Exploiting the iPhone

Speak with our analysts today at 1.443.270.2296

	Featured News
Case Studies Exploiting Android Exploiting Age of Conan Exploiting SecondLife Exploiting the iPhone Exploiting RFIDs Exploiting the iPhone Exploiting the iPhone Patch and details: Apple has patched the vulnerabilities we reported. Full disclosure at BlackHat: Dr. Charlie Miller presented the details of the exploit at BlackHat in Las Vegas on August 2 at 4:45. The slides from this talk are also available. Preliminary technical paper: A preliminary version of the paper describing the attack is available. The full version with details of the vulnerability and exploit will be available in the evening on August 2nd. New York Times article: A story in the New York Times about this work is available here. Welcome Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We notified Apple of the vulnerability and proposed a patch. Apple subsequently resolved the issue. A member of our team, Dr. Charlie Miller, presented the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd, 2007. How the exploit works The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example: An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit. A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.) A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website. When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker. An h.264 encoded video showing the exploit is also available. Mitigations We've notified Apple of the vulnerability and proposed a fix. Hopefully they will include a patch in a future iPhone update. To protect yourself from this and similar future vulnerabilities, there are a few best practices that can be followed (both on an iPhone and on other devices): Only visit sites you trust. If you don't visit attackers' sites, you give them one less attack vector. Only use WiFi networks you trust. If attackers have control of your Internet connection, they have the ability to insert exploits into any website you visit. Don't open web links from emails. Many current viruses send links to malicious sites in emails that look like they are from trusted contacts. Frequently asked questions Why did you do this? In our day jobs, we spend a lot of time carrying out similar attacks against both PCs and embedded devices. Because of all the hype surrounding the iPhone and the large amount of personal information stored on the device, we wanted to see what level of security the device currently provides for the user. Also, it was a great excuse to get everyone iPhones. Who are you guys? We're Charlie Miller, Jake Honoroff, and Joshua Mason, members of the software security team at Independent Security Evaluators, an information security consulting firm. Matt Green, Avi Rubin, Sam Small, and Adam Stubblefield were also involved in the project. If you're good at doing this kind of analysis, we're hiring. Have you told Apple? What are they doing about it? We have notified Apple and proposed a fix that they could include in a future iPhone update, but we don't know if they plan to do so. They responded and are looking into it. Should I turn my iPhone off and lock it in a drawer until Apple fixes this? Not unless you plan to do the same to all the other computers you own. The iPhone is an internet connected device running a relatively full featured software suite: this research shows that it is vulnerable just like many other similarly capable devices, both PCs and embedded systems. What can I do to avoid such attacks? The same things that you should do to avoid attacks on your laptop. Only visit sites you trust. Only use encrypted WiFi access points you trust. Don't open web links contained in email messages. Is it likely that there are other vulnerabilities in the iPhone? It's a near certainty. For example, every cause of Safari crashing on the iPhone is a potential vulnerability. And getting Safari on the iPhone to crash isn't that hard. Additionally, it's likely there are vulnerabilities in the other iPhone applications as well. Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons? We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them. Is the new vulnerability in the Mac or Windows versions of Safari? The vulnerability is also present in both the Mac and Windows versions of Safari, though it may or may not be exploitable there. Is it present in Mail on the iPhone? No. Could the vulnerability be used to `unlock' the iPhone from AT&T? We haven't looked into it. Media Contact You can contact us at media [at] securityevaluators.com. We can also be reached by phone at 443-270-2296.	January 30, 2012 Stephen Bono quoted in Gizmodo article. Read all News Featured Publications 2010 Kim Jong-il and me: How to build a cyber army to attack the U.S.. Read all Publications

Featured News

Case Studies

Exploiting Android

Exploiting Age of Conan

Exploiting SecondLife

Exploiting the iPhone

Exploiting RFIDs

Exploiting the iPhone

Patch and details: Apple has patched the vulnerabilities we reported.
Full disclosure at BlackHat: Dr. Charlie Miller presented the details of the exploit at BlackHat in Las Vegas on August 2 at 4:45. The slides from this talk are also available.
Preliminary technical paper: A preliminary version of the paper describing the attack is available. The full version with details of the vulnerability and exploit will be available in the evening on August 2nd.
New York Times article: A story in the New York Times about this work is available here.

Welcome

Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We notified Apple of the vulnerability and proposed a patch. Apple subsequently resolved the issue.

A member of our team, Dr. Charlie Miller, presented the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd, 2007.

How the exploit works

The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example:

An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.

When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.

An h.264 encoded video showing the exploit is also available.

Mitigations

We've notified Apple of the vulnerability and proposed a fix. Hopefully they will include a patch in a future iPhone update. To protect yourself from this and similar future vulnerabilities, there are a few best practices that can be followed (both on an iPhone and on other devices):

Only visit sites you trust. If you don't visit attackers' sites, you give them one less attack vector.
Only use WiFi networks you trust. If attackers have control of your Internet connection, they have the ability to insert exploits into any website you visit.
Don't open web links from emails. Many current viruses send links to malicious sites in emails that look like they are from trusted contacts.

Frequently asked questions

Why did you do this? In our day jobs, we spend a lot of time carrying out similar attacks against both PCs and embedded devices. Because of all the hype surrounding the iPhone and the large amount of personal information stored on the device, we wanted to see what level of security the device currently provides for the user. Also, it was a great excuse to get everyone iPhones. Who are you guys? We're Charlie Miller, Jake Honoroff, and Joshua Mason, members of the software security team at Independent Security Evaluators, an information security consulting firm. Matt Green, Avi Rubin, Sam Small, and Adam Stubblefield were also involved in the project. If you're good at doing this kind of analysis, we're hiring. Have you told Apple? What are they doing about it? We have notified Apple and proposed a fix that they could include in a future iPhone update, but we don't know if they plan to do so. They responded and are looking into it. Should I turn my iPhone off and lock it in a drawer until Apple fixes this? Not unless you plan to do the same to all the other computers you own. The iPhone is an internet connected device running a relatively full featured software suite: this research shows that it is vulnerable just like many other similarly capable devices, both PCs and embedded systems. What can I do to avoid such attacks? The same things that you should do to avoid attacks on your laptop. Only visit sites you trust. Only use encrypted WiFi access points you trust. Don't open web links contained in email messages. Is it likely that there are other vulnerabilities in the iPhone? It's a near certainty. For example, every cause of Safari crashing on the iPhone is a potential vulnerability. And getting Safari on the iPhone to crash isn't that hard. Additionally, it's likely there are vulnerabilities in the other iPhone applications as well. Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons? We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them. Is the new vulnerability in the Mac or Windows versions of Safari? The vulnerability is also present in both the Mac and Windows versions of Safari, though it may or may not be exploitable there. Is it present in Mail on the iPhone? No. Could the vulnerability be used to `unlock' the iPhone from AT&T? We haven't looked into it.

Media Contact

You can contact us at media [at] securityevaluators.com. We can also be reached by phone at 443-270-2296.

January 30, 2012
Stephen Bono quoted in Gizmodo article.

Read all News

Featured Publications

2010
Kim Jong-il and me: How to build a cyber army to attack the U.S..

Read all Publications