Wednesday, October 3, 2007

iPhone Turned into Pocket-Sized Hacking Platform

One such observation: The iPhone has a potential security pitfall in that its MobileMail application supports Microsoft Office document formats by using the OfficeImporter framework when converting files into viewable form. "This looks like a great target for file-format fuzzing and some late-night reverse engineering," Moore said.

Another potential way for attackers to get into the phone is through the mDNSResponder service, which runs by default, Moore said. The mDNSResponder, used by iTunes for music sharing, is part of the Bonjour application suite, which provides automatic and transparent configuration of network devices.

When the iPhone first syncs with iTunes, its host name is changed, Moore said. The default hostname becomes "User's iPhone," with the Mac OS X user account name filling in for "User." If the iPhone is connected to a Wi-Fi network, the mDNS service exposes the iPhone owner's user name.

That particular security exposure hasn't yet responded to Moore's probes, he said, making active discovery "less likely."

Moore has also been playing with the "vibrate" shellcode released by Miller at Black Hat 2007. By the time the security show rolled around, Independent Security Evaluators had already revealed, shortly after the smart phone's release, that Apple's popular multifunctional device could be exploited for data theft or snooping purposes.

At the time, Miller, Jake Honoroff and Joshua Mason created an exploit for the iPhone's Safari Web browser wherein they used an unmodified device to surf to a maliciously crafted drive-by download site. The site downloaded exploit code that forced the iPhone to make an outbound connection to a server controlled by the security firm.

The researchers showed that a compromised device then could be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.

Miller told eWEEK that with Moore's Metasploit work, the time needed to write iPhone exploits has substantially shrunk. "One thing interesting about the work H.D.'s done, if you look at the time frame, is it took us two days to find a vulnerability and write something to where we knew it was legitimate. [It took] seven or eight days after that to having a working exploit. If we had what H.D. has done, it would have taken maybe a day or less. Having this available now will cut what we did from two weeks to two days.

Now that the iPhone has been out for months, is the desire to hack it still at a fever pitch? Miller said that given how much personal information an attacker can shake out of the device, "It probably is something people should worry about."

"[Like H.D. said in his blog,] It's always on, it's always on the Internet, and you can get a lot of personal information. It's a viable target," Miller said.

So now it's time for real fun.

"It's going to be such good times," one blogger wrote after Moore published his findings. "…we have the accessibility/vector. What we need are market saturation (some predict 14M sold by end of 2008,) a mesh networking application (or something to cross-connect the myriad of networking options) and an attractive application to encourage the owners to share amongst each other (say, some funky music sharing application or social networking tie-in, or instant messaging.) That'll lay the ground work for some very effective malware."

For his part, Moore said in his posting that he's added support for iPhone executables to the msfpayload command, allowing users to generate stand-alone bind/reverse shell executables using a syntax supplied in his posting. Next up is an XOR encoder, and then all hell should break loose.

"Once the XOR encoder is done, the only step left is to find the bugs and write the exploits :-)," Moore wrote.

By the time this article posted, Apple had not responded to a request for comment.

No comments: