Possible iPhone Security Hole to be Demonstrated in Las Vegas

Three researchers using a handful of tools mostly developed by others over the few weeks since the product's introduction, claim they have successfully cracked the Apple iPhone. In a white paper released today, the group claims it can obtain clandestine, wireless access to any and all files, including personally identifiable information, stored on an iPhone, and it plans to demonstrate how this is done at the BlackHat security conference in Las Vegas next week.

In their white paper, Charlie Miller and two colleagues with the group Independent Security Evaluators give credit to Apple for paying some attention to security architecture, and for reducing the phone's attack surface by refusing to open its operating system to third-party applications.

But from there, things fall apart. While in one sense, the attack surface is reduced, they claim, the possibilities for exploits become more focused.

"Unfortunately, once an iPhone application is breached by an attacker, very little prevents an attacker from obtaining complete control of the system," the group writes. "All the processes which handle network data run with the effective user id of 0, i.e. the superuser. This means that a compromise of any application gives the ability to run code in the context of that application which has the highest possible privilege level."

Attacks may have been made easier, the group continues, by Apple's neglecting to employ address space randomization. As a result, malicious code can place calls to existing procedures based on their memory addresses, which are always the same.

The white paper refrains from giving an exact description of the exploit. However, a YouTube video posted to the group's Web site purports to show an iPhone launching a malicious Web page in Safari, pretending to be a bookmarked page. To the user, it merely appears to hang and then crash the browser. But a log file that appears in the video to have been transmitted through the phone appears to contain personally identifiable data.

According to the group, one possible vector of exploit concerns how the iPhone determines its access points. "Because the iPhone learns access points by name (SSID)," the group writes, "if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any Web page browsed by the user by replacing the requested page with a page containing the exploit."

Charlie Miller will represent the group, it says, during a demonstration session at the BlackHat security conference in Las Vegas on August 2.