Sunday, July 22, 2007

ISE researchers find serious security vulnerabilities in iPhone

The day after the iPhone was released, I purchased mine and blogged about it here. Although I still love my iPhone for its beautiful interface, well-thought-out features, and incredible screen, I'm now disappointed that it was not built more securely.

Researchers at my consulting company, Independent Security Evaluators (ISE), have found serious security vulnerabilities in the iPhone. They were able to take complete control of the iPhone device and run arbitrary shell code (see the NYT article). To demonstrate this, they built an exploit that downloads personal information such as SMS text transcripts, address book entries, and email from the iPhone whenever a user visits a particular web site or connects to a particular WiFi network. However, the vulnerability can be exploited in many other ways. For example, an exploit could be written that would cause the iPhone to make an unnoticeable phone call to an attacker, who would then be able to monitor the victim's conversations. In other words, the iPhone could be turned into a bugging device.

We contacted Apple on July 17 and sent them all of the details of the vulnerability. We also promised not to release any specific technical details of the vulnerability that would allow someone else to exploit it until our Black Hat presentation on August 2. This gave them plenty of time to produce a fix, and we showed Apple how to patch the vulnerability.

However, we are disclosing the fact that the iPhone is vulnerable. Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers. People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high-tech devices. In addition, vendors are much more likely to produce devices that are more secure if they know that independent security experts such as my team at ISE are likely to try to break them and to expose any vulnerabilities we find. Just look at the history of Microsoft's software security problems. They started paying attention when they were repeatedly embarrassed by the exposure of vulnerabilities. Now they put more effort into writing secure code than almost anyone.