Finding vulnerabilities in the iPhone

Original author: ISE
  • Translation
Note: below is a translation of the “Exploiting the iPhone” note, which reveals some details of the recently discovered and already fixed vulnerabilities in the iPhone and offers a couple of practical tips for avoiding them in the future.


Update: Apple has released an update that addresses the discovered vulnerabilities. For details on how one of the vulnerabilities was found, visit our blog.

Details at BlackHat: Charlie Miller presented the details of the exploit at BlackHat, which took place in Las Vegas on August 2. The presentation is also available at this address.

Preliminary technical description: A preliminary document describing the attack is available at this address. The full version is expected after August 2 (note: apparently, it was never posted).

New York Times article: an account of this work was published in the New York Times.



Welcome



Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to check how difficult it would be for a remote attacker to access private information stored on the device. In two weeks of part-time work, we were able to find a vulnerability, develop a toolchain for working with the iPhone architecture (some of its utilities were borrowed from the #iphone-dev community), and create a prototype exploit that was able to transmit files from a user's iPhone to a remote attacker. We notified Apple of the vulnerability and proposed a software fix. Apple is currently considering this proposal (note: as stated above, Apple did release the official version of the update).

A member of our group, Charlie Miller, presented all the details of the vulnerability discovery and exploit creation at BlackHat on August 2. The information on this site will be updated to reflect any changes; for now, only general information about the iPhone exploit has been published.

How it works



The exploit is delivered through a malicious web page opened in Safari on the iPhone. There are several ways an attacker could get a victim to open such a page. Consider the following examples.

  • An attacker controls a wireless access point. Since the iPhone recognizes access points by their name (SSID), it is enough for the user to be near an access point controlled by the attacker. If it has the same name (and encryption type) as an access point that the user trusts and has added earlier, the iPhone automatically uses the malicious access point. This allows the attacker to add exploit code to any page the user views, simply by replacing the requested page with an exploit page.
  • Inadequate security settings on a forum. If the forum software does not properly process user-supplied data, users can embed potentially malicious code in their messages. An attacker can then cause the exploit to run in any iPhone browser that opens the page containing the message. (However, this would require some minor changes to our exploit prototype.)
  • A link sent by email or SMS. If an attacker can trick a user into opening a website, the attacker just needs to include the exploit code on the main page of that site.
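The name-based matching described in the first scenario can be contrasted with a stricter check that a monitoring tool can run over scan results. This is an added example, not code from ISE or from the original note; the allowlist, the scan data and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AP:
    ssid: str        # network name
    bssid: str       # MAC address of the access point's radio
    encryption: str  # e.g. "open", "WEP", "WPA2"

# Hypothetical allowlist: SSID -> (expected encryption, known BSSIDs).
TRUSTED = {
    "CoffeeShop": ("open", {"00:11:22:33:44:55"}),
    "HomeNet": ("WPA2", {"66:77:88:99:aa:bb"}),
}

def would_auto_join(ap):
    """Rule described in the text: match on name and encryption type only."""
    entry = TRUSTED.get(ap.ssid)
    return entry is not None and entry[0] == ap.encryption

def classify(ap):
    """Stricter check: the BSSID must also be one recorded for this network."""
    entry = TRUSTED.get(ap.ssid)
    if entry is None:
        return "unknown-network"
    expected_enc, known_bssids = entry
    if ap.encryption != expected_enc:
        return "encryption-mismatch"
    if ap.bssid.lower() not in known_bssids:
        return "possible-impersonation"
    return "trusted"

def audit(scan):
    """APs the name-based rule would join but the strict check rejects."""
    return [ap for ap in scan
            if would_auto_join(ap) and classify(ap) != "trusted"]

# Constructed scan results for the example.
SCAN = [
    AP("CoffeeShop", "00:11:22:33:44:55", "open"),  # the real access point
    AP("CoffeeShop", "de:ad:be:ef:00:01", "open"),  # same name and encryption
    AP("HomeNet", "de:ad:be:ef:00:02", "open"),     # same name, weaker encryption
    AP("Airport", "12:34:56:78:9a:bc", "open"),     # never joined before
]

if __name__ == "__main__":
    for ap in SCAN:
        print(ap.ssid, ap.bssid, classify(ap), would_auto_join(ap))
```

A BSSID can be forged as well, so a mismatch is a detection signal rather than proof of identity, and a legitimate network with several access points needs all of their BSSIDs in the allowlist.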


When Safari on the iPhone opens a malicious page, the arbitrary code included in the exploit is executed with administrator rights. In our prototype, this code reads the SMS message log, address book, call history, and voicemail data, and then sends all of this information to the attacker. However, this code could be replaced with arbitrary code that uses any of the iPhone's features. For example, it could forward the user's email passwords, send text messages that subscribe the user to paid services, or make an audio recording that is transmitted to the attacker.




Advice



We notified Apple of this vulnerability and proposed a fix for it. Hopefully they will include it in a future iPhone update. To protect yourself from this and similar vulnerabilities in the future, follow these rules (on the iPhone and on other devices).

  • Only visit sites you trust. If you do not visit the attacker's site, you remove one of the possible avenues of attack.
  • Only use WiFi networks you trust. If attackers control your Internet connection, they can add malicious code to any site you visit.
  • Do not open links from emails. Many currently known viruses send links to malicious sites in emails that may look as if they were sent by friends you trust.







My thanks to those who took the time to read the translation. I will be glad to receive any comments. If you have further information on this topic, please share it. Thank you for your attention.

