NEWS FROM THE LAB - Wednesday, August 4, 2010

How many ways can you remotely exploit an iPhone? Posted by Sean @ 14:26 GMT

At this point, you've probably read there are vulnerabilities in Apple's iOS that allow drive-by jailbreaks. And you also know that those vulnerabilities can be used for other drive-by exploits such as malicious attacks.

Many reports have mentioned that attackers could exploit iPhone owners by tricking them into visiting a specially crafted webpage. We have been asked: Just how do you trick somebody into opening such a webpage from a phone? What are the methods that could be used? So we did some lab tests using the jailbreak PDFs.

Are e-mail worms possible?

We tested an exploit PDF as an e-mail attachment.

Test #1:
iPhone email with pdf attachment

The iOS e-mail client readily recognized and launched the PDF attachment with no trouble, smooth as silk.

One mitigation that limits an e-mail worm is that the PDF exploit targets a specific combination of hardware and firmware. Spear phishing is a possibility if an attacker knows, or guesses, the versions being used by the potential targets.

How about an SMS worm?

Test #2:
iphone sms with hyperlink

This is probably the easiest method to attempt as the iPhone's software automatically formats hyperlinks sent via SMS.

But then, if this attack were to happen, the lifespan is limited by time before the exploit server is abused and taken offline. (And the security community responds very quickly to such malicious hosts.)

And then what about MMS worms?

Test #3:
iphone mms with pdf attachment

Do you see the question mark in the image above? Fortunately, the iPhone's substandard support for MMS messages prevents the PDF from launching. We'll call this security through incompatibility…

Hopefully Apple will patch the vulnerabilities before anyone attempts to use them maliciously. But we'll have to wait and see just how long that will take.

From Apple's support site:

"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."