Researchers claim first iPhone vulnerability

First exploitable vulnerability found in Apple's iPhone

Three security researchers claimed Sunday that they have found the first exploitable vulnerability in Apple's iPhone, a flaw that allows them to steal any data from the device or even to turn it into a remote surveillance tool.

The trio -- Charles Miller, formerly with the National Security Agency; Jake Honoroff; and Joshua Mason of Baltimore-based Independent Security Evaluators (ISE) -- have notified Apple of the vulnerability and given the company less than two weeks to fix the bug before Miller presents more information at the Black Hat conference on Aug. 2.

According to a paper posted by the three, they rooted out a vulnerability in the iPhone's version of Safari using "fuzzing" tools and wrote a proof-of-concept exploit that can be delivered from a malicious Web site or using "man in the middle" tactics to trick users into connecting to a malicious wireless access point.

Once the exploit runs, it's essentially game over, the researchers said: The iPhone is owned. "In our proof of concept, this code reads the log of SMS messages, the address book, the call history and the voicemail data," the researchers wrote on the ISE site. "It then transmits all this information to the attacker."

But wait -- there's more!

That, however, could be just the beginning.

The researchers claimed that a second exploit actually operated the iPhone remotely once the device was hijacked. "When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced [the iPhone] to make a system sound and vibrate for a second," they said in the paper. "Alternately, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party."

The vulnerability was reported to Apple last Tuesday, July 17. "We proposed a fix they could include in a future iPhone update," the researchers said, "but we don't know if they plan to do so. They responded and are looking into it."

In an e-mail late Sunday night, Apple spokeswoman Lynn Fox would only say: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We're looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security." She declined to answer questions about the Aug. 2 deadline, whether Apple would issue a patch before then, or what the company thought of the way the trio disclosed the vulnerability.

Miller will provide more information on the vulnerability and exploit at the upcoming Black Hat 2007 security conference, which opens next Saturday, July 28, in Las Vegas.

But is this the ethical way?

ISE's president, Avi Rubin, defended the decision to announce the existence of the vulnerability prior to a patch being made available by Apple. "Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers," said Rubin on his own blog Sunday. "People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high-tech devices." Rubin is familiar to many security observers from his research into problems with electronic voting systems.

The paper by Miller, Honoroff and Mason also spelled out a number of weaknesses in the iPhone's security architecture, although it didn't specifically pin the vulnerability on any of those flaws. One, however, most likely contributed to the reach of the exploit.

"There are serious problems with the design and implementation of security on the iPhone," the paper said. "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."

Other deficiencies the trio cited in the iPhone's operating system included the lack of address space layout randomization (ASLR) -- a technique applied by Windows Vista that denies attackers the fixed addresses they need to write reliable attack code -- and a heap that is left executable, so injected code placed there can simply be run.
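The three weaknesses named above (processes running as root, no ASLR, an executable heap) are exactly the properties a practitioner audits on a host before trusting it. The script below is an added example, not code from the article or from ISE's paper; it checks those three properties on a Linux system by reading /proc (iPhone OS exposes no such interface, so it is a host-side check of the same mitigations, not an iPhone test). The /proc/self/maps and randomize_va_space contents embedded in it are constructed samples so the parsers can be exercised offline.

```python
"""Posture check for the mitigations the ISE paper said the iPhone lacked:
a non-root process, ASLR, and a non-executable heap. Linux-specific (/proc).
This is an added example, not ISE's or the article's code."""
import os
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "rwxp": read, write, execute, private
    path: str    # "[heap]", "[stack]", a file, or "" for anonymous


# /proc/<pid>/maps line: address-range perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4)))
    return maps


def wx_regions(maps: List[Mapping]) -> List[Mapping]:
    """Regions that are both writable and executable: what an injected
    payload needs in order to run from data memory such as the heap."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]


def heap_is_executable(maps: List[Mapping]) -> bool:
    return any(m.path == "[heap]" and "x" in m.perms for m in maps)


def aslr_mode(sysctl_text: str) -> str:
    """Interpret /proc/sys/kernel/randomize_va_space:
    0 = off, 1 = stack/mmap/vdso randomized, 2 = heap (brk) randomized too."""
    value = sysctl_text.strip()
    return {"0": "off", "1": "partial", "2": "full"}.get(value, "unknown:" + value)


def audit(maps_text: str, sysctl_text: str, euid: int) -> dict:
    """Combine the three checks into one report."""
    maps = parse_maps(maps_text)
    return {
        "runs_as_root": euid == 0,
        "aslr": aslr_mode(sysctl_text),
        "heap_executable": heap_is_executable(maps),
        "wx_regions": [(hex(m.start), m.perms, m.path) for m in wx_regions(maps)],
    }


def findings(report: dict) -> List[str]:
    """Turn a report into the list of weaknesses the paper warned about."""
    out = []
    if report["runs_as_root"]:
        out.append("runs as root: any bug in this process is a full compromise")
    if report["aslr"] == "off":
        out.append("ASLR disabled: addresses are stable across runs")
    if report["heap_executable"]:
        out.append("heap is executable: injected code can run in place")
    return out


def audit_self() -> dict:
    """Live check of the current process (Linux only)."""
    return audit(Path("/proc/self/maps").read_text(),
                 Path("/proc/sys/kernel/randomize_va_space").read_text(),
                 os.geteuid())


def addresses_differ_across_runs() -> bool:
    """Portable ASLR probe: start two child interpreters and compare the
    address of a fresh ctypes buffer; with ASLR on they normally differ."""
    probe = "import ctypes; print(ctypes.addressof(ctypes.c_int()))"
    outs = [subprocess.check_output([sys.executable, "-c", probe]).strip()
            for _ in range(2)]
    return outs[0] != outs[1]


# Constructed sample data (not captured from a real device).
SAMPLE_MAPS_WEAK = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/victim
00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/victim
01e00000-01e21000 rwxp 00000000 00:00 0 [heap]
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_MAPS_HARDENED = SAMPLE_MAPS_WEAK.replace("rwxp", "rw-p")

if __name__ == "__main__":
    for name, text, sysctl, euid in (("weak", SAMPLE_MAPS_WEAK, "0\n", 0),
                                     ("hardened", SAMPLE_MAPS_HARDENED, "2\n", 1000)):
        print(name, findings(audit(text, sysctl, euid)))
    if os.path.exists("/proc/self/maps"):
        print("this host", findings(audit_self()))
```

Run on a Linux host, the live section reports the same three properties for the interpreter itself; the sysctl value says what the kernel is configured to do, while the child-process probe confirms the effect end to end.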

Those last two shortcomings have been criticized in the desktop version of Mac OS X for some time. Three months ago, during the fallout after a hacking contest that jacked a MacBook Pro notebook, HD Moore -- the vulnerability researcher noted for the Metasploit hacking and attack testing software -- took on the claim that Mac OS X is safer than Windows. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore then. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult."

The ISE researchers have also posted a short video of their hack in action on YouTube.

Gregg Keizer
