This is a presentation of the paper written by Charlie Miller, Jake Honoroff and Joshua Mason at Independent Security Evaluators (ISE). The paper is about finding vulnerabilities in the Apple iPhone and gives a few suggestions on how to fix them.
1. Summary of Apple's iPhone
- Released by Apple Inc. on June 29, 2007
- Runs a customised version of Mac OS X
- Runs on an ARM 1176JZF-S processor
- Has features like multi-touch, an accelerometer, etc.
- Supports quad-band GSM and the AT&T EDGE network.
- The Apple people say "People like our phone".
2. iPhone as a Closed Phone
- The iPhone only works on AT&T networks, which means no Warid and Jazz (I think).
- You cannot install third-party applications.
- You cannot access the file system; you can only access a small portion in a "sandbox". That is mainly for adding and removing songs, etc.
- That sandboxed area can only be accessed by iTunes, provided by Apple Inc.
3. Weaknesses in the iPhone
- Apple has mainly tried to avoid attacks (by making it closed).
- It never tried to handle them.
- The only user is root (the power user).
- Attacks (discussed later) are avoided by restricting the user to a portion of the file system.
- No address randomization and no non-executable heap.
4.1 Jailbreaking
- The process of gaining root access to the file system to install third-party tools.
- The access to the file system is read/write (RW).
- Mainly, the owner of the phone performs this attack.
- Jailbreaking leads to unlocking.
- Jailbreaking tools are available for download (if you have an iPhone).
- Unlocking means using the service of any provider other than AT&T.
- The following tools are available:
  AnySIM (free of cost)
  SimFree (paid)
- anySIM uses a patch to bypass the AT&T check.
- TurboSIM hasn't yet revealed its secret.
- SimFree tells the iPhone that the current SIM is from AT&T.
4.3 Buffer Overflow
- We can find a vulnerability and use a buffer overflow attack; out of kindness, I give an example.
- Suppose we have a password function:
void func(char *passedStr)
- In the above function there is no check on the password length.
- Let's suppose the password should be four characters (abcd).
- If an attacker provides the password "abcd\x12\x23\x56\x78",
- the value would be \x87654321 (little endian).
- The overwritten value \x87654321 will execute the function system(), passing the desired values.
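As an added illustration of the missing length check on that function (example C code written for these notes, not from the ISE paper; the password "abcd" and the buffer size are constructed), here is the vulnerable pattern beside a bounded version that rejects the 8-byte input instead of overflowing:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not from the ISE paper or these notes): the password
   check from the slide, first without a length check and then with one.
   The 4-character password "abcd" and the buffer size are constructed. */
#define PASS_LEN 4
static const char expected_password[PASS_LEN + 1] = "abcd";

/* Length of s, scanning at most max bytes, so an over-long input is
   never read further once we already know it does not fit. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable form, as on the slide: copies the caller's string into a
   fixed 5-byte stack buffer with no bound. The 8-byte input
   "abcd\x12\x23\x56\x78" writes past buf and corrupts whatever lies
   above it on the stack. Kept only for contrast; it is never called. */
bool check_password_unbounded(const char *passedStr) {
    char buf[PASS_LEN + 1];
    strcpy(buf, passedStr);                 /* no check on password length */
    return strcmp(buf, expected_password) == 0;
}

/* Hardened form: refuse any input longer than the buffer before copying,
   and copy only the bytes that were measured, so buf cannot be overrun. */
bool check_password_bounded(const char *passedStr) {
    char buf[PASS_LEN + 1];
    size_t n = bounded_len(passedStr, sizeof buf);
    if (n > PASS_LEN)
        return false;                       /* too long: reject, do not overflow */
    memcpy(buf, passedStr, n);
    buf[n] = '\0';
    return strcmp(buf, expected_password) == 0;
}

/* True when the input would fit in the fixed buffer, i.e. exactly the
   check the vulnerable function is missing. */
bool input_fits(const char *passedStr) {
    return bounded_len(passedStr, PASS_LEN + 1) <= PASS_LEN;
}
```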
4.4 Other Attacks
- The other attacks are return-to-libc and reverse engineering. (Need to study them.)
- By visiting a malicious website, due to the fact that Mobile Safari (the iPhone browser) is not a full-fledged browser.
- By crashing the iPhone and studying the log.