Hackers Hang Up On iPhone

The group, which works for consulting and assessment firm Independent Security Evaluators (ISE), is withholding technical details until August 2 in order to give Apple time to fix the problem. They do claim, however, to have successfully exploited the vulnerability, and have posted a video of an attack on their website.

The vulnerability--known as a buffer overflow--lies in the Safari web browser built into the iPhone, said team member Charlie Miller.

By directing the browser to a web page containing malicious code, Miller says that his team has forced an iPhone to connect to a server and personal information contained on the device, including previous SMS text messages, contact information, call history, and voice mail data. By modifying the malicious code, an attacker could also have forced the phone to call out, send text messages, or record audio.

The ISE team noted several techniques an attacker could use to trick a user into accessing a malicious web site, including links embedded in email or online forum posts.

A more subtle attacker could set up a wireless router disguised as a free public access point, and then inject the malicious code into any page an iPhone user attempts to access.

The video on the team's website shows just such an attack on a device attempting to access the New York Times website. As the iPhone can be configured to connect to wireless networks without asking the user, this could present a particularly effective attack.

Though browser vulnerabilities are not uncommon, Miller believes that this one is particularly bad because of weaknesses in the underlying security architecture of the iPhone. Apple's approach, he says, appears to have focused on limiting the applications on the device and restricting how it can be accessed, rather than handling those applications in a secure fashion. Most significantly, iPhone appears to run applications with full administrative rights, giving a successful attacker those same privileges.

"Unfortunately," the ISE team concluded in their paper, "once an iPhone application is breached by an attacker, very little prevents an attacker from obtaining complete control over the system."

The ISE team released a draft whitepaper July 19 outlining the flaw. After reading the whitepaper, Paul Henry, Secure Computing's Vice President of Technology Evangelism, agreed with Miller's assessment of the iPhone's security architecture. "Apple seems to have literally abandoned a core principle of the unix operating system: the rule of least privilege."

Henry asserts, however, that the real underlying issue is inherent in the drive to put more functionality on smaller devices. "You simply don't have the processing power on something like a phone to be able to handle properly securing it," he told CRN. "Running applications as root--that's a horsepower issue with the phones themselves. They're trying to keep the CPU utilization down to acceptable levels to get that performance experience for the user."

While Miller emphasized that vulnerabilities are an inevitable part of every piece of software and every computing device, he also argued that Apple's reputation for security may have less to do with technical prowess than it's relatively small user base.

"This wasn't an easy bug to find, but it wasn't that hard either," Miller told CRN. "If people had been looking at Safari as hard as they look at Internet Explorer, this would have turned up awhile ago. Unfortunately, they may end up being victims of their own success."

Miller says that the vulnerability also exists in the Mac OS X and Windows versions of Safari, but that he was uncertain if it would be exploitable on either platform as a practical matter. While a successful attack on the Mac or Windows versions could be serious, in neither case would the attacker gain the degree of access the ISE team claims to have achieved on the iPhone.

Apple has not responded to requests for comment.