
iPhone shellcode hits the Web

By Dennis Fisher, Executive Editor
26 Sep 2007 | SearchSecurity.com

Security Wire Daily News

Apple Inc., long ignored by most hackers and security researchers, is getting a chance to find out what it feels like to walk a mile in Microsoft Corp.'s shoes, thanks to its popular iPhone. First, a New Jersey teenager published detailed instructions for unlocking the new gadget, and now a well-known security researcher has posted shellcode that can be used on the iPhone.


HD Moore, creator of the popular Metasploit Framework penetration-testing tool, on Tuesday published a long blog post which includes shellcode for the iPhone and other instructions for using the device as a portable hacking platform. Moore also was able to get Metasploit to run on the iPhone and says he will write some iPhone-specific payloads for the framework, as well.

In an interview, Moore said he benefited from the previous work done by others on the iPhone. He also added that the phone holds plenty of other potentially productive avenues for research.

"Everyone else did all of the hard work. I just modified my shellcode to run on the iPhone," he said. "But there are a number of other bugs on there that I've been playing around with, just some normal stack overflows and things like that. All you need is one Safari bug to bust through and you're off and running because every process runs as root."


In a blog post, Moore explained how he conducted his research.

"The first thing I did is bypass activation, run jailbreak, and install the AppTapp Installer. Using the installer, I added OpenSSH and a VT-100 Terminal to the phone," Moore wrote in his post. AppTapp Installer is a program that enables users to download and manage third-party applications on the iPhone. "Metasploit 2 runs decently, even though the Terminal isn't the best interface for a screen of this size. Metasploit 3 should run, as soon as the toolchain is capable of building a working Ruby interpreter. With only a few headaches, I was able to port the bind shell and reverse shell payloads to the iPhone. I added a very simple nop generator to match. At this point, it's possible to generate working iPhone shellcode using the trunk version of Metasploit 3."

Moore's work is significant for a number of reasons, not the least of which is the fact that the iPhone includes Wi-Fi networking capability. A user running Metasploit would have a handy tool for attacking iPhones or other mobile devices in range. Security researchers at Independent Security Evaluators, a Baltimore-based company that does testing and systems design, in July disclosed a serious security flaw in the iPhone that enabled a remote attacker to gain control of the device. The researchers also wrote their own shellcode, which they were able to run on the iPhone.

Moore's shellcode is somewhat smaller and is based on his own existing Mac OS X code. Moore is not alone in his interest in hacking the iPhone; it has become something of an obsession among researchers and everyday Apple enthusiasts alike. Apple, of Cupertino, Calif., has actively discouraged third-party application installation on the iPhone, but various methods for bypassing the phone's restrictions have been made available online.

On the security front, researchers are intrigued by the iPhone both because of its powerful feature set and the fact that every process on the phone runs as root. So even the smallest vulnerability in the iPhone's software could lead to a complete compromise of the device.

"A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," Moore says in his post.

In fact, Moore said he is working on a set of tools to do exactly that. "My next project is writing a whole suite of tools to monitor the microphone, pull down pictures, whatever," he said. "You'll essentially be able to monitor the entire phone while it's in someone's pocket."


