Researchers at Independent Security Evaluators said their sample iPhone exploit could be replaced with malicious code that could remotely force the iPhone to do just about anything. For example, the iPhone exploit could be made to send the iPhone's e-mail passwords to the attacker or even record and relay audio on the iPhone.
A group of U.S. security researchers claims to have discovered an iPhone flaw that can open the door for malicious hackers to take control of the smartphone remotely.
While Jon Lech Johansen, also known as "DVD Jon," was busy cracking the activation codes for the iPhone, a team at Independent Security Evaluators set out to investigate how difficult it would be for a remote adversary to compromise private information stored on the new handset.
"Within two weeks of part time work, we had successfully discovered a vulnerability ... and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker," the researchers wrote.
Safari Web Exploit
According to the researchers, the exploit can be delivered via a malicious Web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might leverage to get a victim to open such a Web page, said the security researchers. These vectors include an attacker-controlled wireless access point, a Web site forum, or a link delivered via e-mail or SMS.
When the iPhone's version of Safari opens the malicious Web page, the researchers said, arbitrary code embedded in the exploit is run with administrative privileges. In the proof-of-concept exploit, the code reads the iPhone's log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker.
The researchers said their sample exploit could be replaced with code that could do anything that the iPhone can do. For example, it could send the user's e-mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed remotely.
Hack Called 'Interesting'
Michael Sutton, a security evangelist at SPI Dynamics, called the hack "interesting." It illustrates the severity of client-side attacks, he explained, especially now that client-side devices are becoming much more powerful and contain an ever-increasing amount of sensitive data.
"The cell phone is no longer just a cell phone. It is a computer, just like the one that sits on your desk, with much of the same confidential data," Sutton said. "As such, it must be protected with the same security controls, but, unfortunately, we're not yet seeing that."
For those iPhone users wishing to protect themselves from this bug and similar future vulnerabilities, Dr. Charles Miller and his colleagues at Independent Security Evaluators recommended several best practices that sound similar to what security firms tell PC users: Only visit sites you trust, only use Wi-Fi networks you trust, and don't open Web links from e-mail.
Miller plans to present the full details of the vulnerability discovery and the exploit creation at the BlackHat security conference on August 2. The company has notified Apple and proposed a patch. Apple could not immediately be reached for comment.