By Gregg Keizer
October 16, 2007
Noted hacker HD Moore has publicly posted exploits that take advantage
of a vulnerability in Apple's iPhone, the same flaw that's been used by
others to unlock the smart phone so it will work on non-AT&T networks.
The vulnerability, which is in the TIFF image-rendering library shared
by the iPhone's Safari browser and its e-mail program, as well as by the
iTunes software, leaves the iPhone wide open to attack, said Moore, who
posted a second, and more robust, exploit today after debuting attack
"This exploit is rock solid," Moore said in an interview. "It's very
reliable, as reliable as the WMF [Windows Metafile] exploits in Windows.
You can send it in an e-mail, you can embed it in a Web page."
Although the vulnerability is the same as the one leveraged by hackers
such as the iPhone Dev Team to return unlock capabilities to iPhones
updated to Firmware 1.1.1 last month, Moore said that's the only
similarity between his work and the activities of unlockers. "I wanted
an exploit that would write any arbitrary payload" to the iPhone, rather
than the specialized changes made for an unlocking hack, Moore said.
He claimed success. "The second exploit works on 1.0, 1.0.1, 1.0.2 and
1.1.1 iPhones," he said, referring to the four versions of the phone's
firmware released since the device's June debut.
Although he expects Apple to plug the TIFF vulnerability in the next
iPhone update -- a move that many interested in unlocking the iPhone
have also predicted and bemoaned -- Moore also said it wouldn't matter.
Citing the history of the vulnerability, which was also present in the
Sony PlayStation Portable (PSP), he said attackers will be able to
exploit the flaw in the future, even if Apple fixes it.
"All they'll need to do is back port the firmware to an earlier version
that's vulnerable," said Moore. "Apple has to leave a way to restore an
iPhone back [to previous versions of the firmware]."
The same technique was used to hack the Sony PSP after Sony issued an
update that patched the TIFF vulnerability on that video game player.
In notes posted to customers of its DeepSight threat management network,
Symantec Corp. warned iPhone users of Moore's exploits and recommended
they use caution when browsing the Web, handling unsolicited e-mail and
dealing with suspicious or unexpected music files.
But Ollie Whitehouse, a software architect with Symantec's security
response team, downplayed the iPhone's apparent insecurity. "The iPhone
isn't any different from other mobile platforms," he argued. "It's only
the interest from the security research community that makes it seem
Moore disagreed. "I think the iPhone is pretty terrible," he said,
referring to its level of security. "It's an easy platform to exploit."
That's true in part, he explained, because exploiting any iPhone
application gives root access to the entire phone. But other security
weaknesses abound, including ones in the Safari browser and in the
underlying operating system -- a scaled-back version of Mac OS X -- that
runs the device, he added.
Moore has added the exploits to Metasploit, the popular penetration
framework, a move that in the past has meant in-the-wild attacks are not
far behind. He predicted that malicious code exploiting the TIFF
vulnerability would be on the loose "pretty soon."
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com