Boing Boing Staging

Report: security flaw lets hackers pwn iPhone

Computer security researchers at Independent Security Evaluators say they’ve found a way to take control of an iPhone by way of a WiFi connection or by tricking users into accessing malware on a website. Basically, a Safari vulnerability, and the preventive takeaway tips are pretty much the same as with your computer: beware of connecting to untrusted open wireless networks, beware of links in weird emails, and beware of untrusted websites that may be malware-laden.

This is the first such report of a verified data security vulnerability with Apple’s iPhone, but no known exploit incidents have occurred. Apple says they’re evaluating ISE’s findings.

John Schwartz reports in Monday’s New York Times:

[ISE’s Charles A.] Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages – including one that had been sent to the reporter’s cellphone moments before – as well as telephone contacts and e-mail addresses.

“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.

Link to article.

exploitingiphone.com has more info, including a preliminary version of the paper describing the attack. the ISE’s Dr. Miller is scheduled to present the details of the exploit at BlackHat in Las Vegas on August 2.

The website also includes an h.264 (= iphone-compatible) video that demonstrates the exploit: Video Link. Note that scotch tape and pretzels are required to complete this sophisticated hack.

Now, given all that, I love the way the NYT story ends:

[ISE founder Aviel D.] Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed. “You’d have to pry it out of my cold, dead hands to get it away from me,” he said.

Reader comment: Will Sheward of ISODE says,

Just read your post on the hack discovered by ISE. A few days ago one of our engineers in the US bought an iPhone and, as we’re professionally interested in IMAP, we decided to look at how the phone handles e-mail, specifically the so-called ‘push’ Yahoo mail which we suspected used dodgy proprietary mechanisms (and, of course, it does).

Whilst tracing the iPhone we found another security vulnerability, this one specific to the partnership between the iPhone and Yahoo mail, which leaves the user open to a replay attack. Basically Yahoo IMAP mail doesn’t support the security standards it ought to (although the iPhone does). The problem is specific to Yahoo’s IMAP service, which they only provide to the iPhone, and which doesn’t implement the standards it ought to.

We’ve posted on this at our blog (Link) and the engineer who discovered the problem posts more entertainingly on it on his personal blog (Link).

I particularly enjoy his description of the iPhone as “A shiny box of stupidity”, although it doesn’t change my determination to get my hands on one as soon as I can.

Anonymous says,

This is just in response to the fellow responding to the iphone security flaws. he was saying that yahoo only provides IMAP service to the iphone but i don’t think thats necessarily true. If you set up a yahoo address on a blackberry through their Blackberry Internet Service, it gets set up as an IMAP address as well. so if there are security flaws with the yahoo IMAP service then i suppose blackberries could be affected also. I’ll leave testing that to the experts though.

Exit mobile version