
Theoretical attacks exploit iOS browser flaw

Here's how an attacker could get an iPhone user to visit a malicious Web page in order to exploit a new hole in the device's browser, researchers say.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
 

The new browser security flaw in iPhones, iPods, and iPads could be more dangerous than initially suspected.

The vulnerability comes from the way the jailbreak software, released on Sunday, uses the mobile Safari browser instead of requiring that the device be connected to a computer. Jailbreaking the phone allows it to run apps not approved by Apple. But this flaw could be used to launch an exploit if the user were to surf to a Web site hosting a malicious PDF, giving unrestricted access to the device.

"The same PDF exploit used to jailbreak the device could also be used to install something malicious," security expert Mike Kershaw told CNET on Thursday.

Apple said Wednesday it is working on a fix for the problem. But until then all iOS devices are at risk.

Now researchers are coming up with different ways to get an iOS device user to visit a Web page hosting the exploit, a step that is vital for an attack to succeed and not necessarily easy when the target is a stranger.

Kershaw, who wrote the open-source Kismet Wi-Fi sniffer, has envisioned several attack methods, which I will attempt to describe below. They are theoretical at this point--at least he hasn't heard of anyone attempting them--but that doesn't mean someone hasn't tried or won't.

"If I had an iPhone I would be very worried about using it out in public," he said. The attacks might sound far-fetched, but "I wouldn't want to trust my company's security" to the devices as they stand, Kershaw said. "One way to mitigate (these threats) is to turn off Wi-Fi," he added.

The attacks, which he wrote about on his Kismet Wireless blog, go something like this.

Scenario 1:
An attacker could spoof a wireless access point by pretending to be a legitimate one, and redirect the iOS device user to a Web page hosting the exploit.

Scenario 2:
An attacker could use a tool dubbed Metasploit Airpwn to hijack unencrypted Web traffic and pretend to be a Web server that an iOS device user is attempting to visit.

Scenario 3:
An attacker armed with so-called "IMSI-catcher" equipment, used to snoop on GSM (Global System for Mobile Communications) phone calls, could pretend to be a cell tower. Because the radio software in the device doesn't support data, the device is forced into voice-only mode and will switch to Wi-Fi automatically. The attacker could then send the user a text message, appearing to come from the carrier, that directs the user to a Web page hosting the malicious exploit, or even revert at this point to either method one or two.

Kershaw got the idea of using an IMSI catcher from security researcher Nick DePetrillo, who saw it demonstrated by fellow researcher Chris Paget using a homemade device in a demo at Defcon last week.

These attacks "are concrete examples of how this iPhone exploit isn't just a jailbreak," DePetrillo said in an interview on Thursday. "It's a serious issue, and people need to pay attention."