Apple iPhone: SMS exploit allows attacker to control phone

It must be serious if Apple is already working on a fix for a vulnerability that could allow attackers to gain root access to a victim’s iPhone, ultimately running software of their choosing.

Premier MacOS X security researcher

Charlie Miller is no slouch when it comes to MacOS X. Besides being a leading expert on the operating system, he co-authored The Mac Hacker’s Handbook, and is well-known for his prowess at hacking OS X at PWN2OWN competitions.

So when he released preliminary information about vulnerabilities in iPhone’s SMS application during a presentation at this year’s SyScan conference in Singapore, everyone was listening, including Apple. He didn’t offer much in the way of details (a good thing), as Miller is under an agreement with Apple to not disclose any information that could lead to a working exploit.

Apple has until the end of July

It looks like Apple has until this year’s Black Hat convention (end of July, 2009), as that’s when Miller and fellow researcher Collin Mulliner are spilling the details:

“In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices.”

iPhone’s vulnerability

It’s well-known that binary code can be sent to mobile devices using SMS. Normally the sent code isn’t executed, but Miller found that the iPhone operating system automatically processes the code without any user intervention. Not good. Knowing this, Miller developed code using the principle of Sulley Fuzzing, a method of injecting random data into a program after first forcing the operating system to trust the new code.

Another vulnerability that Miller found was the ability to use the SMS function to gain root access to the iPhone, more or less giving an attacker the “keys to the kingdom”.

What this means

These vulnerabilities allow an attacker to send malicious code to the phone using SMS and, having gained admin privileges, execute it. The following are some examples of what this could entail:

  • Monitor the location of the phone, by enabling GPS.
  • Enable the phone's microphone, allowing the attacker to listen in on conversations.
  • Turn on Wi-Fi and other applications unbeknownst to the user, draining the battery.
  • Install malware that could conceivably log sensitive information and send it to some remote location.

Basically, anything the user can do, the attacker is also capable of doing.

Final thoughts

This could potentially turn into a nasty zero-day exploit if someone else (not having Miller’s morals) figures out how to take advantage of SMS in the same way Miller has. Sadly, this happens more often than not. So go Apple, get it fixed.

For information on other Apple iPhone issues, please refer to Apple iPhone: One-stop for security tips.

By

Minneapolis Information Technology Examiner

Michael P. Kassner has seen it all when it comes to IT. He started with Fortran and punched cards in the '60s and is currently a systems manager...