Today, the most common method for stealing information from mobile devices is physical theft. Few people password-protect their cell phones and PDAs, although the vast majority of products on the market support authentication with a simple PIN. Yes, it's inconvenient, but it significantly boosts security. (The downside, unfortunately, is that if the cell phone is lost and you try to call it, an innocent person who finds the phone will likely be unable to answer it without the PIN, making it difficult to get it back. But, for many people, the information on their mobile devices is far more valuable than the actual hardware itself, so protecting that information at the risk of losing the hardware might be a reasonable trade-off.)
While physical theft dominates today, remote exploitation is an emerging vector for information theft from mobile devices. Some of these attacks involve a bad guy sending device content (such as an email or text message) that exploits a flaw such as a buffer overflow. Other attacks involve the mobile device user accessing a service set up by an attacker, such as using a browser on the mobile device to surf to a website hosting the attacker's content. Either way, the device is exploited, making it run code and install software of the attacker's choosing. That code could tell the device to send all of the sensitive information back to the hacker, across the network wirelessly, meaning all of your data was just swiped out of your pocket, likely without you knowing it.
Given the widespread use of these devices, the valuable information stored on them and the "newness" factor of creating exploits for this rapidly expanding realm of the IT industry, it's no wonder that many are diligently hunting for remote mobile device exploits. In fact, the Metasploit project includes an exploit for Apple's iPhone Safari Web browser, exploiting a flaw in its TIFF image-handling library. Metasploit includes a nifty shell called ipwn (pronounced "eye-pone") as a payload an attacker can use for the exploit. The attacker gets remote command shell access to an iPhone simply because its user surfed to the machine on which the attacker was running Metasploit. While the TIFF flaw was patched on a recent iPhone update, not all users are running the latest software. And, surely numerous other flaws will be found for not only the iPhone, but also other kinds of mobile platforms. Mobile device software should be kept up-to-date to lower the chance of falling prey to this kind of attack.
For more information:
This was first published in April 2008