Hackers intent on unlocking Apple's iPhone for use with carriers other than AT&T -- and for using third-party applications -- exploited a bug in the device's handling of TIFF images. But that same bug can be used for far more nefarious exploits, renowned hacker HD Moore reported on his Web site, The Metasploit.
Moore posted to the site an exploit that would allow a hacker to insert malicious code onto someone's iPhone to access the device's . Because the flawed TIFF library is used by the iPhone's Web browser, e-mail program, and iTunes software -- and because all of those programs run as root processes -- one of the iPhone's undocumented "features" is a gaping hole.
Unlike the unlocking hackers, Moore said, "I wanted an exploit that would write any arbitrary payload" to the phone. "This exploit is rock solid. It's very reliable," he said. "You can send it in an e-mail, you can embed it in a Web page."
Susceptible to Drive-By Attacks
Moore's research revealed the true extent of the TIFF bug, Andrew Storms, director of security operations for nCircle, said in an e-mail. If weaponized, Storms explained, the assault will present itself as a drive-by attack in which sites host seemingly innocuous images and other media that actually perform dangerous actions when rendered in a Web browser on the iPhone.
And, Storms said, the TIFF vulnerability and Safari bugs are "just problems which lie at the surface of the iPhone." Storms pointed out that in a BlackHat 2007 talk, Chris Miller at Independent Security Evaluators disclosed that all processes on the iPhone run privileged as root. "This architectural discovery in the iPhone means that any compromise of the device results in providing the attacker with privileged access."
Moore noted the root-process issue on his Web site, writing, "Having a network-enabled root shell in my pocket is great, but being able to pop a root shell on someone else's iPhone is even better." The security implications might be significant. "Any security flaw in any iPhone application can lead to a complete system compromise," Moore wrote.
"A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," he added.
Shunned by the Enterprise
Apple should be thanking researchers like Moore and Miller, Storms said, for helping them make the iPhone more secure. "Apple is in a unique position compared to other smartphone providers," he said, because the company can update the iPhone's firmware with an online-update strategy with which users are comfortable. "Given all the public and privately known vulnerabilities in other smartphones, by the end of this year the iPhone might just end up being the most secure consumer smartphone available."
But Apple must provide centralized tools for managing configuration and compliance of an iPhone. Until then, he said, "it will continue to be shunned by enterprises. No matter how useful or ingenious the device may be, they simply cannot consume another device where private data could be leaked."
Imagine a corporate CEO or director loading all of his or her contacts onto the phone. Or an HR manager loading employee data. "One of these attacks could provide a method to retrieve all the stored on the iPhone," Storms said. Even worse, imagine that trade secrets or intellectual property are stored on a compromised phone.
A less likely but still conceivable scenario, Storms said, involves an enterprise allowing the iPhone's VPN client access to a private network. "The attacker may be able to use the VPN tunnel to gain access to further resources," Storms said.