[ISN] IPhone Flaw Lets Hackers Take Over, Security Firm Says

From: InfoSec News (alerts@private)
Date: Mon Jul 23 2007 - 22:07:09 PDT


http://www.nytimes.com/2007/07/23/technology/23iphone.html

By John Schwartz
The New York Times
July 23, 2007

A team of computer security consultants say they have found a flaw in 
Apples wildly popular iPhone that allows them to take control of the 
device.

The researchers, working for Independent Security Evaluators, a company 
that tests its clients computer security by hacking it, said that they 
could take control of iPhones through a WiFi connection or by tricking 
users into going to a Web site that contains malicious code. The hack, 
the first reported, allowed them to tap the wealth of personal 
information the phones contain.

Although Apple built considerable security measures into its device, 
said Charles A. Miller, the principal security analyst for the firm, 
Once you did manage to find a hole, you were in complete control. The 
firm, based in Baltimore, alerted Apple about the vulnerability this 
week and recommended a software patch that could solve the problem.

A spokeswoman for Apple, Lynn Fox, said, Apple takes security very 
seriously and has a great track record of addressing potential 
vulnerabilities before they can affect users.

"Were looking into the report submitted by I.S.E. and always welcome 
feedback on how to improve our security, she said."

There is no evidence that this flaw had been exploited or that users had 
been affected.

Dr. Miller, a former employee of the National Security Agency who has a 
doctorate in computer science, demonstrated the hack to a reporter by 
using his iPhones Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that 
then took over the phone. The phone promptly followed instructions to 
transmit a set of files to the attacking computer that included recent 
text messages including one that had been sent to the reporters 
cellphone moments before as well as telephone contacts and e-mail 
addresses.

We can get any file we want, he said. Potentially, he added, the attack 
could be used to program the phone to make calls, running up large bills 
or even turning it into a portable bugging device.

Steven M. Bellovin, a professor of computer science at Columbia 
University, said, This looks like a very genuine hack. Mr. Bellovin, who 
was for many years a computer security expert at AT&T Labs Research, 
said the vulnerability of the iPhone was an inevitable result of the 
long-anticipated convergence of computing and telephony.

Weve been hearing for a few years now that viruses and worms were going 
to be a problem on cellphones as they became a little more powerful, and 
were there, he said. The iPhone is a full-fledged computer, he noted, 
and sure enough, its got computer-grade problems.

He said he suspected that phones based on the Windows mobile operating 
system would be similarly attackable, though he had not yet heard of any 
attacks.

Its not the end of the world; its not the end of the iPhone, he said, 
any more than the regular revelations of vulnerabilities in computer 
browser software have killed off computing. It is a sign that you cannot 
let down your guard. It is a sign that we need to build software and 
systems better.

Details on the vulnerability, but not a step-by-step guide to hacking 
the phone, can be found at www.exploitingiphone.com, which the 
researchers said would be unveiled today.

Hackers around the world have been trying to unveil the secrets of the 
iPhone since its release last month; most have focused their efforts on 
unlocking the phone from its sole wireless provider, AT&T, and getting 
unauthorized programs to run on it. The iPhone is a closed system that 
cannot accept outside programs and can be used only with the AT&T 
wireless network.

Some of those hackers have posted bulletins of their progress on the 
Web. A posting went up on Friday that a hacker going by the name of 
Nightwatch had created and started an independent program on the phone.

The Independent Security Evaluators researchers were able to crack the 
phones software in a week, said Aviel D. Rubin, the firms founder and 
the technical director of the Information Security Institute at Johns 
Hopkins University. Mr. Rubin, who bought an iPhone the day after the 
cellphone was released, said in an interview that he had approached 
three colleagues, Dr. Miller, Joshua Mason and Jake Honoroff, and 
offered them an enticing prize if they would try to crack the iPhone. I 
told the guys I would buy them iPhones.

Dr. Miller had already been exploring weaknesses in the computer 
versions of Safari, Apples Web browser, and was planning to reveal that 
vulnerability, a relatively common kind of flaw known as a buffer 
overflow, at the Black Hat computer security conference next month. Dr. 
Miller instantly thought to see whether the phone, which uses a version 
of Safari, would be as vulnerable.

Mr. Rubin said the research was not intended to show that the iPhone was 
necessarily more vulnerable to hacking than other phones, or that Apple 
products were less secure than those from other companies. Anything as 
complex as a computer which is what this phone is is going to have 
vulnerabilities, he said.

There are far more viruses, worms and other malicious software affecting 
Windows systems than Apple systems. But Mr. Rubin said that Apple 
products have drawn fewer attacks because the computers have fewer 
users, and hackers reach for the greatest impact.

Windows gets hacked all the time not because it is more insecure than 
Apple, but because 95 percent of computer users are on Windows, he said. 
The other 5 percent have enjoyed a honeymoon that will eventually come 
to an end.

The iPhone is becoming a victim of its own success, he said. The irony 
is that the more popular something is, the more insecure it becomes, 
because popularity paints a large target on its back.

Mr. Rubin said his goal was to discover vulnerabilities and warn of them 
so that companies would strengthen their products and consumers would 
not be lulled into thinking that the technology they use was completely 
secure.

Mr. Rubin said, I will think twice before getting on a random public 
WiFi network now, but his overall opinion of the phone has not changed.

Youd have to pry it out of my cold, dead hands to get it away from me, 
he said.

Copyright 2007 The New York Times Company


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jul 23 2007 - 22:22:31 PDT