
Hackers Find Remote iPhone Crack

Posted by kdawson
from the jailbreaking-via-mortar dept.
Al writes "Two researchers have found a way to run unauthorized code on an iPhone remotely. This is different than 'jailbreaking,' which requires physical access to the device. Normally applications have to be signed cryptographically by Apple in order to run. But Charles Miller of Independent Security Evaluators and Vincenzo Iozzo from the University of Milan found more than one instance in which Apple failed to prevent unauthorized data from executing. This means that a program can be loaded into memory as a non-executable block of data, after which the attacker can essentially flip a programmatic switch and make the data executable. The trick is significant, say Miller and Iozzo, because it provides a way to do something on a device after making use of a remote exploit. Details will be presented next month at the Black Hat Conference in Las Vegas." The attack was developed on version 2.0 of the iPhone software, and the researchers don't know if it will work when 3.0 is released.
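The property the summary describes, that executable memory may only come from signed binaries and that data pages must never be flipped to executable, is something a defender can audit from a process memory map. The check below is an added illustration, not code from the article or the researchers: it runs over a constructed Linux-style /proc/<pid>/maps listing as a stand-in (the iPhone's own layout is not on the page), and the trusted-path allowlist is an assumption standing in for a real signature check.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in Linux /proc/<pid>/maps format (a stand-in for a process
# memory map; the iPhone's own layout is not on the page). Fields are:
# address-range perms offset dev inode path
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/app
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/app
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2c800000-7f1a2c801000 r-xp 00000000 00:00 0
7f1a2d000000-7f1a2d010000 rwxp 00000000 00:00 0 [anon:plugin]
7f1a2e000000-7f1a2e100000 r-xp 00000000 08:01 5678 /usr/lib/libsigned.so
7f1a2f000000-7f1a2f001000 r-xp 00000000 08:01 9999 /tmp/download.bin
"""

MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$")

# Hypothetical allowlist: stands in for "backed by an Apple-signed binary".
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def file_backed(self) -> bool:
        # Anonymous memory (mmap without a file, heap, stack) has inode 0.
        return self.inode != 0 and self.path.startswith("/")


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format lines; lines that do not match are ignored."""
    result = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m is None:
            continue
        result.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                              m.group(3), int(m.group(4)), m.group(5).strip()))
    return result


def find_violations(mappings: List[Mapping]) -> List[Tuple[str, str]]:
    """Return (start address, reason) for every executable region that a
    'code only from signed files' policy would reject."""
    findings = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue  # data pages are fine as long as they stay non-executable
        if "w" in mp.perms:
            findings.append((hex(mp.start), "W+X mapping"))
        elif not mp.file_backed:
            findings.append((hex(mp.start), "anonymous executable mapping"))
        elif not mp.path.startswith(TRUSTED_PREFIXES):
            findings.append((hex(mp.start), "executable file outside allowlist"))
    return findings


if __name__ == "__main__":
    for addr, reason in find_violations(parse_maps(SAMPLE_MAPS)):
        print(addr, reason)
```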
  • frost pist (Score:4, Funny)

    by Anonymous Coward on Tuesday June 16, 2009 @08:16AM (#28346251)
    Apple are brown hatters, not black.
  • Is this good news. (Score:5, Insightful)

    by jellomizer (103300) on Tuesday June 16, 2009 @08:17AM (#28346261)

    Does that mean if we go to the "wrong" web site we can enable Wi-Fi tethering without having to pay extra?

    • Re: (Score:2, Redundant)

      by Krneki (1192201)
      Apple or the carriers charge for Wi-Fi tethering? And you actually bought a device configured that way?
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Only if you want to risk losing your service. Tethering without a tethering plan is a violation of AT&T's terms of use. It seems to me that it would be pretty easy to detect. For instance, they could check your browser agent information when you make HTTP requests. They could also look for connections over known ports that would imply you're not on a phone (such as a WoW connection). It seems there are several ways AT&T could spot that you're using a tethered connection without paying for it. So eve

      • by Dare nMc (468959) on Tuesday June 16, 2009 @10:51AM (#28347619)

        imply you're not on a phone

        Exactly, imply. If you're allowed to install apps on your phone, everything you point out is possibly a new app that AT&T doesn't know about, and it would be a pain if AT&T's permission were required to install/run each new type of app. Granted, for the I-Phone crowd, requiring permission to install/use an app isn't uncharted territory. But for the rest of the smart phones, this wouldn't be very nice.

      • by qopax (782239)

        or, you know, you could have some balls and use the bandwidth you pay for $30 a month in any way you want until they tell you otherwise

  • by forand (530402) on Tuesday June 16, 2009 @08:20AM (#28346283) Homepage
    The title and summary are very misleading. The exploit is to run unauthorized code. They have not presented an injection path. While this is not good it is not as bad as having a "Remote iPhone Crack."
    • Re: (Score:2, Informative)

      Well, you're also being a bit misleading. The exploit is to remotely cause unauthorized code to run. What is most misleading about this is that it requires the phone to be jailbroken. It won't work on an OOTB iPhone.

      • by forand (530402)
        I would disagree with your statement that "The exploit is to remotely cause unauthorized code to run," since they provide no way to obtain remote access. That is, the exploit is, as I state above, to run unauthorized code. As it stands you have to both install that code and have physical access to the device to run the code.
        • Re: (Score:2, Informative)

          FTFA:

          But Miller found more than one instance in which Apple failed to prevent unauthorized data from executing. This means that a program can be loaded into memory as a nonexecutable block of data, after which the attacker can essentially flip a programmatic switch and make the data executable.

          The code does not need to be installed, merely downloaded and loaded into memory. The article does not say whether or not they found a remote exploit to make the data executable. Perhaps it is presumed that one will be found.

    • by asifyoucare (302582) on Tuesday June 16, 2009 @09:15AM (#28346671)

      I assumed that when I got to the bit that said "kdawson".

    • Perhaps, but this activity is the kind of thing Apple used as reason to not allow users their software freedom with their own phone. Around the time of the iPhone's introduction Steve Jobs told Newsweek [msn.com]:

      "You don't want your phone to be an open platform," meaning that anyone can write applications for it and potentially gum up the provider's network, says Jobs. "You need it to work when you need it to work. Cingular doesn't want to see their West Coast network go down because some application messed up."

      Lea

    • Exactly. And this was on 2.0, and 3.0 is out already. Nothing to see here.
  • Phone Viruses (Score:5, Interesting)

    by Logical Zebra (1423045) on Tuesday June 16, 2009 @08:24AM (#28346297)

    To this date, I cannot think of any cell phone viruses that have existed and spread. I would assume that is because pretty much every cell phone is different, and writing a virus for one specific phone would be a waste of time, since it would represent only a fraction of a percent of the user base. (Usually, when you write a virus, you want it to spread as far and wide as possible, right?) However, with the popularity of the iPhone, I could see a malicious person writing a virus that would infect all of the Apple phones out there, since there are a lot of iPhones on the networks.

    Could this crack be used for that? If so, are we going to see an antivirus program on the next iteration of the iPhone?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Might this be the dawn of the first "apple virus" that all Mac users claim will never happen? :-)

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        When I was in high school many eons ago, the game we would play was how many viri can you get on 1 floppy. We did this on Macs. I had a record of 8 :)

        Are the newer Macs more impervious? Perhaps. But I would venture to say MS has a leg up on them here in that they live it and breathe it every day. To Apple it is an abstract thing just due to simple market share.

        But a botnet of 300k in remote devices that can CALL people that would be very attractive to a spammer. The payload being a recorded message. T

        • "To Apple it is an abstract thing just due to simple market share."

          I see how you sneaked that one in there, a sweeping statement that it is part of a much larger debate about the non-prevalence of viruses on Macs.

          Much as no-one wants a diversion from the main thrust of this topic, you cannot be allowed to sneak away with such a fallacious and ill-considered statement.

          • Correct. The only fallacious and ill-considered statement allowed on /. is that "OSX is virus and malware proof just because Apple made it fully secure, and not at all because its market share is close to being in single digits."
      • "all" Mac users (Score:1, Insightful)

        by Anonymous Coward

        Might this be the dawn of the first "apple virus" that all Mac users claim will never happen? :-)

        I know you put the smiley there, but still: who are "all" of these Mac users? I have OS X at home (Unix admin for $WORK), and I partly run OS X because there is currently no malware for it. Just as I prefer Unix for servers as they're a small target as well--in general I avoid Windows whenever I can.

        There actually were viruses for Mac OS in the pre-X (10) days, but no one's bothered to really try since the current Unix-based OS came out.

        Hopefully Apple will put in measures like ASLR, or SELinux-like protect

    • by think_nix (1467471) on Tuesday June 16, 2009 @08:45AM (#28346439)

      To this date, I cannot think of any cell phone viruses that have existed and spread.

      Windows Mobile ?

      • Re:Phone Viruses (Score:5, Interesting)

        by MrCrassic (994046) <deprecated.ema@il> on Tuesday June 16, 2009 @09:30AM (#28346807) Journal
        I know that you were aiming for a "Funny" moderation, but now that I'm back on Windows Mobile after having tried phones from RIM and Apple, I'm finding that it's actually very, very versatile.

        While Windows Mobile is infamous for little bugs and freezes, it actually makes for a very complete mobile platform. Users can edit their Office documents on it, browse the web with it (even easier in WM6.1), play all sorts of media, and find lots of other uses for it. Furthermore, while iPhone OS is becoming just as versatile, it is nowhere near as customizable right off the bat, and application development is much more stringent.

        Though I won't lie that it's nowhere as pretty and suave as using the iPhone, nor will it ever be (at least not in the immediate future).
        • Re:Phone Viruses (Score:4, Insightful)

          by Krneki (1192201) on Tuesday June 16, 2009 @10:01AM (#28347093)
          Isn't this the same for the whole Windows Vs Mac flame war? Design vs functionality, where security is the last concern.
        • Re: (Score:3, Informative)

          by iron-kurton (891451)

          ...application development is much more stringent

          Not only is it more stringent, but a helluva lot more frustrating in my opinion, because of XCode, IB, and Objective-C. Anyone have any insight into why they chose that language??

      • Not sure why this was modded funny, since there is a huge winmo population of phones... granted across different manufacturers, but the underlying code is the same.

        Then, in addition to WinMo, there is Symbian. Aren't all Nokias Symbian-based? That's millions of phones...

      • by Carewolf (581105)

        Well, Nokia is the Microsoft of the mobile industry. There was a whole range of SMS viruses for Nokia some five years back; I think they finally started to validate the SMSes better now.

    • by gclef (96311)

      Oh, they exist. You're right that they're not as widespread as regular ones, since the hardware and software world is much more diverse. But they are there. For example, there was a talk at Black Hat 2007 about them (slides [blackhat.com]). One interesting side part of that talk for me was the question of how to research a cell phone virus without risking infecting the production network. (The answer: one hell of a Faraday cage around the lab.)

    • Re:Phone Viruses (Score:4, Informative)

      by Hurricane78 (562437) <deleted@slashBLUEdot.org minus berry> on Tuesday June 16, 2009 @09:20AM (#28346709)

      What "lot" of iPhones are you talking about? Here in Germany, the iPhone is one of the rarest phones on the market. Because it's double the price of the best Nokia, and has only half the features. And I bet this will be the case for most of the world.

      If you want to get a virus going, make it run on Symbian. Or with some luck, you can use J2ME, which pretty much every phone supports, but which is a bit hard to get to do something useful (because of the additional VM/Sandbox).

      • Re:Phone Viruses (Score:4, Informative)

        by peppepz (1311345) on Tuesday June 16, 2009 @10:22AM (#28347291)

        If you want to get a virus going, make it run on Symbian.

        On ancient Symbian versions, perhaps. After S60v3 they added that darn platform security that won’t even let you execute your own code, let alone third-party viruses.
        Pirates periodically find cracks, but they tend to be model- and firmware-version-specific.

      • The lot of 11% of global smart phones, about 4 million devices? http://www.fiercedeveloper.com/story/iphone-captures-11-global-smartphone-os-share-q1/2009-05-25 [fiercedeveloper.com]

        Sure it's not the most abundant, but 4 million devices is still a lot of devices...
        • Just this year (Fiscal) they've sold over 8 million... http://en.wikipedia.org/wiki/File:IPhone_sales_per_quarter.svg#Data_and_references [wikipedia.org]
        • He's just saying that most iPhone sales ought to be in US. Here in Brazil an iPhone costs around 800 US with 1 year contract* so one might say they are not the most popular phone around.

          * Excluding eBay derivatives which import the phone from somewhere else.
        • Re: (Score:3, Insightful)

          by takev (214836)

          Thing is, non-smartphones in Europe have more features than the iPhone. It's just that the interface sucks on most of these phones.
          I am going to get the iPhone because I want a device with a good user interface (currently I don't use the mp3 playback on my phone, mostly because it requires a dock connector on the headphone), and I find that the new iPhone finally has a decent camera in it.

          Although the user interface of the camera on my current phone (Sony Ericsson) is the best, bar none: slide open, press the

      • Here in San Francisco, I am pretty sure everyone and their mother has an iPhone. It feels like a novelty to see another phone.

    • by rgviza (1303161)

      It might be more prudent to fix the unsigned code execution vulnerability first, but phone antivirus is a good idea and would be innovative.

    • I run the VNC server on my phone (veency) and I constantly get requests to connect while I am on the AT&T network.

      Just to illustrate your point

    • Viruses spread not because a computer can be broken into, but because a computer can be broken into AND because it can broadcast the virus to other computers.

      That's why there were no wild Palm OS viruses even when Palm had 80% of the market for years, because the only way to transfer the infection from one Palm to another was for the owner of the infected Palm and the target to deliberately beam a file from one to another.

      For cellphones, there's even fewer opportunities for infection, because iPhone owners

      • by slashkitty (21637)
        You're thinking of worms, not viruses. Viruses do not need to be able to 'broadcast' to spread. They spread via contact or in the old days, infected disks.
        • by argent (18001)

          Active worms or passive viruses, they still need an infection vector. Without traffic between phones to piggyback on, there's no vector, and no propagation of the virus.

  • Capt Crunch? (Score:2, Interesting)

    by Anonymous Coward

    Is there any irony in that some early Apple folks started out phone phreaking?

    • Re: (Score:3, Insightful)

      by bsDaemon (87307)
      I hate the term "phone phreaking" -- it just fills my mind with images of Woz whipping out the Blue Box to make crank calls which inevitably involve the phrase, "so, what are you wearing?" while doing horrible things to himself without any hot grits in sight.....ewww....
    • They went from blue boxes to beige boxes to white boxes. Now the white boxes themselves are getting blue-boxed ;-)

      That is, play the right piece of software at 2600 Hz into the iPhone microphone and you can use it to access the whole network instead of Apple and AT&T's walled garden.

      Only this time, the wall is on your phone and not the network.

  • Chances (Score:1, Insightful)

    by s1lverl0rd (1382241)

    Well, it's all just chance calculation. Let's say that 1 million iPhones/iPod Touches were sold. Let us then assume that 0.5 percent of the people that buy an iPhone are Evil Haxx0rz and want to hack their new phone. I guess that no more than a half percent of *that* group succeed in finding a way to execute arbitrary code.

    One of the 25 is holding his speech at the Black Hat conference in Las Vegas.

    • by vadim_t (324782)

      You're not making any sense.

      Somebody wanting to mess with their own phone is not an "Evil Haxx0r". Nor do they need this, since they can jailbreak it already.

      What this gives to a real "Evil Haxx0r" is the ability to mess with your phone. And though as you point out the amount of people with the ability to do such things is small, it can also be quite profitable, and programs that make it easy can be made, which will let every script kiddie on the planet exploit your phone with one click.

  • This is news? (Score:2, Insightful)

    by lseltzer (311306)

    TFA makes it sound like there have never been any remotely exploitable vulnerabilities in the iPhone before. There have been dozens of exploitable bugs in Webkit, for example. The fact that no phones were cracked at Pwn2Own didn't prove they weren't crackable.

    • Re: (Score:2, Interesting)

      In fact, the first widely used jailbreaking technique involved exploiting Safari on the iPhone to crash it and inject code - there was in fact a website you could visit to jailbreak your iPhone simply by clicking on a link.
      • Actually it was a libtiff exploit (open source, but old version) that the iPhone used, not a bug in Safari itself.
  • As I recall, Microsoft used to have an API call called PrestoChangeo or some such that did this. Probably in Win16. Always thought that changing a chunk of data into executable code was a bad idea. I would have thought such nonsense was a thing of the past, but who knows, maybe that same or a similar API still exists. (I'm an old guy and I don't get down to the system-level calls much anymore; someone younger will need to look.)

  • Someone correct me if I'm wrong, but doesn't the iPhone API specifically prevent 3rd-party apps from accessing sensitive areas? For instance, non-system apps can't access things like your personal address book. Would those additional controls mitigate the exposure here to the non-sensitive user space?

    Don't get me wrong. Any exposure is bad, but the summary makes this sound like some full blown windows remote code execution issue.

    Are there any iPhone developers who can chime in with some insight?
    • From the blurb: This means that a program can be loaded into memory as a non-executable block of data, after which the attacker can essentially flip a programmatic switch and make the data executable.

      They have found a bug in the protection mechanism which prevents the type of exploit of which you talk.
    • Re: (Score:3, Insightful)

      by moon3 (1530265)
      iPhone Access Structure is locked down

      Sure, and btw, nicely designed Apple tinfoil hat.
      • Re: (Score:1, Troll)

        by DJRumpy (1345787)
        Considering the iPhone OS underpinnings are based on Unix, I don't think the hat would be made out of tin...
    • by jeff4747 (256583)

      Would those additional controls mitigate the exposure here to the non-sensitive user space?

      It wouldn't be much of a 'hack' unless it included privilege escalation.

  • by AntiRush (1175479) on Tuesday June 16, 2009 @09:45AM (#28346923) Homepage
    I haven't done the legwork but it appears that an attack vector exists via the App Store. Applications allow downloading of data files (podcasts, for example).

    Simply get your application published and give people some incentive to download it (for free). Once your intended target or target quota has installed it, download a "media file" that's actually the malicious binary. Then it's just a matter of smashing your own application's stack to run the code.

    • Re: (Score:3, Insightful)

      I haven't done the legwork but it appears that an attack vector exists via the App Store. Applications allow downloading of data files (podcasts, for example).

      Simply get your application published and give people some incentive to download it (for free). Once your intended target or target quota has installed it, download a "media file" that's actually the malicious binary. Then it's just a matter of smashing your own application's stack to run the code.

      The "simply get your application published" bit, though not impossible to avoid, would leave a trail leading all the way up to you.

      You'd get more satisfaction out of creating a Windows virus.

  • Details of the exploit will be presented next month...

    My remote iPhone exploit is a Canadian supermodel.
