A group of security researchers has found a couple of simple ways of taking complete control of the Apple iPhone. The results are the first real success that security researchers have had in trying to find ways to exploit the
The first attack scenario is a straightforward one in which the attacker sends an Apple iPhone user an email containing a link to a malicious Web site. Once the user clicks on the link, the attacker's Web server exploits a flaw in the Safari browser that runs on the phone and takes control of the device. At that point, it's pretty much game over.
The trio of experts at Baltimore-based Independent Security Evaluators, who did the research, were able to perform any function they wanted on the iPhone, including sending text messages and collecting the user's call history, contact information and voice mail data.
"After examination of the file system, it is clear that other personal data such as passwords, emails and browsing history could be obtained from the device. We only retrieved some of the personal data, but could just as easily have retrieved any information off the device," the researchers wrote in their paper.
In assessing the iPhone's security, the ISE team concluded that Apple focused all of its resources on preventing third-party applications from running on the device, even going so far as restricting the use of common plug-ins such as Flash. "However, there are serious problems with the design and implementation of security on the iPhone," they wrote.
The researchers, Charlie Miller, Joshua Mason and Jake Honoroff, also used a second HTML-based exploit to force the iPhone to perform some trivial functions, such as buzzing and vibrating. However, they said the same attack could be used to exploit additional APIs in the phone to make calls, send text messages or record conversations and send them to a third party. Miller, along with some other ISE researchers, will be discussing their findings at the Black Hat USA conference in Las Vegas next week.
It took the team just a week of work to produce the attacks, and they also were able to write a patch that fixes the Safari vulnerability. ISE contacted Apple, of Cupertino, Calif., and gave the company the details of the flaws and the attacks, as well as the patch code. Apple personnel responded by saying they would look into the issue, said Avi Rubin, a professor of computer science at Johns Hopkins University, and the founder of ISE.
"Once we got the exploit working, the hard part was getting the shellcode located correctly," Rubin said. "The impressive thing is that these guys did this with the iPhone essentially as a black box. They didn't have a debugger or access to the file system, so once they were able to cause the crash in Safari, they had all of this binary data they had to read manually. They had to read it on a PC and it was just a matter of a couple of days to get it all working."
In their paper, the ISE researchers suggest a number of ways in which Apple could improve the iPhone's security. For example, they recommend not giving every application on the device administrative rights, which is the case now. They also suggest that Apple add heap and stack address randomization to make exploit development more difficult.
"While Apple takes some precautions to minimize the amount of code accessible to remote attackers, it did not take other basic precautions in designing a robust security solution for the device," they say in the conclusion to their paper.