HD Moore takes iPhone exploits public
He says the device will still be vulnerable even after Apple patches it
Computerworld - Noted hacker HD Moore has publicly posted exploits that take advantage of a vulnerability in Apple's iPhone, the same flaw that's been used by others to unlock the smart phone so it will work on non-AT&T networks.
The vulnerability, which is in the TIFF image-rendering library shared by the iPhone's Safari browser and its e-mail program, as well as by the iTunes software, leaves the iPhone wide open to attack, said Moore, who posted a second, and more robust, exploit today after debuting attack code yesterday.
"This exploit is rock solid," Moore said in an interview. "It's very reliable, as reliable as the WMF [Windows Metafile] exploits in Windows. You can send it in an e-mail, you can embed it in a Web page."
Although the vulnerability is the same as the one leveraged by hackers such as the iPhone Dev Team to return unlock capabilities to iPhones updated to Firmware 1.1.1 last month, Moore said that's the only similarity between his work and the activities of unlockers. "I wanted an exploit that would write any arbitrary payload" to the iPhone, rather than the specialized changes made for an unlocking hack, Moore said.
He claimed success. "The second exploit works on 1.0, 1.0.1, 1.0.2 and 1.1.1 iPhones," he said, referring to the four versions of the phone's firmware released since the device's June debut.
Although he expects Apple to plug the TIFF vulnerability in the next iPhone update -- a move that many interested in unlocking the iPhone have also predicted and bemoaned -- Moore also said it wouldn't matter. Citing the history of the vulnerability, which was also present in the Sony PlayStation Portable (PSP), he said attackers will be able to exploit the flaw in the future, even if Apple fixes it.
"All they'll need to do is back port the firmware to an earlier version that's vulnerable," said Moore. "Apple has to leave a way to restore an iPhone back [to previous versions of the firmware]."
The same technique was used to hack the Sony PSP after Sony issued an update that patched the TIFF vulnerability on that video game player.
In notes posted to customers of its DeepSight threat management network, Symantec Corp. warned iPhone users of Moore's exploits and recommended they use caution when browsing the Web, handling unsolicited e-mail and dealing with suspicious or unexpected music files.
But Ollie Whitehouse, a software architect with Symantec's security response team, downplayed the iPhone's apparent insecurity. "The iPhone isn't any different from other mobile platforms," he argued. "It's only the interest from the security research community that makes it seem different."
Moore disagreed. "I think the iPhone is pretty terrible," he said, referring to its level of security. "It's an easy platform to exploit." That's true in part, he explained, because exploiting any iPhone application gives root access to the entire phone. But other security weaknesses abound, including ones in the Safari browser and in the underlying operating system -- a scaled-back version of Mac OS X -- that runs the device, he added.
Moore has added the exploits to Metasploit, the popular penetration framework, a move that in the past has meant in-the-wild attacks are not far behind. He predicted that malicious code exploiting the TIFF vulnerability would be on the loose "pretty soon."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts