July 23, 2007
IPhone Flaw Lets Hackers Take Over, Security Firm Says
By JOHN SCHWARTZ
A team of computer security consultants say they
have found a flaw in AppleÂ’s wildly popular
iPhone that allows them to take control of the device.
The researchers, working for Independent Security
Evaluators, a company that tests its clientsÂ’
computer security by hacking it, said that they
could take control of iPhones through a WiFi
connection or by tricking users into going to a
Web site that contains malicious code. The hack,
the first reported, allowed them to tap the
wealth of personal information the phones contain.
Although Apple built considerable security
measures into its device, said Charles A. Miller,
the principal security analyst for the firm,
“Once you did manage to find a hole, you were in
complete control.” The firm, based in Baltimore,
alerted Apple about the vulnerability this week
and recommended a software patch that could solve the problem.
A spokeswoman for Apple, Lynn Fox, said, “Apple
takes security very seriously and has a great
track record of addressing potential
vulnerabilities before they can affect users.”
“We’re looking into the report submitted by
I.S.E. and always welcome feedback on how to improve our security,” she said.
There is no evidence that this flaw had been
exploited or that users had been affected.
Dr. Miller, a former employee of the National
Security Agency who has a doctorate in computer
science, demonstrated the hack to a reporter by
using his iPhoneÂ’s Web browser to visit a Web site of his own design.
Once he was there, the site injected a bit of
code into the iPhone that then took over the
phone. The phone promptly followed instructions
to transmit a set of files to the attacking
computer that included recent text messages —
including one that had been sent to the
reporter’s cellphone moments before — as well as
telephone contacts and e-mail addresses.
“We can get any file we want,” he said.
Potentially, he added, the attack could be used
to program the phone to make calls, running up
large bills or even turning it into a portable bugging device.
Steven M. Bellovin, a professor of computer
science at Columbia University, said, “This looks
like a very genuine hack.” Mr. Bellovin, who was
for many years a computer security expert at AT&T
Labs Research, said the vulnerability of the
iPhone was an inevitable result of the
long-anticipated convergence of computing and telephony.
“We’ve been hearing for a few years now that
viruses and worms were going to be a problem on
cellphones as they became a little more powerful,
and we’re there,” he said. The iPhone is a
full-fledged computer, he noted, “and sure
enough, it’s got computer-grade problems.”
He said he suspected that phones based on the
Windows mobile operating system would be
similarly “attackable,” though he had not yet heard of any attacks.
“It’s not the end of the world; it’s not the end
of the iPhone,” he said, any more than the
regular revelations of vulnerabilities in
computer browser software have killed off
computing. “It is a sign that you cannot let down
your guard. It is a sign that we need to build software and systems better.”
Details on the vulnerability, but not a
step-by-step guide to hacking the phone, can be
found at www.exploitingiphone.com, which the
researchers said would be unveiled today.
Hackers around the world have been trying to
unveil the secrets of the iPhone since its
release last month; most have focused their
efforts on unlocking the phone from its sole
wireless provider, AT&T, and getting unauthorized
programs to run on it. The iPhone is a closed
system that cannot accept outside programs and
can be used only with the AT&T wireless network.
Some of those hackers have posted bulletins of
their progress on the Web. A posting went up on
Friday that a hacker going by the name of
“Nightwatch” had created and started an independent program on the phone.
The Independent Security Evaluators researchers
were able to crack the phoneÂ’s software in a
week, said Aviel D. Rubin, the firmÂ’s founder and
the technical director of the Information
Security Institute at Johns Hopkins University.
Mr. Rubin, who bought an iPhone the day after the
cellphone was released, said in an interview that
he had approached three colleagues, Dr. Miller,
Joshua Mason and Jake Honoroff, and offered them
an enticing prize if they would try to crack the
iPhone. “I told the guys I would buy them iPhones.”
Dr. Miller had already been exploring weaknesses
in the computer versions of Safari, AppleÂ’s Web
browser, and was planning to reveal that
vulnerability, a relatively common kind of flaw
known as a buffer overflow, at the Black Hat
computer security conference next month. Dr.
Miller instantly thought to see whether the
phone, which uses a version of Safari, would be as vulnerable.
Mr. Rubin said the research was not intended to
show that the iPhone was necessarily more
vulnerable to hacking than other phones, or that
Apple products were less secure than those from
other companies. “Anything as complex as a
computer — which is what this phone is — is going
to have vulnerabilities,” he said.
There are far more viruses, worms and other
malicious software affecting Windows systems than
Apple systems. But Mr. Rubin said that Apple
products have drawn fewer attacks because the
computers have fewer users, and hackers reach for the greatest impact.
“Windows gets hacked all the time not because it
is more insecure than Apple, but because 95
percent of computer users are on Windows,” he
said. “The other 5 percent have enjoyed a
honeymoon that will eventually come to an end.”
The iPhone is becoming a victim of its own
success, he said. “The irony is that the more
popular something is, the more insecure it
becomes, because popularity paints a large target on its back.”
Mr. Rubin said his goal was to discover
vulnerabilities and warn of them so that
companies would strengthen their products and
consumers would not be lulled into thinking that
the technology they use was completely secure.
Mr. Rubin said, “I will think twice before
getting on a random public WiFi network now,” but
his overall opinion of the phone has not changed.
“You’d have to pry it out of my cold, dead hands
to get it away from me,” he said.
----------------------------------------------------------------------------------------------------
World Class, Professional, Ethical, and Competent Bug Sweeps, and
Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
James M. Atkinson Phone: (978) 546-3803
Granite Island Group Fax: (978) 546-9467
127 Eastern Avenue #291 Web:
http://www.tscm.com/
Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
We perform bug sweeps like it's a full contact sport, we take no prisoners,
and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------
Received on Sat Mar 02 2024 - 00:57:17 CST