Security consultants find flaw that allows them to take control of Apple iPhone

“A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device,” John Schwartz reports for The New York Times.

“The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain,” Schwartz reports.

“Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, ‘Once you did manage to find a hole, you were in complete control.’ The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem,” Schwartz reports.

Schwartz reports, “A spokeswoman for Apple, Lynn Fox, said, ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security,’ she said. There is no evidence that this flaw had been exploited or that users had been affected.”

“The Independent Security Evaluators researchers were able to crack the phone’s software in a week, said Aviel D. Rubin, the firm’s founder and the technical director of the Information Security Institute at Johns Hopkins University. Mr. Rubin, who bought an iPhone the day after the cellphone was released, said in an interview that he had approached three colleagues, Dr. Miller, Joshua Mason and Jake Honoroff, and offered them an enticing prize if they would try to crack the iPhone. ‘I told the guys I would buy them iPhones,’” Schwartz reports.

Schwartz reports, “Mr. Rubin said, ‘I will think twice before getting on a random public WiFi network now,’ but his overall opinion of the phone has not changed. ‘You’d have to pry it out of my cold, dead hands to get it away from me,’ he said.”

More details in the full article here.

“Researchers at my consulting company, Independent Security Evaluators (ISE) have found serious security vulnerabilities in the iPhone. They were able to take complete control of the iPhone device and run arbitrary shell code (see NYT article). To demonstrate this, they built an exploit that downloads personal information such as SMS text transcripts, address book entries, and email from the iPhone whenever a user visits a particular web site or connects to a particular WiFi network. However, the vulnerability can be exploited in many other ways. For example, an exploit could be written that would cause the iPhone to make an unnoticeable phone call to an attacker, who would then be able to monitor conversations by the victim. In other words, the iPhone could be turned into a bugging device,” Avi Rubin blogs.

“We contacted Apple on July 17 and sent them all of the details of the vulnerability. We also promised not to release any specific technical details of the vulnerability that would allow someone else to exploit it until our Black Hat presentation on August 2. This gave them plenty of time to produce a fix, and we showed Apple how to patch the vulnerability,” Rubin writes.

Full blog entry here.

More info via “Independent Security Evaluators” here.

[Thanks to MacDailyNews Readers “Fred Mertz” and “TowerTone” and “doc” for the heads up.]

While we strongly disagree with the “Security via Obscurity/Microsoft Apologists*” thesis presented in The NY Times’ full article, anyone helping locate potential security issues and allowing Apple to correct them with updates before end-users are affected should be applauded, if indeed that is the case here.

Of possible related interest, on Saturday The Associated Press carried an article by Anick Jesdanun that reported, “For some security researchers who uncover flaws in leading computer programs, a nod of appreciation from software companies is no longer enough. Now they want money.”

Jesdanun reported, “Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors’ in-house researchers ‘are making a lot of money to look for bugs and whenever someone from the outside finds something, they don’t get paid anything.’”

Jesdanun reported, “But Miller, after trying to sell two separate vulnerabilities himself including the $50,000 one to the government, concluded it wasn’t worth the trouble. He said it was difficult identifying potential buyers, and in one case the vendor had fixed the problem before he could complete the sale. ‘I would have loved to start a business out of it,’ he said. ‘One of the lessons I learned is that it’s impossible to do that.’”

Full article here.

*There are zero-percent (0%) of viruses for the Mac OS X platform that should, logically, have some 10-16% of the world’s viruses if platforms’ install bases dictate the numbers of viruses. The fact that Mac OS X has zero (0) viruses in the wild totally discounts “security via obscurity.” 23+ million Mac OS X installs is not an “obscure” platform at all, but 6+ years of Mac OS X users surfing unimpeded certainly is “secure.” There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to ‘obscurity,’ it’s attributable to superior security design.

39 Comments

  1. I’m no security expert, but I am having a hard time believing this is for real. After reading this article I find their claims—such as making the iPhone make unsolicited calls—hard to believe. I guess only time will tell. But my initial reaction is to cry FUD.

  2. stuff gets hacked. iPhones too.

    I remember a time when the readers on here used to complain about all the iPod stories on here.

    it’s pretty obvious the iPhone is the new iPod… lol.

  3. Pay close attention to the “iPhone” in their video; note that it has buttons on the right-hand side and a large black protrusion below the crown.

    Note also that the shadow it casts is as long, or longer, than that cast by the roll of tape to the right.

    On a real iPhone, the buttons are on the left, and there is no such protrusion. A real iPhone is also much thinner than that roll of tape, and oriented as in the video you can see the silver backplate up the right side.

    Clearly, this video does not depict an iPhone. It is more likely to be one of the knock-offs that have been doing the rounds, in which case the “demonstration” is a movie of some sort.

    Whilst this doesn’t say anything one way or another about the actuality of the exploit, it does beg the question: if these folks have a real exploit, why are they faking their demo?

  4. Now imagine if Apple had unleashed an SDK for developers to make 3rd party apps; how much more difficult would it be for Apple to deal with all the security ramifications? Glad to hear the ISE is working with Apple and not exploiting them. I’m sure Apple will respond very quickly as this is paramount to their reputation, and once all the basic security threats are dealt with (things are stable), they will eventually open the phone up to app developers.

  5. If this is true, I’m glad that the researchers at ISE are doing things the right way.

    This is not to say that the exploit is true, since we still have to read a confirmation from Apple, but for them to give Apple the time to study the supposed flaws and provide a fix for it is surely admirable. Responsible disclosure it is.

    Again, if this is true, Apple should release a security update for it and we’ll all be back to stardom. Well, not really me though since I won’t have an iPhone at least until 2008… arrgghh.

    MDN word for the day: “patience”. As in, my patience is running out.

  6. “There are zero-percent (0%) of viruses for the Mac OS X platform that should, logically, have some 10-16% of the world’s viruses if platforms’ install bases dictate the numbers of viruses.”

    I agree that all the flannel about OS market-share amounts to little more than unproved assertion. It may be true – or, more credibly, it may be one factor – but there’s no evidence it’s the be-all and end-all. And, in fact, there’s some evidence that it isn’t. For example, there was malware around for the old Mac OS, which unlike OS X was not Unix-based, even though its market-share was not high. And this was likely *because* it did not have the superior Unix-based architecture.

    However, I don’t think that what MDN says is logically entailed by the claim that installed base is relevant. David Pogue has claimed this, too, but I think it’s a canard. Malware doesn’t arise by some spontaneous natural process but out of economic calculation. (These days selling compromised machines is big business.) Therefore, there is no reason why percentage of installed base and percentage of malware should be in direct proportion. It is, however, conceivable that, assuming programming for a target platform takes an equivalent length of time for any platform (a big if), it’s not worth the time to write malware for a platform *at all* unless its share is pretty substantial, since the economic payoff (in terms of the commercial value on the black market of the numbers of machines likely to be caught) is going to be lower.

    So I don’t agree with MDN’s line of reasoning there. However, as I say, I do agree with MDN’s overall point. AFAICT there’s no real evidence that installed base is the *only* factor. That’s just unproven assertion.
