How the iPhone was hacked

Rixstep has a nice write-up of a presentation given at this week's Black Hat security conference detailing an iPhone vulnerability that was announced on July 23rd and patched by Apple on July 31st.

Some salient points about the iPhone's security pitfalls:

• As previously noted, the iPhone runs most (all?) of its applications/processes as root (superuser, UID 0).
• Safari has the capability launch over a dozen applications, making it a potential attack vector.
• The crash reports are perhaps overly detailed, revealing significant chunks of code.
• Crucial parts of memory are both writable and executable
• Code addresses are, in some cases, not randomized at startup
• Perhaps most importantly: Apple "branches" open source code (customizes it heavily) meaning that patches are, generally, slower to evolve. Rixstep writes "[...] not only does Apple leave their users wide open but also because the code is originally open source the astute hacker can simply consult the 'change logs' for the real open source variants and see where bugs have been discovered and fixed. [...] Samba had an exploitable root vulnerability - long since fixed in the open source community - that's been open on OS X since February 2005 - two months before the release of OS X Tiger, two and one half years ago." The version of WebKit that the iPhone uses contains other open source code (specifically the Perl Regular Expression Library) that is outdated. Hence, a hacker can simply look at the flaws that have been patched in the newest release of the Perl Regular Expression Library, and exploit away.

Feedback? info@iphoneatlas.com.