Researchers Crack the iPhone

A security firm has run the first remote exploits on Apple’s iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.

A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—has created an exploit for the iPhone’s Safari Web browser in which an unmodified device is used to surf to a maliciously crafted drive-by download site. The site delivers exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.

The compromised device then can be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.

“We only retrieved some of the personal data, but could just as easily have retrieved any information off the device,” the researchers said in a report.

The researchers also wrote a second exploit to turn an iPhone into a bugging device to record audio that it then transmitted for later collection by a malicious party. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they also could force the phone into other physical actions, including dialing phone numbers or sending text messages.

The iPhone runs a streamlined, customized version of the Mac OS X operating system on an ARM processor. Much of its security posture relies on restrictions against running third-party applications, instead only allowing JavaScript to execute in the device’s Safari browser within a sandbox environment.

The Safari browser itself has been stripped down as well. Apple, of Cupertino, Calif., sacrificed the use of plug-ins such as Flash and the downloading of many file types, for example, to minimize the iPhone’s attack surface.

However, that still leaves “serious problems” with the way security has been designed and implemented on the device, the researchers said.

They said that the most egregious problem with the iPhone’s security profile is that it runs all important processes with full administrative privileges, meaning that an attacker who compromises any iPhone application gains full access to any capability on the device.


Curbing administrative rights so as to curtail the reach of a successful attacker is a lesson learned long ago by Microsoft, for one. In its latest operating system release, Vista, one of the most notable security boosts is UAC (User Account Control), a security feature that limits user privileges as much as possible for most of a user’s interaction with the desktop. User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it limits the operating system surface an attacker can latch onto.

Not only does UAC limit the effectiveness of malicious code, but Microsoft, in its creation, also stands a good chance of breaking developers’ habit of granting too many rights, Gartner analyst Neil MacDonald has pointed out.

Aside from limiting the effectiveness of malicious code, the biggest impact of UAC, according to MacDonald, will be to change developer behavior so that applications no longer demand that users run as administrators in order to use them.

Apple also dropped the ball on some other widely accepted security practices on the iPhone. For example, as other researchers have pointed out, when designing the iPhone, Apple eschewed techniques such as address space randomization and non-executable heaps, both of which make the device harder to exploit and make it more difficult to develop exploit code with staying power.

“These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered,” according to the report.

To draw a second comparison with Vista, that operating system also introduced Address Space Layout Randomization. ASLR’s job is to shuffle the address space deck, randomly locating programs in memory and making it tougher for attackers to pinpoint a target while exploiting a vulnerable application. Symantec has determined that, when implemented correctly, ASLR is “extremely effective” at mitigating memory corruption attacks.

The researchers have notified Apple of their findings and are holding off on releasing details until Aug. 2 to give Apple time to patch the security holes.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK’s Security Watch blog.