Original URL: http://www.theregister.co.uk/2007/08/03/iphone_pwnage/

Will the iPhone be iPwned?

The dark lining to Apple's silver cloud

By Robert Lemos

Posted in Security, 3rd August 2007 11:34 GMT

LAS VEGAS - The Apple Store at the Fashion Show Mall has a solid crowd for a Monday afternoon and it's easy to pinpoint the favourite.

A dozen iPhone stations collect at the front of the store, and they are rarely lonely. A stylish 20-something couple laughs as the man snaps a picture of the woman and shows her the screen. A brown-haired woman wearing a UNLV t-shirt moves her fingers over the display and smiles as the device responds. The ready touches and kid-in-the-candy-store smiles are likely just the reaction that Apple CEO Steve Jobs hoped to elicit with the device.

However, the iPhone has gotten a lot rougher treatment from the hackers and security researchers that will converge on Las Vegas for the Black Hat Security Briefings and the DEFCON hacking conference this week.

A month after its release, the iPhone has been poked, prodded, torn apart and made to reveal a number of its secrets. Hackers have already learned how to build and install programs on the device, a considerable feat as Apple has not published any application interfaces or development kits for the iPhone. And bug hunters have had wins of their own: On Thursday, Charles Miller, a security researcher at Independent Security Evaluators, will reveal the details of a significant flaw found in the device's stripped-down web browser - a flaw that Apple patched on Tuesday.

For Miller, there is no secret about the reason for all the attention. Since its launch a month ago, the iPhone and its slick interface have garnered rave reviews from tech-savvy users. Hacker and security researchers are no exception: Miller carries his own iPhone and quickly pulls it out upon request over breakfast Tuesday.

"The iPhone is cool," he said.

Yet, the popularity of the sleek phone has also lured hackers to pull apart the device and flout Apple's restrictions on developing software for the device. And, just as they took to Macs and MacBooks, security researchers have focused on finding flaws in the iPhone's operating system and software. It's the dark lining to Apple's silver cloud.

"The bottom line is that people will find ways of accessing the device," said Mikko Hyppönen, chief research officer for anti-virus firm F-Secure and an expert on mobile-device security. "I'm guessing there will be more activity for the next six months on the iPhone then there will be on the Macs or OS X."

Already, the first month's flurry of hacking rivals the attacks of late last year that focused on cracking the security surrounding the next-generation Blu-Ray and HD DVD video formats. The poking and prodding have also born fruit -sSecurity researchers have already identified severe design weaknesses in the iPhone.

At the top of the list, the device's operating system runs every application with administrator privileges, according to Miller and his cohorts at Independent Security Evaluators, turning a simple breach of any application into a breach of the system. In addition, both the iPhone's stack and heap are executable and the layout of programs in memory are not randomised - two factors that make exploitation of any vulnerabilities much easier, he said.

"I think people are letting Apple off easy," Miller said. "You need to design the iPhone so that even if there is a problem in Safari, people don't completely take over your phone."

Yet, the hip consumer technology company has done a credible job with security.

For one, Apple turned off as many non-essential services as possible, minimising the software surface area that could be attacked by malicious code. The stripped-down version of Safari, known as MobileSafari, allows very few files types, making it harder to attack. In addition, Apple has quickly produced a patch for the vulnerability found by ISE, releasing an update for the phone on Tuesday. The patches are easily installed through iTunes, making it less likely that people will be carrying phones vulnerable to older flaws.

The iPhone's restrictions on installing non-Apple software can be seen as a security feature as well, as long as the protections make it difficult to create programs for the phone, F-Secure's Hyppönen said.

"From the attacker's point of view, it is a hard device to attack, because there is no SDK (software development kit) - it's a closed system," he said.

Moreover, while the minimalist phone has found favour, the total number of users is still small. AT&T announced earlier this month that 146,000 iPhones had registered with the wireless service in the first two days - a strong showing but short of rosy analyst estimates (registration required) that predicted numbers as high as 500,000. Apple stated in its earnings that the company had shipped 270,000 iPhones during those two days.

Because most attackers target the largest possible population of victims, the iPhone is likely not worth the effort for truly malicious attackers, Hyppönen said.

"The installed base is really low - only a few hundred thousand," he said. "If you attack other phones, such as Symbian phones, you get millions of possible targets."

Yet, if Apple's estimates for sales of the iPhone pan out, the device will only become more appealing. The company aims to sell one million phones by the end of this quarter and ship 10 million by July 2008.

Finally, some researchers question whether compromising an iPhone would gain anything of value for the attacker. While some countries in Asia use cell phones to connect to bank accounts, that is seldom heard of in the United States. And the other data on the device is not necessarily worth stealing, said David Goldsmith, president of security firm Matasano.

"I don't think the attack model of breaking into machines and stealing MP3s is convincing," he said.

Sitting near the Black Hat Security Briefings registration area on Tuesday, Miller agrees.

"There are a lot of other things to worry about right now than my iPhone being hacked," he said.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus