iPhone Coughs Up First Bugs

Researchers are already finding iPhone security issues, including at least one Safari browser bug and a voice mail vulnerability.

Even as the iPhone drew its first breath, security researchers were squeezing it to make it cough up its first bugs.

In a nutshell, the security quibbles, theoretical or otherwise, are that at least one Safari browser bug that was known prior to device launch is still on the phone, and that anyone can listen to users voice mail because spoofing Caller ID is so easy with AT&T/Cingular service.

Errata Securitys Robert Graham said on July 1 that, after waiting a day to get an iPhone activated, the security firm found a bug within a few minutes—although it was familiar from being one of a group of bugs the company had found earlier in the Safari browser. Erratas Dave Maynor found multiple bugs in the beta of Safari for Windows within hours of the betas June 11 release—at least one of which, he found, could be weaponized.

/zimages/4/28571.gifClick here to read about a Microsoft Exchange Server 2007 update aimed at solving e-mail access problems for the iPhone.

Errata also found that its Bluetooth fuzzer locked up the iPhone—a promising sign of further bugs to come after the firm has had time to dissect the reason for the crashes. Errata isnt handing over any of these vulnerability details to Apple until the company publishes "acceptable vulnerability handling guidelines," Graham said—an Errata vulnerability policy of fairly long standing, given the bad blood between the two companies.

Back in February, after Maynor claimed that Windows Vista is more secure than OS X 10.4.8, he described Erratas disclosure policy, saying in part, "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pen testing."

Errata on its blog gave a list of questions it still wants answered about iPhone security:

  • What ports are listening on the device
  • What services will it automatically connect to (looks like it automatically connects to known access points)
  • What processor are they are running? Samsung? XScale?
  • Are they running with an MMU?
  • Is everything running as root?
  • How hard is it going to be to get a jtag interface running on that thing?
  • Can we get a hack going that gives us good access without much knowledge (e.g. a Java for QuickTime bug that would allow us to dump memory contents to the screen)?

And then theres the ability to spoof Caller ID and thus exploit a voice mail vulnerability in Cingular service. Security expert Nitesh Dhanjani first wrote about the issue in February 2006. Dhanjani says the iPhone is still vulnerable.

"The AT&T/Cingular voice mail system is configured by default not to ask for a password when you check your voice mail from the handset (it asks for your voice mail password if you call your number from another cell phone and press * when your voice mail answers). Unfortunately, the AT&T/Cingular voice mail system trusts Caller ID to determine if the handset is calling it. Because Caller ID can be spoofed easily … anyone can gain access into your voice mail by calling you and spoofing your phone number (it will appear as if you are calling yourself when your phone rings)—should you not answer the call, your voice mail will answer and allow the intruder full access to your messages," Dhanjani wrote in a recent blog post.

/zimages/4/28571.gifRead a review here that examines how well the iPhone performs with Web 2.0 applications.

Spoofing a caller ID is as simple as buying a calling card from Spoof Card, a service that allows callers to change what the recipients of the call see in the caller ID display. Dhanjani said an attacker could carry out an exploit by calling the victims phone and using Spoof Card. When Spoof Card asks what number the attacker wants to spoof, the attacker would then enter the victims number again.

You are vulnerable, he said, if youre able to listen to iPhone (or other Cingular phone) voice mail without being prompted for a password. Check out Dhanjanis blog for his recommendations on protecting yourself from the vulnerability. AT&T/Cingular hadnt returned a request to comment on the issue by the time this story was posted.

Its still early. Security researchers are promising that more iPhone bugs will surface after theyve had a chance to apply fuzzing to the devices and pore over the results.

But are these security bugs serious enough to make them stay away from the iPhone? No. They love it.

In spite of bad blood between Errata and Apple, and in spite of Safari carrying at least one known vulnerability with it onto the device, Graham said Errata still considers the iPhone "inherently more secure than competing smart phones, such as those based on Windows Mobile or Symbian.

"While Apple is slightly behind Windows on the desktop/server (that Samba bug still appears to be unfixed), its still light years ahead of the mobile vendors. The mobile market is completely screwed up right now: While carriers know about the widespread vulnerabilities in their phones, the carriers are unwilling to patch them," he said.

Still, Graham said that even with better (theoretical) security than Windows, the iPhone is going to be a bigger target, given that the security profile of Mac OS X is better known than competing mobile platforms such as Windows Mobile or Symbian.

"Theyll also have more bugs to patch because of increased hacker interest," he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.