A security firm has run the first remote exploits on Apple’s iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.
A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—have created an exploit for the iPhone’s Safari Web browser wherein they use an unmodified device to surf to a maliciously crafted drive-by download site. The site downloads exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.
The compromised device then can be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.
“We only retrieved some of the personal data, but could just as easily have retrieved any information off the device,” the researchers said in a report.
The researchers also wrote a second exploit to turn an iPhone into a bugging device to record audio that it then transmitted for later collection by a malicious party. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they also could force the phone into other physical actions, including dialing phone numbers or sending text messages.
Charlie Miller told eWEEK in an interview that the iPhone not only fell hard, it fell fast. “I was a little surprised how quickly and easily it was—two or three days….” to get to a point where the firm knew their exploits would work, he said, and then one and a half weeks total until the researchers had working exploits. “It was a little scary how easy it was.”
There’s no reason why others might not have already cracked the device, Miller said. “We’re good at what we do but there are thousands of people just as good as us in the world,” he said. “We did it so quickly, it’s hard to imagine someone else [who’s] skilled and motivated couldn’t have done the same thing.”
The iPhone runs a streamlined, customized version of the Mac OS X operating system on an ARM processor. Much of its security posture relies on restrictions against running third-party applications, instead only allowing JavaScript to execute in the device’s Safari browser within a sandbox environment.
The Safari browser itself has been stripped down as well. Apple, of Cupertino, Calif., sacrificed the use of plug-ins such as Flash and the downloading of many file types, for example, to minimize the iPhone’s attack surface.
However, that still leaves “serious problems” with the way security has been designed and implemented on the device, the researchers said.
They said that the most egregious problem with the iPhone’s security profile is that it runs all important processes with full administrative privileges, meaning that an attacker who compromises any iPhone application gains full access to any capability on the device.
It’s a problem specific to the iPhone: the scaled-back rights used on Mac desktops were lost somewhere along the line in the device’s design. “[Apple does] things better on the desktop than the iPhone,” Miller said.
He suggested that one reason Apple may have done security differently with the iPhone’s version of Mac OS X is that, ordinarily, you’d expect only one user on one phone. “I think why everything runs as it does [with the rights of an administrator on the iPhone] may be because with a phone, basically, you don’t ever expect to have more than one user,” Miller said. “All the data on there’s probably [belonging to only] the one user.”
But that’s just a guess, he said.
At any rate, Apple could have tripped Miller up by having applications limited in the amount of data they’re allowed to access. “I think it makes sense to have it where applications can only access data needed by that one application,” he said.
“If they had done that, I would have only been able to break into the Safari Web browser and read only the browser information,” instead of being able to force the phone to cough up the extensive information he got out of it, “much less dial a phone number” and the other actions, Miller said.
In both exploits—access to sensitive information and tinkering around with physical controls—the compromised process is running as root, meaning that an attacker can control the phone completely. “Once you get your foot in the door, you can do whatever you want,” Miller said.
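An added illustration (not from the researchers’ report or Apple’s code) of the point Miller makes above: the standard Unix read-permission check, applied to a browser running as root and to the same browser confined to its own account. The uids, gids, file modes and store names are constructed for this example, and the model covers classic Unix file permissions only.

```python
# Added illustration: Unix discretionary access check applied to two layouts.
# All uids, gids, modes and store names below are constructed for this example.
from collections import namedtuple

Store = namedtuple("Store", "name owner_uid group_gid mode")
Proc = namedtuple("Proc", "name uid gids")


def can_read(proc, store):
    """Classic Unix read check: uid 0 bypasses it; otherwise exactly one
    permission class (owner, then group, then other) decides."""
    if proc.uid == 0:
        return True
    if proc.uid == store.owner_uid:
        return bool(store.mode & 0o400)
    if store.group_gid in proc.gids:
        return bool(store.mode & 0o040)
    return bool(store.mode & 0o004)


def blast_radius(proc, stores):
    """Names of the data stores a compromised process could read."""
    return sorted(s.name for s in stores if can_read(proc, s))


# Data categories the article lists, each owned by a separate service account.
STORES = [
    Store("sms", 501, 501, 0o600),
    Store("contacts", 502, 502, 0o640),  # group-readable for chosen apps
    Store("call_history", 503, 503, 0o600),
    Store("voicemail", 504, 504, 0o600),
    Store("mail", 505, 505, 0o600),
    Store("browser_history", 506, 506, 0o600),
]

# The layout the researchers describe: the browser runs as root.
browser_as_root = Proc("browser", 0, {0})
# The layout Miller suggests: the browser sees only its own data.
browser_confined = Proc("browser", 506, {506})
# An app granted one extra store through group membership only.
dialer = Proc("dialer", 503, {503, 502})

if __name__ == "__main__":
    for p in (browser_as_root, browser_confined, dialer):
        print(f"{p.name} (uid {p.uid}): {blast_radius(p, STORES)}")
```
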
Curbing administrative rights so as to curtail the reach of a successful attacker is a lesson learned long ago by Microsoft, for one. In its latest operating system release, Vista, one of the most notable security boosts is UAC (User Account Control), a security feature that limits user privileges as much as possible for most of a user’s interaction with the desktop. User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it limits the operating system surface an attacker can latch onto.
Not only does UAC limit the effectiveness of malicious code, but Microsoft, in its creation, also stands a good chance of breaking developers’ habit of granting too many rights, Gartner analyst Neil MacDonald has pointed out.
Aside from limiting the effectiveness of malicious code, the biggest impact of UAC, according to MacDonald, will be to change developer behavior so applications don’t demand that users have to run as administrators to use them.
Apple also dropped the ball on some other widely accepted practices when it comes to security on the iPhone. For example, as has been pointed out by other researchers, when designing the iPhone, Apple eschewed techniques such as address randomization and non-executable heaps, all of which make it harder to exploit the device and more difficult to develop exploit code with staying power.
“These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered,” according to the report.
To use another comparison to Vista, another security feature in the new operating system is Address Space Layout Randomization. ASLR’s job is to shuffle the address space deck, randomly locating programs in memory and making it tougher for attackers to pinpoint a target during an exploit of a vulnerable application. Symantec has determined that when implemented correctly, ASLR is “extremely effective” at mitigating memory corruption attacks.
The researchers have notified Apple of their findings and are holding off on releasing details until Aug. 2 to give Apple time to patch the security holes.
Until Apple patches the iPhone’s security holes, Independent Security Evaluators is advising iPhone users to use common sense and not click on links sent by those they don’t trust. Also, iPhone users should only use Wi-Fi access points they trust. “If you do those two simple things you reduce your risk to a small, manageable level,” Miller said.
Apple’s response to the security firm was pretty much the same as its response to eWEEK, and it is in keeping with what other security researchers have called its typical brush-off style: The company sent Independent Security Evaluators an e-mail saying that it’s looking into the issues, without any acknowledgment that there’s a problem. An Apple spokesperson told eWEEK that the company is looking into the issue and gave no further information.
Editor’s Note: This story was updated to include input from security researcher Charlie Miller.