Nov 12, 2007

Hackers Could Hijack Your iPhone

iPhone users will have to be just as vigilant in following "safe surfing" practices as PC users if they want to avoid having their systems taken over by hackers. A newly identified vulnerability in the Safari browser is among the first serious holes that could be exploited -- but given the device's popularity, more are almost sure to follow.

A hole in the iPhone's security apparatus could allow a hacker to take complete control of the device, warn researchers at Independent Security Evaluators, who identified the flaw.

The exploit is delivered via a malicious Web page opened in the Safari browser on the iPhone, according to ISE. There are at least three vectors from which a device could be infected:

An attacker-controlled wireless access point: The iPhone learns access points by name (SSID, or service set identifier). Therefore, if a user ever gets near an attacker-controlled access point with the same name and encryption type as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any Web page browsed by the user by replacing the requested page with a page containing the exploit.

A misconfigured forum Web site: If a Web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread.

A link delivered via e-mail or SMS (short message service): If an attacker can trick a user into opening a Web site that the attacker controls, the attacker can easily embed the exploit into the main page of the Web site.
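
The first vector above works because a network is matched by name and encryption type alone. The following Python is an added example, not code from ISE or from the article: it contrasts that match with a defensive check against access point addresses (BSSIDs) recorded on earlier joins. The trust store, the scan records and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # MAC address of the access point radio
    encryption: str   # "open", "wep", "wpa2-psk", ...

# Constructed trust store: (SSID, encryption) -> BSSIDs recorded on earlier joins.
# Recording BSSIDs is an assumption of this example, not behaviour the article describes.
TRUSTED = {
    ("CoffeeShop", "open"): {"02:00:00:00:00:01"},
    ("HomeNet", "wpa2-psk"): {"02:00:00:00:00:02"},
}
TRUSTED_NAMES = {ssid for ssid, _ in TRUSTED}

def name_only_match(b: Beacon) -> bool:
    """Auto-join test as the article describes it: same name and encryption type."""
    return (b.ssid, b.encryption) in TRUSTED

def classify(b: Beacon) -> str:
    """Stricter verdict that also compares the BSSID with the recorded ones."""
    known = TRUSTED.get((b.ssid, b.encryption))
    if known is not None:
        return "trusted" if b.bssid.lower() in known else "possible-twin"
    if b.ssid in TRUSTED_NAMES:
        return "encryption-mismatch"   # trusted name, different security settings
    return "unknown"

def audit(scan):
    """Return (ssid, bssid, verdict) for beacons that imitate a trusted network."""
    return [(b.ssid, b.bssid, v) for b in scan
            if (v := classify(b)) in ("possible-twin", "encryption-mismatch")]

# Constructed scan results for the demonstration.
SCAN = [
    Beacon("CoffeeShop", "02:00:00:00:00:01", "open"),      # the recorded AP
    Beacon("CoffeeShop", "02:00:00:00:00:99", "open"),      # same name, new radio
    Beacon("HomeNet", "02:00:00:00:00:98", "open"),         # same name, no encryption
    Beacon("Library", "02:00:00:00:00:50", "wpa2-psk"),     # never joined
]

if __name__ == "__main__":
    for b in SCAN:
        print(b.ssid, b.bssid, "name-only:", name_only_match(b), "verdict:", classify(b))
```

A BSSID is not authenticated and large networks legitimately use many of them, so the verdict is a detection signal to review rather than proof of a rogue access point.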


Admin Privileges
Once the browser opens the malicious Web page, arbitrary code embedded in the exploit is run with administrative privileges. In ISE's proof of concept, this code reads the log of SMS messages, the address book, the call history and the voice mail data, and then transmits the information to the attacker.

However, code could be embedded to interfere with anything that the iPhone can do, notes ISE. "It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services or record audio that could be relayed to the attacker," the firm says.

"As is described in the preliminary research paper, the attack isn't necessarily a serious vulnerability," Shane Coursen, senior technical consultant at Kaspersky Lab, told MacNewsWorld. "What is more serious is that all applications ... are being given administrator privileges." Coursen added the caveat that these statements are subject to ISE's research holding up under peer review.


No Surprise
The discovery is hardly causing shock waves in the security community. The iPhone has an unusually high profile, and there is a temptingly large number of people who already own the device. Also, smartphones are increasingly vulnerable to hacks, given their sophisticated computing processes.

The Safari browser is the obvious chink in the iPhone's armor, David Finger, product marketing manager for TrendMicro, told MacNewsWorld. "By making Safari available on the Windows platform, Apple (Nasdaq: AAPL) has made it much more likely for hackers to target the OS," he said, referring to Windows' huge share of the market compared to the Mac's.

Apple will probably be able to close the hole, Finger added, "but the fact that they found it shows the iPhone is not invulnerable -- and, perceptually, that is important."

While the iPhone's popularity leaves its users particularly vulnerable to unwelcome attention from the world's malware community, the larger threat applies to every smartphone owner. "Yes, Apple is a huge brand and the race is, no doubt, now on to exploit the vulnerability," Mark Sunner, chief security analyst at MessageLabs, told MacNewsWorld. "But the bigger problem is not the iPhone in particular, but the fact that small handheld devices are becoming mini-computers in functionality. As with laptops, as the devices become more sophisticated, the potential for exploited vulnerabilities increases in tandem."

WiFi poses a huge potential threat for smartphones, Kaspersky's Coursen pointed out. "Once we start to see more cafe-style WiFi hotspots and more WiFi-enabled smartphones, rogue hotspots are going to be a big headache," he predicted.


Modifying Behavior
What this all means is that users of any smartphone device will have to be trained to be just as careful on the phone as they are online, said Ron O'Brien, security analyst for Sophos.

"Ultimately, it is the behavior of the user that leads to the vulnerability being exploited," he told MacNewsWorld. "Browsing to an infected site or logging onto a fictitious WiFi site requires user interaction. Such exposure is typical of a laptop or any portable device that allows access to the Internet."

Smartphones hold more than enough personal data that is of interest to hackers. As for the iPhone specifically, it has now been proven that it can act as a physical vector.

"Having control over a device that allows the sending of spam is quite powerful," Coursen remarked. Though common sense precautions could alleviate many of the risks, he has his doubts that any will be quickly adopted en masse.

"The ISE gives several best-practice suggestions, all of which will work perfectly to avoid the exploits they have described in their paper," Coursen said. "Unfortunately, the suggestions mirror those given to PC users for many years -- yet we still see PC users falling victim now and again."
