Apple Inc., long ignored by most hackers and security researchers, is getting a chance to find out what it feels like to walk a mile in Microsoft Corp.'s shoes, thanks to its popular iPhone. First, a New Jersey teenager published detailed instructions for unlocking the new gadget, and now a well-known security researcher has posted shellcode that can be used on the iPhone.
HD Moore, creator of the popular Metasploit Framework penetration-testing tool, on Tuesday published a long blog post which includes shellcode for the iPhone and other instructions for using the device as a portable hacking platform. Moore also was able to get Metasploit to run on the iPhone and says he will write some iPhone-specific payloads for the framework, as well.
In an interview, Moore said he benefited from the previous work done by others on the iPhone. He also added that the phone holds plenty of other potentially productive avenues for research.
"Everyone else did all of the hard work. I just modified my shellcode to run on the iPhone," he said. "But there are a number of other bugs on there that I've been playing around with, just some normal stack overflows and things like that. All you need is one Safari bug to bust through and you're off and running because every process runs as root."
In a blog post, Moore explained how he conducted his research.
"The first thing I did is bypass activation, run jailbreak, and install the AppTapp Installer. Using the installer, I added OpenSSH and a VT-100 Terminal to the phone," Moore wrote in his post. AppTapp Installer is a program that enables users to download and manage third-party applications on the iPhone. "Metasploit 2 runs decently, even though the Terminal isn't the best interface for a screen of this size. Metasploit 3 should run, as soon as the toolchain is capable of building a working Ruby interpreter. With only a few headaches, I was able to port the bind shell and reverse shell payloads to the iPhone. I added a very simple nop generator to match. At this point, it's possible to generate working iPhone shellcode using the trunk version of Metasploit 3."
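The NOP generator Moore mentions is the part of a payload port that differs most from x86 work. The following is an added example, not Moore's or Metasploit's code, of what such a generator looks like for the iPhone's ARM processor: it emits a sled of `mov rN, rN` instructions (the 0xE1A00000 family, here with N drawn from r1 to r12) in little-endian byte order, then decodes the sled back to confirm that every word is a harmless instruction and that no byte is NUL. It assumes the target executes in 32-bit ARM state rather than Thumb; the function names and the toy seeded generator are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 32-bit ARM state, little-endian. "mov rN, rN" is a data-processing
 * instruction with cond=AL (0xE), opcode MOV, S=0, Rd=N, Rm=N.
 * 0xE1A00000 (mov r0, r0) is the canonical ARM NOP; substituting another
 * register keeps it a no-op but changes the bytes on the wire. */
#define ARM_INSN_SIZE   4u
#define ARM_MOV_RR_BASE 0xE1A00000u

/* Registers to draw from: r1..r12. r0 is excluded because mov r0,r0
 * encodes to 00 00 a0 e1, whose NUL bytes would end a C string copy.
 * r13 (sp), r14 (lr) and r15 (pc) are excluded because moving them to
 * themselves is not harmless (mov pc, pc is not a NOP at all). */
#define SLED_REG_MIN 1u
#define SLED_REG_MAX 12u

static uint32_t arm_mov_rr(unsigned reg)
{
    return ARM_MOV_RR_BASE | (reg << 12) | reg;
}

/* Tiny deterministic LCG so a sled is reproducible for a given seed;
 * this stands in for whatever RNG a real generator would use. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1103515245u + 12345u;
    return *state >> 16;
}

/* Fill buf with len bytes of ARM semantic NOPs (mov r1,r1 .. mov r12,r12),
 * little-endian. Returns the bytes written, or 0 if len is not a whole
 * number of 4-byte instructions: ARM sleds cannot be padded byte-wise. */
size_t arm_nop_sled(uint8_t *buf, size_t len, uint32_t seed)
{
    if (buf == NULL || len == 0 || len % ARM_INSN_SIZE != 0)
        return 0;
    uint32_t state = seed;
    for (size_t off = 0; off < len; off += ARM_INSN_SIZE) {
        unsigned reg = SLED_REG_MIN +
                       lcg_next(&state) % (SLED_REG_MAX - SLED_REG_MIN + 1);
        uint32_t insn = arm_mov_rr(reg);
        buf[off + 0] = (uint8_t)(insn & 0xFF);
        buf[off + 1] = (uint8_t)((insn >> 8) & 0xFF);
        buf[off + 2] = (uint8_t)((insn >> 16) & 0xFF);
        buf[off + 3] = (uint8_t)((insn >> 24) & 0xFF);
    }
    return len;
}

/* Decode a sled and confirm every word is mov rN,rN with N in 1..12 and
 * that no byte is NUL. Returns 1 if the sled passes, 0 otherwise. */
int arm_sled_is_valid(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len == 0 || len % ARM_INSN_SIZE != 0)
        return 0;
    for (size_t off = 0; off < len; off += ARM_INSN_SIZE) {
        uint32_t insn = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
                        ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
        unsigned rd = (insn >> 12) & 0xF;
        unsigned rm = insn & 0xF;
        /* Mask keeps cond/opcode/S/Rn and the shifter bits, drops Rd and Rm. */
        if ((insn & 0xFFFF0FF0u) != ARM_MOV_RR_BASE || rd != rm)
            return 0;
        if (rd < SLED_REG_MIN || rd > SLED_REG_MAX)
            return 0;
        if (memchr(buf + off, 0, ARM_INSN_SIZE) != NULL)
            return 0;
    }
    return 1;
}

/* Generate a sled of len bytes (up to 256) and validate it; 1 on success. */
int arm_sled_roundtrip(size_t len, uint32_t seed)
{
    uint8_t buf[256];
    if (len > sizeof buf)
        return 0;
    size_t n = arm_nop_sled(buf, len, seed);
    return n == len && arm_sled_is_valid(buf, n);
}

int main(void)
{
    uint8_t sled[32];
    size_t n = arm_nop_sled(sled, sizeof sled, 0x1337u);
    printf("generated %zu bytes, valid=%d:", n, arm_sled_is_valid(sled, n));
    for (size_t i = 0; i < n; i++)
        printf(" %02x", sled[i]);
    printf("\n");
    return 0;
}
```

Two things the x86 habit of padding with 0x90 does not prepare you for: ARM instructions are four bytes and must stay four-byte aligned, so a sled length that is not a multiple of four is rejected rather than silently padded, and the canonical NOP mov r0, r0 contains two NUL bytes that a strcpy-style overflow would truncate, hence the choice of r1 to r12. Thumb code would need 16-bit encodings instead.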
Moore's work is significant for a number of reasons, not the least of which is the fact that the iPhone includes Wi-Fi networking capability. A user running Metasploit would have a handy tool for attacking iPhones or other mobile devices in range. Security researchers at Independent Security Evaluators, a Baltimore-based company that does testing and systems design, in July disclosed a serious security flaw in the iPhone that enabled a remote attacker to gain control of the device. The researchers also wrote their own shellcode, which they were able to run on the iPhone.
Moore's shellcode is somewhat smaller and is based on his own existing Mac OS X code. Moore is not alone in his interest in hacking the iPhone; it has become something of an obsession among security researchers and everyday Apple enthusiasts alike. Apple, of Cupertino, Calif., has actively discouraged third-party application installation on the iPhone, but various methods for bypassing the phone's restrictions have been made available online.
On the security front, researchers are intrigued by the iPhone both because of its powerful feature set and because every process on the phone runs as root, with no privilege separation between applications and the rest of the system. So even the smallest vulnerability in any of the iPhone's software could lead to a complete compromise of the device.
"A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," Moore says in his post.
In fact, Moore said he is working on a set of tools to do exactly that. "My next project is writing a whole suite of tools to monitor the microphone, pull down pictures, whatever," he said. "You'll essentially be able to monitor the entire phone while it's in someone's pocket."