Over the past few years, researchers have warned that viruses and other security threats could soon start appearing on mobile devices. The buzz at two major hacker conferences suggests that such threats could finally be about to arrive in force. The Black Hat and Defcon conferences, which bring together computer security researchers, consultants, and independent hackers, both took place last week in Las Vegas.
This weekend, a hacker known as “comex” grabbed headlines by launching a website called “JailbreakMe” for breaking the security architecture built into the iPhone. Simply visiting www.jailbreakme.com on an iPhone and clicking a button will disable these security features.
JailbreakMe doesn’t appear to be designed to harm an iPhone or the data stored on it. Some users “jailbreak” their iPhones in order to install applications that haven’t been approved by Apple, or to run the phones on a network other than Apple’s partner, AT&T. But the technique used by JailbreakMe could just as easily be used by malicious hackers or virus writers. It was also just one of many mobile exploits discussed at both Black Hat and Defcon.
According to Dave Marcus, security research and communications manager for the security company McAfee, JailbreakMe relies on two vulnerabilities: one involves the way an iPhone processes PDF files, and another is buried deep in the phone’s operating system. Together, these vulnerabilities allow “remote code execution”–making it possible to run programs on the device without going through Apple’s App Store or getting permission from the user.
In a post on McAfee’s site, Marcus noted that vulnerabilities that work as reliably as those used by JailbreakMe tend to be picked up by other attackers and used for malware and other nefarious purposes. “I hope I am not the only one who is bothered by this because it begs the question, ‘What else can this be used for?’ ” Marcus wrote.
JailbreakMe “shows exactly the threat scenario that mobile phones can face,” adds Vincenzo Iozzo, an engineer for Zynamics. Iozzo was part of a team that won an iPhone hacking contest earlier this year at the CanSecWest security conference in Vancouver. He explains that smart phones are often protected by a technology known as “sandboxing,” which is supposed to isolate some functionality in the phone from installed software, thus preventing attackers from gaining total control. JailbreakMe bypasses sandboxing, demonstrating a serious threat to the device.
Iozzo presented his own research, conducted with colleagues Tim Kornau and Ralf-Philipp Weinmann, at Black Hat. He showed how attackers can run code even on operating systems designed not to allow unfamiliar code to execute by using a type of code that works at a low level within the operating system. Iozzo says his research could significantly cut down the time it takes to develop an effective attack against a smart phone.
The iPhone wasn’t the only phone targeted by security researchers. Nicholas Percoco and Christian Papathanasiou, both researchers at TrustWave’s SpiderLabs, presented a rootkit for the Android HTC Desire at Defcon. The researchers didn’t focus on how to get the rootkit onto a user’s device–software that gives an attacker complete control over a system. Instead, they explored what could happen once an attacker was able to get a rootkit installed.
Percoco says the rootkit gives an attacker very low-level access–making it possible to, for example, cause the device to make “phantom phone calls”–connections that a user wouldn’t notice. This ability might be attractive to attackers looking to make money by collecting fees from a 900 number, Percoco notes.
Percoco argues that it is dangerous that software makers hide much of a smart phone’s complexities from users. This makes for good usability, he says, but it also makes it hard for a user to know when something has gone wrong. “Most users don’t question the integrity of their phones,” he says.
Karsten Nohl, a prominent German security researcher, says the iPhone, which automatically limits the code that can run on the device, is more secure–by default–than the average PC. But he adds that hackers can also attack mobile infrastructure. He says that this infrastructure is less secure than corresponding Internet infrastructure because it hasn’t been researched as thoroughly.
Nohl presented research at Black Hat showing how to break the encryption used by GSM–the network standard for most phones around the world (in the United States, several major carriers use a competing network technology known as CDMA). Nohl released software that allows a user equipped with a software radio (hardware that costs about $1,500) to analyze and break the encryption used to protect GSM communications. Research into GSM has been slowed by the inaccessibility of the networks, Nohl says, but these days anyone can apply knowledge of Internet and PC hacking to GSM.
Other network attacks revealed at Defcon could allow someone to track people’s locations through a mobile network’s databases. Nohl says he hopes that these and other new attacks will make network operators address vulnerabilities with patches and stronger encryption.