Nasty iPhone Worm Hints at the Future

As smart phones become smarter, malicious code will find a friendlier home.

As mobile phones get more powerful, the threat of serious attacks against such devices increases, security experts warn. This week, cybercriminals moved closer to proving this point–exploiting a weakness in modified iPhones to spread a worm programmed to steal banking information. Some experts say the worm may be a sign that criminals are getting more savvy about hacking mobile devices.

Last Saturday, researchers at several security firms reported that the new worm, dubbed “Ikee.B” or “Duh,” spreads using the default password for an application that can be installed on modified versions of the iPhone. Once the device has been compromised, the worm grabs text messages, and searches for banking authorization codes used by at least one bank, before sending the codes to a central server. Earlier this month, another iPhone worm was released. It exploited the same password weakness to spread itself, but did not try to steal personal information.

“The banking [attack] is new to mobile devices,” says Chet Wisniewski, a senior security advisor at antivirus firm Sophos. “It goes through your phone, grabbing all your text messages, and sends them off to a server in Lithuania.”

Since the attack affects only the small number of iPhones that have been “jail broken”–modified to run nonapproved software–the worm will likely inconvenience only a few people. Yet some researchers say the worm confirms that attacks against mobile users are evolving, and that cybercriminals are targeting the personal and financial information kept on portable devices. The ability to communicate with a central command-and-control server–a characteristic more commonly associated with hijacked PCs–also makes such software more dangerous.

This past summer, at the Black Hat Security Briefings conference in Las Vegas, Charlie Miller, a consultant with Independent Security Evaluators, demonstrated a way to remotely attack iPhones using the short message service (SMS) protocol. Miller says it’s only a matter of time before cybercriminals find a way to infect phones that haven’t been jail broken, vastly increasing the potential scale of an infection. “A [more serious] worm against an iPhone or any other mobile device is going to happen,” Miller says. “It is going to happen to [Google’s] Android and iPhone and everything else. As more bad guys do research into the mobile platforms, these devices are going to get attacked.”

The evolution of the Ikee.B or Duh worm can be traced back to early attacks against mobile devices. In 2000, Timofonica, a relatively simple virus that spread between desktop computers and servers, also had the ability to spam mobile phones in Spain with text messages. In 2004, Cabir, the first mobile-phone-only worm, was released. Cabir could jump automatically between Nokia handsets.

In 2006, researchers at the University of Toronto and Microsoft confirmed that even short-ranged and short-lived Bluetooth connections between phones could, in theory, be used to spread a wireless worm. “Starting a Bluetooth worm outbreak is relatively easy once a vulnerability is found. An attacker can bring an infected device into a typical urban mall and discover many potential victims,” the researchers wrote in a related paper.

The iPhone, and other smart phones, are a more attractive target for hackers because they resemble mini PCs. The devices are always connected to the Internet, run third-party applications, and store information that is potentially valuable to cybercriminals.

Normally, however, exploiting the iPhone is not that easy. The new worm employed a weakness introduced by an application called OpenSSH that can be used to connect to the phone remotely. This application uses the default password “alpine,” and the worm used this default password to wriggle between handsets.

“This is trivial–there is no shell code, no buffer overflow, nothing,” says Miller. “It took me two weeks to write the [code] for the SMS thing, but I could have written [Ikee.B] in, like, five minutes.”

The attacks that have targeted the iPhone in the last month have also focused on jail-broken devices. The modification process to jail break a phone removes the code that prevents users from loading whatever applications they want, but also removes much of the security that prevents malicious code from running on the device. “The iPhone has all these layers of defense, but when you jail break your phone, you break every single one of them,” Miller says.

The evolution of such hacking will continue, Miller says, although the current crop of iPhone attack code has a long way to go. The new worm does little to hide its activity, for example. And, by sending data over wireless networks, as well as aggressively attempting to infect other phones, the worm also quickly runs down the compromised phone’s battery.

“Because the phone is trying to connect all the time, users that get infected with this thing are going to know,” says Sophos’ Wisniewski.
