First iPhone Vulnerability Comes to Light

When a new product ships, the first thing hackers — good and bad — do is poke around in the product’s internals to see what they can accomplish. Pretty much every videogame console has had Linux installed on it within days of being released.

In the case of the iPhone, hackers have been trying to make it work with other wireless services than AT&T or making all of its features usable without having to activate the cell phone service.

Security firm Independent Security Evaluators (ISE) found a vulnerability in the iPhone version of Safari that would grant a program or user complete access to the phone. iPhone uses a stripped-down version of Apple’s OS X software, which includes the Safari browser.

The company has informed Apple , CERT and Yahoo, because part of the problem involves Yahoo’s use of IMAP e-mail servers. The plan is to show off and discuss the vulnerability at the upcoming Black Hat security conference in Las Vegas next month, and hopefully Apple will have a fix available by then.

Apple did not respond to inquiries for comment.

Safari had to be included in the iPhone because it was the platform for building third-party applications. Apple was in a no-win situation when it came to third-party applications on the iPhone, according to Sam Masiello, director of threat management at security firm MX Logic. At first, it said third-party apps would not be allowed on the iPhone, then it relented.

“Apple couldn’t win either way,” said Masiello. “In the end, they decided to side with folks who wanted to develop apps for the phone. Any time you make that decision, then from a security standpoint they open themselves up.”

ISE has documented (PDF file) the vulnerability to a point. It doesn’t want the vulnerability to be widely known until Apple can address it.

More troubling to Jake Honoroff, a security analyst with ISE who found the problem, was the lack of security within the iPhone. Once you breech its outer walls, the whole phone is yours because there are no internal security mechanisms.

All the processes that handle network data run with the effective user ID of 0, or a super user. This means that a compromise of any application gives the ability to run code at the highest possible privilege level. So even if Apple fixes the Safari hole, any new holes within the iPhone mean, once again, complete access to the phone is possible.

“We consider that to be a serious issue, given that a remote attack against any of the apps would basically give you full access to the iPhone,” Honoroff told

According to the report, the exploit can read the log of SMS messages, the address book, call history or voicemail data and transmit it to a third-party site. Because a user would have complete control of the phone, it could be used to call anywhere in the world or transmit data via Wi-Fi.

The exploit can be accessed one of two ways: by following a link to a Web page with software crafted to take advantage of the vulnerability, or through a Wi-Fi access point that can reroute the iPhone’s traffic.

Honoroff and Masiello offer the same advice used so often with security problems; don’t go to Web sites you don’t know, especially if sent from an unknown sender, and don’t connect to a public Wi-Fi network you don’t recognize.

ISE also found a second problem. Most e-mail servers use IMAP (Internet Mail Access Protocol), but Yahoo Mail uses its own protocol, XYMPKI, and this protocol does not support TLS (Transport Layer Security) like IMAP does. This would allow for someone to eavesdrop on the phone doing an authentication exchange on a Wi-Fi network and gain full access to the user’s e-mail account.

Honoroff said he hasn’t heard any more from Apple, and has thus far only focused on the Safari and e-mail problems. The problem is apparently in the Mac version of Safari as well, he said, but it only causes a crash, not complete access to the computer.

“We know that it causes a crash on the desktop. Just because something causes a crash doesn’t necessarily mean it’s exploitable. We haven’t looked into the desktop problem yet, just iPhone.”

News Around the Web