
Cleverboy

macrumors 65816
Original poster
They tried to warn you. They said, "we're trying to make the iPhone secure", and people scoffed, laughed and jeered, and said "Apple is just trying to take away our apps! Don't upgrade, oh, check out this new exploit, let's distribute the code for using it!"

As Apple worked to close more holes, people questioned why Apple still didn't feel the platform was ready for primetime 3rd party development, and why it may have released its 1.1.1 before giving it more tests... now, behold the form of the destroyer (okay, maybe a tad melodramatic, but...).

READ THIS ARTICLE:
http://blog.wired.com/27bstroke6/2007/10/metasploit-crea.html

WIRED writes:
HD Moore, one of the developers of the Metasploit pen-testing (and hacking) tool, has posted exploits and detailed instructions on how to attack an iPhone. The information takes hackers -- and the FBI and NSA -- one step closer to being able to remotely and surreptitiously take control of an iPhone and turn it into a surveillance device.

The exploits take advantage of a vulnerability in the TIFF image-rendering library that's used by the phone's browser, mail and iTunes software. It's the same vulnerability that allows Apple customers to unlock and customize their iPhones. But Moore's exploits will allow hackers to do much more.

Last month he added capability to the Metasploit tool that would give a hacker remote shell access to an iPhone in order to deliver any arbitrary malicious code to it. All attackers needed to do was write malicious payload code.

This week Moore posted some payload exploits and provided detailed instructions for writing more of them. Attackers could conceivably write code to hi-jack the contacts in an iPhone address book, access the list of received and sent calls and messages, turn the phone into a listening device, track the user's location or instruct the phone to snap photos of the user's surroundings -- including any companions who may be in sight of the camera lens.
No... we don't need "certificate signing" at all. Malware and malicious scripts will only be comprised of daisies and fuzzy bunnies when it comes to the iPhone.

Let's make sure we keep reporting problems to Apple, and upgrading our iPhones, and wait for February for secure 3rd party app support (or be responsible about what you're opening yourself up to, ok?) I really don't want to hear about the gnashing of teeth when your phone begins making calls by itself in your pocket, after a script successfully breaks in and starts dancing the jig on your mobile minutes, text messages, email and sending out your personal info.

We need a secure platform, and considering 3rd party apps like Apollo and MobileChat store your Google, MSN, and AOL passwords in clearly readable (and transmittable) unencrypted text... apparently very few people are concerned enough to make it a priority.

So... um, what DefCon are we at now?
MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.
"All they'll need to do is back port the firmware to an earlier version that's vulnerable," said Moore. "Apple has to leave a way to restore an iPhone back [to previous versions of the firmware]."

The same technique was used to hack the Sony PSP after Sony issued an update that patched the TIFF vulnerability on that video game player.

~ CB
 
Ironically, one of the first things high-powered WM phone users do, is look on the web and find out how to unlock their phone to all applications, signed or not.

That way, they can use free programs written by developers who can't afford to buy the certificates.

The boogeyman is much smaller than Apple's greed would have you believe.

The difference and beauty of a handheld is that they're not as vulnerable as desktops for a good reason: even if it gets messed up, you can easily wipe and restore.
 
Ironically, one of the first things high-powered WM phone users do, is look on the web and find out how to unlock their phone to all applications, signed or not. That way, they can use free programs written by developers who can't afford to buy the certificates.
Crossing fingers that these same developers seem well-vetted by others who would dare to walk this road. For a consumer phone like the iPhone, this is a dangerous road indeed. Sites like Gizmodo or TUAW, regularly encourage folks that probably less than fit the definition of a "high-powered" user, to expose themselves to an open community not focused on making security any kind of priority.

The boogeyman is much smaller than Apple's greed would have you believe.
Interesting. The article doesn't seem to be about anything Apple is releasing to help people hack into iPhones... when you say Apple's greed, I get the impression that you're engaged in some significant speculation about how they'll implement the certificates.

~ CB
 
Sorry, written before coffee. Make that "Apple's control freakhood". :p
Agreed. Cheers. :D

The thing that gets me, is that all this time after Digg made it big breaking the deal with Paris Hilton's phone being hacked into and people publishing all of her contacts, here we are in an interesting NEW position. A friend and I had mused over the idea of putting up a webpage showing all the celebrities/personalities who have iPhones. Given this kind of news... and considering the popularity of sites like Gawker, that help to make everyone into a celebrity stalker... suddenly, you just need to find all the notables with highly exploitable devices, with non-updated software (or other exploits not yet plugged), and it's a PR disaster in the making. --At least something that might make people take it more seriously.

I mean, have identity theft stories begun to meet with the desensitization of the masses? A kid at a McDonald's drive-thru window showed me his iPhone, when he saw mine. He got super-excited when I showed him all the apps I'd installed at the time (and since have removed), and lent me his iPhone so I could type in the web address to his notebook. I was greeted with a horror show of personal information sitting in there (bank accounts, passwords, etc). People really don't know.

~ CB
 
The thing that gets me, is that all this time after Digg made it big breaking the deal with Paris Hilton's phone being hacked into and people publishing all of her contacts, here we are in an interesting NEW position.
And the neat thing about the Paris story was that it had nothing to do with her device. T-Mobile's back-end systems were manipulated.

In January, the teen hacked into the telephone records system of T-Mobile International. He used a security flaw in the company's Web site that allowed him to reset the password of anyone using a Sidekick, a pricey phone-organizer-camera device that stores videos, photos and other data on T-Mobile's central computer servers. A month later, the teen would use that flaw to gain access to Hilton's Sidekick files, according to corroborating information and screen shots he shared with washingtonpost.com.
http://www.washingtonpost.com/wp-dyn/content/article/2005/09/13/AR2005091301423.html

It's a totally different ballgame to hack into a big system and go snooping through records for a celebrity than it is to specifically hack a celebrity's personal device, no? :confused:

I mean, have identity theft stories begun to meet with the desensitization of the masses? A kid at a McDonald's drive-thru window showed me his iPhone, when he saw mine.
A kid, as in he was under 18 years old?
 
It's a totally different ballgame to hack into a big system and go snooping through records for a celebrity than it is to specifically hack a celebrity's personal device, no? :confused:
True. Single point of failure and one security fix as resolution with thousands if not millions of records at stake versus multiple isolated security flaws with no centralized, forced security updates, and a series of single devices at stake. I'm not sure if anything gets better or worse for the distinction if you're the one who gets hit.
A kid, as in he was under 18 years old?
Yeah. All I remember seeing were the words "account number", and a bunch of scattered info before I hit "plus" for a new note. So, I'm generalizing. I know I had my first bank account at 16. He looked around that age.

~ CB
 
so the question is, are those who hack the iPhone part of the problem or part of the solution?

Or is the water muddy and the answer lies somewhere in between?
 
so the question is, are those who hack the iPhone part of the problem or part of the solution?

Or is the water muddy and the answer lies somewhere in between?

Hack the phone and give the data to Apple and you're part of the solution. Hack the phone and post it all over the internet and you ARE the problem.
 
Channel Web Network
http://www.crn.com/security/202404419
"iPhone Vulnerability An Open Door For Hackers - Researcher"

Apple's failure to patch a buffer overflow vulnerability in the image rendering library used by the iPhone puts users at risk, says a noted security researcher.

Security researchers HD Moore, creator of the Metasploit vulnerability testing tool, and Kevin Finisterre, who specializes in Apple security issues, earlier this week published an exploit that takes advantage of a bug in the libtiff library, which is used by iPhone applications such as MobileMail, MobileSafari, and iTunes.

"The fact that the libtiff vulnerability is out there and not patched is a problem," said Finisterre in an interview with CMP Channel. "I know I probably won't be using MobileSafari or MobileMail until the patch comes out."

The exploit works on any iPhone, including those with the latest 1.1.1 firmware that Apple released last month. "I have a strong feeling you could also trigger it via YouTube and Maps programs as well," said Finisterre.

Finisterre says there's a popular misconception that iPhone vulnerabilities can only be attacked over a wireless connection. But earlier this week, Finisterre and fellow security researcher HD Moore successfully exploited the libtiff bug using the iPhone's EDGE connection.

"I started Safari on my iPhone, browsed to a Website, and a few seconds later, HD was able to get root on my phone, without a wireless connection. Being able to run your own machine code pretty much opens the gates," Finisterre said.
"Ultimately, it's probably the unsuspecting user that unintentionally opens the door to let the hacker inject unauthorized code into the phone," Bardwell said.

This is the second time the iPhone has been burned by outdated open source software libraries, according to Finisterre. In July, researchers found a glitch in the Perl Compatible Regular Expressions (PCRE) library that's used by the Javascript engine in Safari, which Dr. Charlie Miller, a researcher with Baltimore-based Independent Security Consultants, discussed in a presentation at the Black Hat hacker confab in July.

In an interview with CMP Channel at Black Hat, Miller said Apple regularly uses outdated versions of open source code in the OS X platform, much of which contains known security flaws.
Interesting read.

~ CB
 