Researchers Crack the iPhone

By Lisa Vaas Print this article Print

Apple's popular multifunctional device can be exploited for data theft or snooping purposes, according to a security firm.

A security firm has run the first remote exploits on Apple's iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.

A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—have created an exploit for the iPhone's Safari Web browser wherein they use an unmodified device to surf to a maliciously crafted drive-by download site. The site downloads exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.

The compromised device then can be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.

"We only retrieved some of the personal data, but could just as easily have retrieved any information off the device," the researchers said in a report.

The researchers also wrote a second exploit to turn an iPhone into a bugging device to record audio that it then transmitted for later collection by a malicious party. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they also could force the phone into other physical actions, including dialing phone numbers or sending text messages.

The iPhone runs a streamlined, customized version of the Mac OS X operating system on an ARM processor. Much of its security posture relies on restrictions against running third-party applications, instead only allowing JavaScript to execute in the device's Safari browser within a sandbox environment.

The Safari browser itself has been stripped down as well. Apple, of Cupertino, Calif., sacrificed the use of plug-ins such as Flash and the downloading of many file types, for example, to minimize the iPhone's attack surface.

However, that still leaves "serious problems" with the way security has been designed and implemented on the device, the researchers said.

They said that the most egregious problem with the iPhone's security profile is that it runs all important processes with full administrative privileges, meaning that an attacker who compromises any iPhone application gains full access to any capability on the device.

iPhone vs. IT: clash of the culture titans. Click here to read more.

Curbing administrative rights so as to curtail the reach of a successful attacker is a lesson learned long ago by Microsoft, for one. In its latest operating system release, Vista, one of the most notable security boosts is UAC (User Account Control), a security feature that limits user privileges as much as possible for most of a user's interaction with the desktop. User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it limits the operating system surface an attacker can latch onto.

Not only does UAC limit the effectiveness of malicious code, but Microsoft, in its creation, also stands a good chance of breaking developers' habit of granting too many rights, Gartner analyst Neil MacDonald has