Vulns. in iPhone found from fuzzing (and gamegame6)

Can you hear me now? It's Monday's IT Blogwatch: in which we worry about iPhone vulnerabilities. Not to mention the weirdest game in the world...

Gregg Keizer reports:

Three security researchers claimed Sunday that they have found the first exploitable vulnerability in Apple Inc.'s iPhone, a flaw that allows them to steal any data from the device or even turn it into a remote surveillance tool. The trio -- Charles Miller, formerly with the National Security Agency; Jake Honoroff; and Joshua Mason of Baltimore-based Independent Security Evaluators (ISE) -- notified Apple of the vulnerability ... July 17 ... Miller will provide more information on the vulnerability and exploit at the upcoming Black Hat 2007 security conference, which opens next Saturday, July 28, in Las Vegas.


According to a paper posted by the three (PDF format), they rooted out a vulnerability in the iPhone's version of Safari using "fuzzing" tools and wrote a proof-of-concept exploit that can be delivered from a malicious Web site or using "man-in-the-middle" tactics to trick users into connecting to a malicious wireless access point. Once the exploit runs, it's essentially game over ... the iPhone is owned ... The researchers claimed that a second exploit actually operated the iPhone remotely once the device was hijacked.


The paper by Miller, Honoroff and Mason also spelled out a number of weaknesses in iPhone's security architecture, although it didn't specifically pin the vulnerability on any of those flaws. One, however, most likely contributed to the reach of the exploit ... The ISE researchers have also posted a 1:20-minute video of their hack in action on YouTube. [read more]

John Schwartz has more:

A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device ... [and] allowed them to tap the wealth of personal information the phones contain.


Dr. Miller ... demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design. Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.


Dr. Miller had already been exploring weaknesses in the computer versions of Safari, Apple’s Web browser, and was planning to reveal that vulnerability, a relatively common kind of flaw known as a buffer overflow, at the Black Hat computer security conference next month. Dr. Miller instantly thought to see whether the phone, which uses a version of Safari, would be as vulnerable. [read more]

ISE head-honcho Avi Rubin justifies its actions:

Although I still love my iPhone for its beautiful interface, well thought out features, and incredible screen, I'm now disappointed that it was not built more securely ... [we] were able to take complete control of the iPhone device and run arbitrary shell code.


I believe that there is a social responsibility to report it when a device is vulnerable to attackers. People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high tech devices. In addition, vendors are much more likely to produce devices that are more secure if they know that independent security experts such as my team at ISE are likely to try to break them and to expose any vulnerabilities we find. Just look at the history of Microsoft's software security problems. They started paying attention when they were repeatedly embarrassed by the exposure of vulnerabilities. Now they put more effort into writing secure code than almost anyone. [read more]

Will Park likes to think of himself as a digital warrior, apparently:

The iPhone has finally succumbed ... We wish we could kick off the new week with news that the iPhone’s GSM radio has finally been cracked to work on non-AT&T networks. Instead we’re going to tell you about the first ever malicious-code exploit on the iPhone.


So, how do you keep this particular vulnerability from biting you in the you-know-where? Don’t click on any links embedded into emails; only visit trusted websites; never use an untrusted wireless access point and you’re in the clear (at least as far as this exploit is concerned). [read more]

Jesus Diaz takes his own name in vain: [you're fired -Ed.]

While security flaws in the iPhone were expected, what is surprising is that they have appeared so early in the game. Or maybe not, because given its JesusPhone status, security companies and hackers all over the world must be racing to get a piece of its media darling pie. [read more]

Michael Rose, by any other name would smell as sweet:

Is this a very bad thing? Not necessarily; it's not a zero-day vulnerability, the research team is communicating with Apple, and there is no released exploit code out there in the big bad Internet that can currently zombify your iPhone. Unlike many smartphones, which may not have a frequent firmware update mechanism, the iPhone is syncing to iTunes constantly and can be updated at any point, so one would hope this gets patched rapidly.


Is this, on the other hand, a top-notch opportunity for some iPhone and Mac OS X security FUD from the Grey Lady? You betcha ... This exploit does not allow an attack from a remote machine on a shared WiFi network that is uncompromised; you'd have to connect to a WLAN specifically configured and owned to catch iPhones. If you use WiFi only when you have access to a trusted WLAN, you're in the clear.

The exploit allows running arbitrary code, so both the Times and the exploit page suggest that this could theoretically be used to record and transmit room audio to an attacker. Only one problem with that plan: the iPhone's recording capability is itself theoretical at this point, and no application or sample code to do this is available.

You might think from reading the article that this vulnerability isn't only the first for the iPhone but the first ever reported on any smartphone anywhere ... [but I found] reports of vulnerabilities both in IE for Windows Mobile and in MMS, which could be exploited simply by the recipient opening a malicious message. Even the corporate-friendly Blackberry platform has a security problem, where the Blackberry Enterprise Server could open a back-channel for evil Java apps to target internal systems. The only thing extraordinary about an iPhone vulnerability is the publicity to be gained by discovering one. [read more]


And finally... Weirdest game in the world [hat tip: b3ta]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at

Copyright © 2007 IDG Communications, Inc.
