A team of independent security experts has found a flaw in the Apple iPhone that allows hackers to take control of the device, the New York Times reported today.
The researchers at Independent Security Evaluators, which test the security of devices by hacking them, found that the Wi-Fi connectivity of the iPhone allowed them to take control of it and mine the wealth of private information the phones contain. The researchers also said that they could redirect users to a malicious Web site that could also circumvent the security on the phone.
The story quotes Lynn Fox, spokeswoman for Apple, saying, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
The researchers at Independent Security Evaluators, which test the security of devices by hacking them, found that the Wi-Fi connectivity of the iPhone allowed them to take control of it and mine the wealth of private information the phones contain. The researchers also said that they could redirect users to a malicious Web site that could also circumvent the security on the phone.
The story quotes Lynn Fox, spokeswoman for Apple, saying, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Welcome iphone
Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it.
A member of our team, Dr. Charlie Miller, will be presenting the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd. This site will be updated to reflect those details at that time; until then, we have decided only to release general information about exploiting the iPhone.
How the exploit works
The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example:
An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker
Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it.
A member of our team, Dr. Charlie Miller, will be presenting the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd. This site will be updated to reflect those details at that time; until then, we have decided only to release general information about exploiting the iPhone.
How the exploit works
The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example:
An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker
No comments:
Post a Comment