What it took to hack the iPhone

iPhone vulnerability also exists in Mac OS X

The iPhone vulnerability that could let hackers steal data or commandeer the device also exists in the desktop edition of Apple's Mac OS X operating system, the exploit's researchers said Tuesday.

Charles Miller, one of the three researchers from Baltimore-based Independent Security Evaluators (ISE) who found the bug and wrote proof-of-concept exploits, confirmed that the vulnerability in the iPhone version of Safari is also present in the desktop version of the browser. Safari is included with all Mac OS X installations.

The Windows version of Safari is also vulnerable. "[But] it may or may not be exploitable there," Miller said.

Miller, Jake Honoroff and Joshua Mason found the Safari flaw using what Miller described as "fuzzing" techniques. Fuzzing, a tactic commonly used by vulnerability researchers, drops random data into applications or operating system components to see if -- and where -- breakdowns occur. Typically, the process is automated with a fuzzer, software that hammers on application inputs.

Not that the iPhone made it easy. The lack of debugger, for example, required that Miller and the others turn to alternatives, including the Mac OS X crash reporter, which logs all crashes, for ways to probe the iPhone. "The crash reports contained the contents of registers and what libraries were loaded," giving the team some clues, Miller said. Others they gleaned by examining the phone's core applications, which they could pull off the device only using iPhoneInterface. That program, part of the results of a group effort at the iPhone Dev Wiki, lets researchers and hackers modify the phone.

"Between the crash reports and the core files, we had a good picture of the application when it crashed," said Miller. "We found a few crashes that stuck out from the rest."

With iPhoneInterface and another program named Jailbreak -- Miller called them "hacking tools" -- the three researchers were able to pull Safari off the iPhone, disassemble it on a Mac desktop machine, and modify it so that would crash at the code location where the researchers wanted. "It was trial and error," Miller admitted. Testing required the application to be returned to the iPhone, where it was run, generating another crash report.

"It was like 'fuzzing' for an exploit," said Miller.

Although the three are withholding details until Aug. 2, when Miller will reveal more at the Black Hat security conference, one security expert is betting that the Safari vulnerability is a buffer overflow bug. "The methods and results described [by the ISE researchers] hint at a buffer overflow," said Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's not entirely clear if they were intentionally crashing the application to get crash dumps to disassemble the code and look for flaws in general, or if the application crashed due to being fuzzed and hence the fuzzing activity reveled the bug."

Although their work was time-consuming, Miller doesn't see it as rocket science. Where they went, others will soon follow, he said. "The vulnerability was there, no harder to find than any other. We didn't do anything that was clever," he explained.

Apple may disagree if it's not able to issue a fix before the Aug. 2 Black Hat presentation. ISE reported its findings to the computer maker a week ago, on July 17, giving Apple just 16 days to patch Safari. "We gave them a patch," Miller said. "All they have to do it put it with an update." However, when contacted by Computerworld on Saturday, Apple spokeswoman Lynn Fox declined to say whether Apple would issue a patch in time.

Other iPhone applications may contain vulnerabilities as well, Miller warned. A Safari patch may not be the end of the device's troubles.

But would he give up his new iPhone? Not hardly. "It's like any other computer," he said. "As long as you're careful about the sites you visit and know what wireless access point you're connecting to, you should be safe."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?