Independent Security Evaluators (ISE), a security consulting firm that claims it was first to develop a tool that could extract keys from WiFi networks simply by eavesdropping on the network, has now purportedly discovered a serious iPhone flaw that could allow complete control of the device via a malicious Web page.
The flaw would allow an outside attacker to gain complete control of the iPhone by tricking the user into visiting a malicious page, which in turn can cause the device to send personal data over a WiFi connection to another computer. The flaw can apparently be used to access any data on the phone and to invoke functions such as dialing phone numbers. A video demonstration is available, showing the iPhone connected to a malicious network and having data forcibly extracted through a spoofed Web page, while a Mac OS X Terminal window receives the data.
A page dubbed "Exploiting the iPhone," established by the researchers, says that a member of the team, Dr. Charlie Miller, will present the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd. The page also says that there are three possible delivery vectors for the attack (apparently aside from simply tricking a user into following a malicious link):
- "An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
- "A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
- "A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website."
Methods of mitigation include the obvious: only visit sites you trust, only use WiFi networks you trust, and don't open Web links from emails.
With regard to WiFi networks, one potential problem is that Apple does not provide an option to prevent the iPhone from automatically joining networks it already "trusts." As noted above, by matching the name (and encryption type) of a network the iPhone already trusts, an attacker could "trick" the iPhone into joining without a confirmation prompt. Currently, the only way to turn off automatic joining of wireless networks is to turn off WiFi altogether from the Settings application.
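Because the matching described above uses only the network name and encryption type, a defender-side check can flag look-alike access points by also comparing the BSSID (the access point's hardware address) against what was recorded when the network was first trusted. The following is an added example, not code from ISE or from the original article; the `KnownNetwork`, `Beacon` and `evil_twin_alerts` names and the sample data are constructed for illustration.

```python
# Added example: flag access points that match a remembered network by SSID
# and encryption type but broadcast from a BSSID never seen for that network.
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownNetwork:
    ssid: str
    security: str       # e.g. "WPA2", "WEP", "open" (constructed labels)
    bssids: frozenset   # lowercase hardware addresses seen when first trusted


@dataclass(frozen=True)
class Beacon:
    ssid: str
    security: str
    bssid: str


def evil_twin_alerts(known, beacons):
    """Return (beacon, known_network) pairs where a beacon matches a trusted
    network on SSID and encryption type but comes from an unknown BSSID."""
    by_key = {(k.ssid, k.security): k for k in known}
    alerts = []
    for b in beacons:
        k = by_key.get((b.ssid, b.security))
        if k is not None and b.bssid.lower() not in k.bssids:
            alerts.append((b, k))
    return alerts


# Constructed sample data: two remembered networks and four observed beacons.
KNOWN = [
    KnownNetwork("HomeNet", "WPA2", frozenset({"00:11:22:33:44:55"})),
    KnownNetwork("CafeFree", "open", frozenset({"66:77:88:99:aa:bb"})),
]
SEEN = [
    Beacon("HomeNet", "WPA2", "00:11:22:33:44:55"),   # genuine, known BSSID
    Beacon("CafeFree", "open", "de:ad:be:ef:00:01"),  # same name/type, new hardware
    Beacon("HomeNet", "WEP", "de:ad:be:ef:00:02"),    # name matches, type does not
    Beacon("Other", "WPA2", "de:ad:be:ef:00:03"),     # not a remembered network
]

if __name__ == "__main__":
    for b, k in evil_twin_alerts(KNOWN, SEEN):
        print(f"possible look-alike of {k.ssid!r}: BSSID {b.bssid} not previously seen")
```

A BSSID can itself be copied, so this check raises the bar rather than settling the question; it is most useful as one signal feeding a prompt-before-join policy of the kind the iPhone lacked at the time.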
Interestingly, the researchers say that the vulnerability is also present in both the Mac and Windows versions of Safari.