just as good as us in the world," he said. "We did it so quickly, it's hard to imagine someone else [who's] skilled and motivated couldn't have done the same thing."

The iPhone runs a streamlined, customized version of the Mac OS X operating system on an ARM processor. Much of its security posture relies on restrictions against running third-party applications; the only code a user can introduce is JavaScript, which executes in the device's Safari browser within a sandbox environment. The Safari browser itself has been stripped down as well: Apple, of Cupertino, Calif., gave up plug-ins such as Flash and the downloading of many file types, for example, to minimize the iPhone's attack surface. However, that still leaves "serious problems" with the way security has been designed and implemented on the device, the researchers said.

The researchers said the most egregious problem with the iPhone's security profile is that it runs all important processes with full administrative privileges, meaning that an attacker who compromises any iPhone application gains full access to every capability on the device. The problem is specific to the iPhone: the scaled-back rights that ordinary processes have on Mac desktops were lost somewhere along the line in the device's design. "[Apple does] things better on the desktop than the iPhone," Miller said.

He suggested that one reason Apple may have done security differently with the iPhone's version of Mac OS X is that, ordinarily, you'd expect only one user on one phone. "I think why everything runs as it does [with the rights of an administrator on the iPhone] may be because with a phone, basically, you don't ever expect to have more than one user," Miller said. "All the data on there's probably [belonging to only] the one user." But that's just a guess, he said.

At any rate, Apple could have tripped Miller up by limiting the amount of data each application is allowed to access. "I think it makes sense to have it where applications can only access data needed by that one application," he said. "If they had done that, I would have only been able to break into the Safari Web browser and read only the browser information," instead of being able to force the phone to cough up the extensive information he got out of it, "much less dial a phone number" and the other actions, Miller said.

In both exploits—access to sensitive information and tinkering with physical controls—the compromised process is running as root, meaning that an attacker can control the phone completely. "Once you get your foot in the door, you can do whatever you want," Miller said. Curbing administrative rights so as to curtail the reach of a successful attacker is a lesson learned long ago by Microsoft, for one.
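The design lesson Miller draws, that a process handling untrusted input such as a Web page should not hold root, is illustrated by the following added example. It is not code from the researchers or from Apple: it shows the standard Unix pattern of permanently dropping root to an unprivileged identity before untrusted work begins, then verifying that root cannot be regained and that a root-only file is no longer readable. The uid/gid 65534 (conventionally "nobody") and the path /etc/shadow are assumptions chosen for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root privileges to the given unprivileged uid/gid.
 * Order matters: supplementary groups first, then gid, then uid, because
 * once the uid is no longer 0 the earlier calls are not permitted.
 * Returns 0 on success (or if the process was never root), -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) {
        return 0;                       /* nothing to drop */
    }
    if (setgroups(0, NULL) != 0) {      /* clear supplementary groups */
        return -1;
    }
    if (setgid(gid) != 0) {
        return -1;
    }
    if (setuid(uid) != 0) {
        return -1;
    }
    /* setuid(), not seteuid(): the real and saved uids change too, so the
     * drop is irreversible. Verify that by trying to become root again. */
    if (setuid(0) == 0) {
        return -1;                      /* should never succeed */
    }
    return 0;
}

/* Stand-in for what a compromised browser process would attempt after
 * exploitation: read a file that only root should be able to open.
 * Returns 1 if readable, 0 if denied or missing. */
int can_read(const char *path) {
    return access(path, R_OK) == 0 ? 1 : 0;
}

int main(void) {
    /* Assumed uid/gid 65534 ("nobody") and an assumed root-only path. */
    printf("before drop: euid=%d shadow_readable=%d\n",
           (int)geteuid(), can_read("/etc/shadow"));
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after drop:  euid=%d shadow_readable=%d\n",
           (int)geteuid(), can_read("/etc/shadow"));
    return 0;
}
```

Run as root the second line reports euid 65534 and the shadow file unreadable; run as an ordinary user nothing changes, which is the point: the code that parses the attacker's page should already be in that state before the page arrives, so a successful exploit yields only what the browser itself could touch.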
In its latest operating system release, Vista, one of the most notable security boosts is UAC (User Account Control), a security feature that limits user privileges as much as possible for most of a user's interaction with the desktop. User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it limits the operating system surface an attacker can latch onto. Not only does UAC limit the effectiveness of malicious code, but Microsoft, in creating it, also stands a good chance of breaking developers' habit of granting too many rights, Gartner analyst Neil MacDonald has