iPhone's Bluetooth bug under the hacker microscope

Computerworld - Almost lost in the hubbub over Thursday's iPhone firmware update and whether it would "brick" unlocked phones was the fact that Apple Inc. patched 10 vulnerabilities -- twice the number of fixes issued since the phone's June debut.

The iPhone 1.1.1 update, which like previous upgrades is delivered through Apple's iTunes software, fixes seven flaws in the built-in Safari browser, two in the smart phone's Mail application and one in its use of Bluetooth, the short-range wireless technology.

The seven Safari vulnerabilities include several cross-site scripting (XSS) flaws, one that can disclose the URL of other viewed pages -- an online banking site, say -- and another that lets attackers execute malicious JavaScript in pages delivered by the SSL-encrypted HTTPS protocol. One of the Safari flaws, and an associated vulnerability in Mail, involve "tel:" links, which can be exploited by hackers to dial a number without the user confirming the call.

But it was the Bluetooth bug that got the attention of security researchers. Symantec's DeepSight threat network team pointed out the vulnerability in an advisory to customers today. "Reportedly, the Bluetooth flaw occurs when malicious Service Discovery Protocol (SDP) packets are handled; any attacker that is within Bluetooth range can exploit it remotely," wrote DeepSight analyst Anthony Roe in the alert. "Successful exploits are reported to allow the attacker to execute arbitrary code."

According to Apple's security advisory, the Bluetooth bug was discovered and reported by Kevin Mahaffey and John Hering of Flexillis Inc., a Los Angeles-based company that specializes in mobile security development and consulting. Flexillis may be best known for its reverse engineering of the exploit used to hack into several celebrities' T-Mobile cell phone accounts in 2005, include Paris Hilton and Vin Diesel.

The Bluetooth bug may prove to be dangerous to iPhones, Roe speculated, since the potential range of the technology is much greater than most people think. While Bluetooth's potential range -- and thus the maximum distance between attacker and victim -- is about 400 feet, "Several proof-of-concept Bluetooth antennas have intercepted Bluetooth signals at almost a mile," he said.

Roe also pointed out that HD Moore, the driving force behind the Metasploit penetration framework, had recently demonstrated that shellcode could be run on an iPhone. Moore, said Roe, proved that "exploiting security vulnerabilities affecting the iPhone is by no means out of reach."

In a post to his blog -- and to the Metasploit site -- on Wednesday, Moore said that because every process on the iPhone runs as root, and so has full privileges to the operating system, any exploit of an iPhone application vulnerability, such as Safari or Mail or Bluetooth, would result in a complete hijack of the device. Moore also announced that he would add iPhone support to Metasploit, which would make it much easier for hackers to access a vulnerable phone.