A team of consultants at Baltimore-based Independent Security Evaluators today released general details about a buffer overflow vulnerability that could permit malware writers to inject malicious code to steal personal information from a user’s phone, one of the researchers, Jake Honoroff, told SCMagazine.com. The attack also could be tweaked to drop other malware, for example, a keylogger.
Attackers would attempt to get victims to visit a specially crafted malicious website either through an email link or by controlling a wireless access point, Honoroff, who worked with researchers for 10 days to discover the flaw, said.
Once the exploit has run with administrative privileges, the attackers can pilfer personal information, which is then sent to a server they operate. The stolen iPhone data can include stored contacts, text messages or passwords, Honoroff said.
"You could make it (the malicious webpage) look totally real, but after a few seconds, their browser would close and all of their information could be stolen," he said.
The Independent Security Evaluators notified Apple about the flaw, and the consulting company is hopeful it will be patched soon. The research team, which included Charlie Miller and Joshua Mason, did not release specific instructions of how to take advantage of the flaw in their disclosure write-up today, and there are no reports of public exploits.
Apple officials would not disclose whether a patch is coming but said the company is investigating the claims.
"We always welcome feedback on how to improve our security," company spokeswoman Lynn Fox told SCMagazine.com.
The bug is caused by a buffer overflow, a common programming error in which an application writes more data into a fixed-size memory buffer than it can hold, overwriting adjacent memory.
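As an added illustration of the bug class (not the researchers' code; the specifics of the iPhone flaw were not disclosed), a constructed C example shows an unchecked copy into a fixed-size buffer beside a bounds-checked version that refuses oversized input. The field size and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size field standing in for the kind of parser buffer the article
 * describes. The size is a constructed example, not taken from the real bug. */
#define FIELD_LEN 16

/* Vulnerable pattern: the length of the externally supplied input is never
 * compared with the destination, so anything longer than FIELD_LEN-1 bytes
 * is written past the end of 'out', overwriting whatever follows it. */
void copy_field_unsafe(const char *input, char *out /* FIELD_LEN bytes */)
{
    strcpy(out, input);          /* copies until NUL, ignoring capacity */
}

/* Hardened form: measure first (never scanning beyond out_len), reject input
 * that would not fit together with its terminating NUL, and copy with an
 * explicit bound. Returns false and leaves 'out' untouched on rejection. */
bool copy_field_safe(const char *input, char *out, size_t out_len)
{
    if (input == NULL || out == NULL || out_len == 0)
        return false;
    size_t n = 0;
    while (n < out_len && input[n] != '\0')
        n++;
    if (n >= out_len)            /* no room for the terminating NUL */
        return false;
    memcpy(out, input, n);
    out[n] = '\0';
    return true;
}

int main(void)
{
    char buf[FIELD_LEN];
    /* Constructed inputs: one that fits, one that does not (32 bytes). */
    const char *short_input = "contacts";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("safe/short accepted: %d\n", copy_field_safe(short_input, buf, sizeof buf));
    printf("safe/long  accepted: %d\n", copy_field_safe(long_input, buf, sizeof buf));
    /* copy_field_unsafe(long_input, buf) is deliberately not called: it would
     * write 17 bytes past the end of buf, which is exactly the defect class. */
    return 0;
}
```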
To avoid falling victim, users should only visit websites they know and rely on wireless connection points they trust.
If a patch is released, users would download it through the phone's iTunes feature.
Honoroff said the proof-of-concept code shows the iPhone is vulnerable, like any other web-enabled machine. Other researchers have attempted to "unlock" the device over a USB connection, but this marks the first successful break-in over a remote connection, he said.
"The iPhone is a powerful computer and powerful computers are vulnerable to security issues," he said.
Gartner, in a 10 July report, warned enterprises to expect three or four "critical" patches to be released this year for first-generation versions of the iPhone.
"Apple's iPhone was designed and developed first and foremost to appeal to the consumer market," the report said. "Apple didn't include a portfolio of security features and supporting products that are expected by enterprise buyers."
According to the Independent Security Evaluators, although the iPhone restricts third-party applications, it is comparatively easy to exploit because it runs critical processes with administrative privileges and does not use address randomisation or non-executable heaps.
First iPhone remote exploit revealed
By Dan Kaplan on Jul 24, 2007 9:44AM