Hackers intent on unlocking Apple's iPhone for use with carriers other than AT&T -- and for using third-party applications -- exploited a bug in the device's handling of TIFF images. But that same bug can be used for far more nefarious exploits, renowned hacker HD Moore reported on his Web site, The Metasploit.
Moore posted to the site an exploit that would allow a hacker to insert malicious code onto someone's iPhone to access the device's data. Because the flawed TIFF library is used by the iPhone's Web browser, e-mail program, and iTunes software -- and because all of those programs run as root processes -- one of the iPhone's undocumented "features" is a gaping security hole.
Unlike the unlocking hackers, Moore said, "I wanted an exploit that would write any arbitrary payload" to the phone. "This exploit is rock solid. It's very reliable," he said. "You can send it in an e-mail, you can embed it in a Web page."
Susceptible to Drive-By Attacks
Moore's research revealed the true extent of the TIFF bug, Andrew Storms, director of security operations for nCircle, said in an e-mail. If weaponized, Storms explained, the assault will present itself as a drive-by attack in which sites host seemingly innocuous images and other media that actually perform dangerous actions when rendered in a Web browser on the iPhone.
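The article does not describe the internals of the iPhone's TIFF flaw, so the following is an added illustration, not the iPhone's library code or Moore's exploit: a minimal TIFF header/IFD reader that refuses input whose entry count or data offsets point outside the file, which is the class of bounds check an image renderer needs before trusting a "seemingly innocuous image" fetched from a Web page or e-mail. The sample TIFF bytes (`GOOD`, `BAD_COUNT`, `BAD_OFFSET`) are constructed here for the demonstration.

```python
"""Bounds-checked TIFF IFD parsing (added example; hypothetical checks,
not the iPhone's or libtiff's actual code)."""
import struct

# Size in bytes of each TIFF field type (TIFF 6.0 types 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
HEADER_LEN = 8
ENTRY_LEN = 12


class TiffError(ValueError):
    """Raised for any structural problem; a renderer should stop, not guess."""


def parse_ifd_entries(data: bytes):
    """Return [(tag, type, count, value_or_offset), ...] for the first IFD.

    Every count and offset is checked against len(data) before it is used,
    so a hostile file cannot steer reads outside the buffer.
    """
    if len(data) < HEADER_LEN:
        raise TiffError("truncated header")
    order = data[:2]
    if order == b"II":
        fmt = "<"          # little-endian
    elif order == b"MM":
        fmt = ">"          # big-endian
    else:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(fmt + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic")
    # The IFD must start after the header and its 2-byte count must fit.
    if ifd_off < HEADER_LEN or ifd_off + 2 > len(data):
        raise TiffError("IFD offset outside file")
    (count,) = struct.unpack_from(fmt + "H", data, ifd_off)
    # Check the whole entry table (plus the 4-byte next-IFD pointer) at once,
    # before reading any entry: a huge count must not drive reads off the end.
    table_end = ifd_off + 2 + count * ENTRY_LEN + 4
    if table_end > len(data):
        raise TiffError("IFD entry count exceeds file size")
    entries = []
    for i in range(count):
        tag, typ, n, val = struct.unpack_from(fmt + "HHII", data, ifd_off + 2 + i * ENTRY_LEN)
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise TiffError("unknown field type %d for tag %d" % (typ, tag))
        total = size * n   # Python ints do not overflow; a C parser must guard this multiply
        if total > 4:
            # Value does not fit inline, so `val` is an offset into the file.
            if val < HEADER_LEN or val + total > len(data):
                raise TiffError("tag %d data [%d, %d) outside file" % (tag, val, val + total))
        entries.append((tag, typ, n, val))
    return entries


def is_safe_tiff(data: bytes) -> bool:
    """True if the first IFD parses with every bound satisfied."""
    try:
        parse_ifd_entries(data)
        return True
    except TiffError:
        return False


def build_tiff(entries, trailing=b""):
    """Construct a little-endian TIFF whose IFD follows the header (test data only)."""
    ifd = struct.pack("<H", len(entries))
    for tag, typ, n, val in entries:
        ifd += struct.pack("<HHII", tag, typ, n, val)
    ifd += struct.pack("<I", 0)   # no next IFD
    return b"II" + struct.pack("<HI", 42, HEADER_LEN) + ifd + trailing


# Constructed samples: a well-formed file, a file whose entry count runs past
# the end, and a file whose ASCII tag points 2 GB beyond the buffer.
GOOD = build_tiff([(256, 3, 1, 4), (257, 3, 1, 4)])            # ImageWidth/ImageLength = 4
BAD_COUNT = b"II" + struct.pack("<HI", 42, HEADER_LEN) + struct.pack("<H", 0xFFFF)
BAD_OFFSET = build_tiff([(270, 2, 100, 0x7FFFFFF0)])           # ImageDescription, 100 bytes

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_COUNT", BAD_COUNT), ("BAD_OFFSET", BAD_OFFSET)):
        print(name, "accepted" if is_safe_tiff(blob) else "rejected")
```

The two rejected samples never reach a single `unpack_from` past the buffer, because the count is validated as a whole before the loop and each out-of-line offset is validated before anything dereferences it; on a device where the renderer runs as root, that early refusal is the difference between a dropped image and a remote root shell.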
And, Storms said, the TIFF vulnerability and Safari bugs are "just problems which lie at the surface of the iPhone." Storms pointed out that in a BlackHat 2007 talk, Chris Miller at Independent Security Evaluators disclosed that all processes on the iPhone run privileged as root. "This architectural discovery in the iPhone means that any compromise of the device results in providing the attacker with privileged access."
Moore noted the root-process issue on his Web site, writing, "Having a network-enabled root shell in my pocket is great, but being able to pop a root shell on someone else's iPhone is even better." The security implications might be significant. "Any security flaw in any iPhone application can lead to a complete system compromise," Moore wrote.
"A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," he added.