The Apple iPhone was released in the USA on 29 June 2007. Running a stripped-down version of OS X makes it very powerful, but might also open the door to malware exploits.

There’s no SDK (Software Development Kit) to create native applications on the iPhone device itself; instead, Apple seems to want Safari-based applications. Developers need to create applications for the iPhone via Web 2.0-based technologies such as Ajax that run in the Safari browser. Web 2.0 applications can access the iPhone to make phone calls and send e-mails. This might also be exploited or abused by malware.

On the other hand, the inability to change native operating system files would make malware creation less tempting. It also means that AV vendors don’t have easy access to direct low-level OS hooks to quickly create and change programs such as on-access scanners.

Apple decided to launch exclusively with AT&T, and at the moment it is not possible to use any other arbitrary SIM card with the iPhone. Not many people want to be bound to that contract, so there are many projects going on to get around it. The result is that many people are using hacks to activate it. So the iPhone will not be able to make use of your own SIM card and may just be a very expensive iPod! But if people succeed in cracking it, then even more people will think about using that crack. Needless to say, this is also a huge security risk. So the exclusive-rights deal might have a negative impact on security.

While Apple can control content that’s posted on its own iTunes website, it can’t do much about, say, podcasts with weblinks to adware/malware websites that are posted to arbitrary websites such as YouTube. Since the Apple iPhone will support YouTube videos, the chance that podcasts/videos with clickable questionable or malicious weblinks may appear is certainly not zero. The Apple iPhone can access YouTube’s content by using the WiFi or EDGE (using AT&T) connections.

Merely a week after its official release on 29 June, the first bugs were discovered on 3 July 2007. By abusing a Safari web-browser exploit, it might be possible to retrieve someone else’s voicemail, due to the “easiness” with which one can spoof the caller ID of the provider AT&T/Cingular. At the time of this writing, it did not even ask for a password. The iPhone’s root password can also be cracked, the continual bane of passwords overall.

On 23 July 2007 an exploit was discovered which could lead to attackers taking over an iPhone if a malicious website is visited. The malicious website would publish some exploit code to the iPhone, which would result in the attackers being in full control of all of the iPhone’s functionality: transmitting files, making phone calls, etc. Read the full stories below:

http://www.exploitingiphone.com/
http://www.securityevaluators.com/iphone/

It is to be hoped that such exploits remain proof of concept, allowing the hardware/software vendors to come up with fixes, and that such exploits are not put online/available to the public.