Oct 17, 2007

Hackers Release Their Own iPhone SDK

Apple CEO Steve Jobs announced Wednesday that his company will release a software-development kit for the iPhone in February, to allow programmers to produce third-party applications for the device. But hackers have already come up with their own software-development kit. It allows them to deliver any code they want to the iPhone, including viruses, Trojan horses and the ability to snoop on audio and video.

Developer H.D. Moore has added support for iPhone attacks to the Metasploit Framework. Metasploit is an open source hacking tool used by computer-security administrators and black hats alike to create security applications and exploits.

Moore posted sample exploits and detailed instructions this week on how to write and deliver code that can take complete control of an iPhone.

The move takes hackers one step closer to being able to remotely and surreptitiously take control of an iPhone and turn it into a surveillance device.

But it also makes it easier for white hats to develop and install custom software for their own iPhones.

Moore's tool and exploits take advantage of a vulnerability in the TIFF image-rendering library that's used by the iPhone's browser, mail and music software.

It's the same vulnerability that has allowed numerous Apple customers to unlock and customize their iPhones. But Moore's Metasploit Framework does much more, giving hackers remote shell access to iPhones that will allow them to run any code on the device.

"All you have to do is get somebody to open a TIFF image with an exploit in it ,and you've owned the phone," says Rik Farrow, a security consultant and corporate speaker who delivered a security talk to Apple employees last year.

Attackers could conceivably write code to hijack the contacts in an iPhone address book, access the list of received and sent calls and messages, turn the phone into a listening device, track the user's location, or instruct the phone to snap photos of the user's surroundings -- including any companions who may be in view of the camera lens.

Moore wrote on his blog that the iPhone is more vulnerable than other phones, because every application on the phone runs as "root." That means a bug in the calculator application, for example, could lead to full access privileges on the device.

Simply patching the TIFF vulnerability in the iPhone won't solve Apple's problem. The Metasploit Framework allows hackers to easily mix and match exploits and payloads. That means hackers can develop code for the iPhone independent of any particular security hole, then deliver it by means of whatever vulnerability in the phone is known and still unpatched at the time.

Jobs said in his announcement that the company is moving slowly on releasing the official SDK because it wants to provide broad access to developers, while also protecting users from hackers and others who might have ill designs on cracking the phones. That suggests the company recognizes it made a blunder by allowing full system privileges for every application.

"Apple is savvy enough to realize that this is really terrible," says Farrow. "And it's going to take them until February to actually be able to release the SDK, because they're going to have to do basic things to the cellphone operating system itself to make it secure. So we're not just talking about a software-development kit, we're talking about fixing something that has major flaws in the security of it as it exists."

But Moore and Farrow say to fix the problem, the company will need to do more, such as create precise rules in the system to limit what a malicious application can do on the phone.

"From what I've seen of the design of the phone, it doesn't look like an easy task," Moore says.

So why didn't Apple do this before releasing the phone?

"Apple wants to sell really fancy, glitzy appliances that have great consumer appeal," Farrow says. "And security has never been one of those things that has great consumer appeal. So Apple is totally correct to ship out an insecure product, because people snap them up. But at the same time I'm sure that there were engineers at Apple saying, 'This is totally insane. We are going to get so hammered for this.'"

"There are some very clue-ful people there. But my impression is that they have to work very hard to make security a priority."

Apple did not respond to a request for comment Wednesday.