As mobile phones get more powerful, the threat of serious attacks against such devices increases, security experts warn. This week, cybercriminals moved closer to proving this point–exploiting a weakness in modified iPhones to spread a worm programmed to steal banking information. Some experts say the worm may be a sign that criminals are getting more savvy about hacking mobile devices.
Last Saturday, researchers at several security firms reported that the new worm, dubbed “Ikee.B” or “Duh,” spreads using the default password for an application that can be installed on modified versions of the iPhone. Once the device has been compromised, the worm grabs text messages, and searches for banking authorization codes used by at least one bank, before sending the codes to a central server. Earlier this month, another iPhone worm was released. It exploited the same password weakness to spread itself, but did not try to steal personal information.
“The banking [attack] is new to mobile devices,” says Chet Wisniewski, a senior security advisor at antivirus firm Sophos. “It goes through your phone, grabbing all your text messages, and sends them off to a server in Lithuania.”
Since the attack affects only the small number of iPhones that have been “jail broken”–modified to run nonapproved software–the worm will likely inconvenience only a few people. Yet some researchers say the worm confirms that attacks against mobile users are evolving, and that cybercriminals are targeting the personal and financial information kept on portable devices. The ability to communicate with a central command-and-control server–a characteristic more commonly associated with hijacked PCs–also makes such software more dangerous.
This past summer, at the Black Hat Security Briefings conference in Las Vegas, Charlie Miller, a consultant with Independent Security Evaluators, demonstrated a way to remotely attack iPhones using the short message service (SMS) protocol. Miller says it’s only a matter of time before cybercriminals find a way to infect phones that haven’t been jail broken, vastly increasing the potential scale of an infection. “A [more serious] worm against an iPhone or any other mobile device is going to happen,” Miller says. “It is going to happen to [Google’s] Android and iPhone and everything else. As more bad guys do research into the mobile platforms, these devices are going to get attacked.”
The evolution of the Ikee.B or Duh worm can be traced back to early attacks against mobile devices. In 2000, Timofonica, a relatively simple virus that spread between desktop computers and servers, also had the ability to spam mobile phones in Spain with text messages. In 2004, Cabir, the first mobile-phone-only worm, was released. Cabir could jump automatically between Nokia handsets.
In 2006, researchers at the University of Toronto and Microsoft confirmed that even short-ranged and short-lived Bluetooth connections between phones could, in theory, be used to spread a wireless worm. “Starting a Bluetooth worm outbreak is relatively easy once a vulnerability is found. An attacker can bring an infected device into a typical urban mall and discover many potential victims,” the researchers wrote in a related paper.
The iPhone, and other smart phones, are a more attractive target for hackers because they resemble mini PCs. The devices are always connected to the Internet, run third-party applications, and store information that is potentially valuable to cybercriminals.
Normally, however, exploiting the iPhone is not that easy. The new worm employed a weakness introduced by an application called OpenSSH that can be used to connect to the phone remotely. This application uses the default password “alpine,” and the worm used this default password to wriggle between handsets.
“This is trivial–there is no shell code, no buffer overflow, nothing,” says Miller. “It took me two weeks to write the [code] for the SMS thing, but I could have written [Ikee.B] in, like, five minutes.”
The attacks that have targeted the iPhone in the last month have also focused on jail-broken devices. The modification process to jail break a phone removes the code that prevents users from loading whatever applications they want, but also removes much of the security that prevents malicious code from running on the device. “The iPhone has all these layers of defense, but when you jail break your phone, you break every single one of them,” Miller says.
The evolution of such hacking will continue, Miller says, although the current crop of iPhone attack code has a long way to go. The new worm does little to hide its activity, for example. And, by sending data over wireless networks, as well as aggressively attempting to infect other phones, the worm also quickly runs down the compromised phone’s battery.
“Because the phone is trying to connect all the time, users that get infected with this thing are going to know,” says Sophos’ Wisniewski.