Interesting read from a BlackHat conf.

Full PDF here:

http://secdocs.lonerunners.net/docum...iphone-privacy


Noteworthy extracts:

Can users trust iPhone applications because they are reviewed by Apple? What about corporate environments? The aim of the work presented in this paper is to get facts and a clear view of iPhone privacy issues, in order to help consumers and professionals taking sensible and well-informed decisions.

...

This paper starts by defining privacy and presenting an overview of past iPhone privacy issues.

Next, it specifically considers the unmodified devices and examines what sensitive data may be compromised by an application downloaded from the App Store. Because seeing is believing, the source code of a proof-of-concept malicious application was made available publicly.

This paper goes on to explain how a malicious application could be crafted to fool Apple’s mandatory reviews in order to be accepted on the App Store. Finally, it discusses several attack scenarios, tries to suggest improvements and delivers basic recommendations.

...

3.1 Root exploits

Here are two well known root exploits on the iPhone. The vulnerabilities were quickly patched by Apple, but could have been exploited to steal private data.

3.1.1 libtiff

July 2007. The first exploit was due to multiple buffer overflows discovered in libtiff by Tavis Ormandy. The vulnerable libtiff version was used by Apple's ImageIO framework. Simply opening a maliciously crafted TIFF image could lead to arbitrary code execution, as demonstrated by Rik Farrow. Apple patched this vulnerability in iPhone OS 1.1.2.

3.1.2 SMS fuzzing

July 2009. This exploit was presented at Black Hat USA 2009 by Charlie Miller and Collin Mulliner. The researchers presented an iPhone vulnerability that could allow a hacker to seize control of the phone through maliciously crafted SMS messages. The vulnerability was patched in iPhone OS 3.0.1.


3.2 Personal data harvesting

3.2.1 Aurora Feint

In July 2008, the popular iPhone game Aurora Feint was the first application to be pulled from the App Store due to privacy concerns. The game would upload all the contacts stored in the iPhone to the developer's server, allegedly to discover if any of the user's friends also play that game.

3.2.2 MogoRoad

In September 2009, the Swiss road traffic information application MogoRoad was pulled from the App Store after users complained that they received sales calls from the company. MogoRoad is back on the App Store after Mogo's explanations.

3.2.3 Storm8 complaint

In November 2009, a federal lawsuit was filed in California against the iPhone application publisher Storm8, whose games had already been downloaded more than 20 million times. The games were harvesting the user's phone number and sending it without encryption. Since then, Storm8 games have stopped collecting users' phone numbers.

3.2.4 Pinch Media

Pinch Media is a free analytics framework used by many iPhone developers. It collects anonymous usage data from mobile phone applications and could be compared to Google Analytics.

In July 2009, some bloggers started to raise serious concerns about Pinch Media, claiming that iPhone users were being tracked by some applications without their knowledge and without the possibility of opting out. According to Pinch Media, the collected data are:

– a unique hardware identifier
– the model of your phone and operating system
– the application's name and version
– the result of a check to see if the device has been jailbroken
– the result of a check to see if the application has been stolen
– the length of time the application was run
– if the user explicitly agrees to share it, the user's location
– if the application uses Facebook Connect, the gender & age of the user

3.3 Worms on jailbroken devices

November 2009 saw an important wave of worm attacks targeting jailbroken iPhones. All of them exploit the fact that very few users bother to change the default root password (alpine) after jailbreaking their iPhone and installing an SSH server.

3.3.1 Ikee

Ikee is the first known iPhone worm. It changes the iPhone's wallpaper and displays a photograph of 1980s singer Rick Astley with the words Ikee is never gonna give you up. It was written by a 21-year-old Australian programmer, who was subsequently hired by the Australian iPhone development company mogeneration.

3.3.2 Dutch 5 € ransom

This worm locked the screen with the following message: Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now!, until the user had paid a 5 € ransom to a PayPal account. The Dutch hacker has now taken down his PayPal account, returned the money he earned and published free instructions on how to remove the backdoor.

3.3.3 iPhone / Privacy.A

This worm steals personal data but, unlike the previous worms, does not reveal its presence.

3.3.4 Ikee.B / Duh

This worm is highly pernicious. It connects to a Lithuanian master, like a traditional botnet node. It changes the root password into “ohshit”, steals private data and attempts to infect other hosts. The worm also tries to exploit ING Direct bank’s two-factor authentication by using SMS. This worm was analyzed by SRI International [5].
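Every worm in section 3.3 gets in the same way: a password login as root over the SSH server the owner installed after jailbreaking, then the same attempt against the next device. The script below is an added example, not code from the paper or from the worm analyses it cites; it takes the authentication lines that an OpenSSH sshd writes to syslog ("Accepted password for root from ... port ... ssh2") and flags two things a defender would want to see: any root login that succeeded with a password at all, and any source address that obtained root on more than one device, which is the propagation pattern rather than an owner using one phone. The hostnames, addresses and log lines are constructed for the example; the only assumption about the devices is that they run an OpenSSH package with that standard log format.

```python
"""Flag worm-style root logins in OpenSSH authentication logs.

Added example for the section on the 2009 jailbroken-iPhone worms.
It assumes the devices run an OpenSSH sshd with the usual
"Accepted|Failed <method> for <user> from <ip> port <n> ssh2" lines.
The log sample below is constructed, not captured from a real device.
"""
import re
from collections import defaultdict

# Constructed sample: three devices, one source (10.0.0.77) hopping between them
# with the default root password, plus one unrelated root login from 10.0.0.12.
SAMPLE_LOG = """\
Nov 22 14:03:11 iPhone-A sshd[211]: Accepted publickey for mobile from 10.0.0.9 port 50122 ssh2
Nov 22 14:05:40 iPhone-A sshd[230]: Failed password for root from 10.0.0.77 port 41000 ssh2
Nov 22 14:05:41 iPhone-A sshd[230]: Accepted password for root from 10.0.0.77 port 41000 ssh2
Nov 22 14:06:02 iPhone-B sshd[118]: Accepted password for root from 10.0.0.77 port 41004 ssh2
Nov 22 14:06:30 iPhone-C sshd[301]: Failed password for root from 10.0.0.77 port 41010 ssh2
Nov 22 14:06:31 iPhone-C sshd[301]: Failed password for root from 10.0.0.77 port 41010 ssh2
Nov 22 14:07:15 iPhone-C sshd[305]: Accepted password for root from 10.0.0.12 port 60211 ssh2
"""

# syslog timestamp, hostname, sshd[pid], then the OpenSSH auth result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?P<user>\S+)"
    r"\sfrom\s(?P<src>\S+)\sport\s\d+"
)


def parse_sshd(log_text):
    """Yield one dict per sshd authentication line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_root_password_logins(events):
    """Every successful password login as root is a finding on its own:
    a jailbroken phone that still accepts root/alpine is what the worms scanned for."""
    return [e for e in events
            if e["result"] == "Accepted"
            and e["method"] == "password"
            and e["user"] == "root"]


def find_spreaders(events, min_hosts=2):
    """Map each source address to the devices it got root on, keeping only
    sources that succeeded on at least `min_hosts` devices (worm-like spread)."""
    hosts_by_src = defaultdict(set)
    for e in find_root_password_logins(events):
        hosts_by_src[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


def analyse(log_text, min_hosts=2):
    """Run both checks over a log text and return the findings."""
    events = list(parse_sshd(log_text))
    return {
        "root_password_logins": find_root_password_logins(events),
        "spreaders": find_spreaders(events, min_hosts),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for e in report["root_password_logins"]:
        print(f"root password login on {e['host']} from {e['src']} at {e['ts']}")
    for src, hosts in report["spreaders"].items():
        print(f"worm-like spread: {src} got root on {', '.join(hosts)}")
```

On the sample, 10.0.0.77 is reported as a spreader (root on iPhone-A and iPhone-B) while 10.0.0.12, which succeeded on one device only, appears solely in the per-login list. Note that once a variant such as Ikee.B has changed the root password, later attempts by other worms show up as Failed lines, so the first Accepted line from a given source is the one that matters for timing the compromise.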

3.4 iPhone forensics

Physical access to any device means that pretty much everything can be compromised, with the notable exception of passwords, which are stored encrypted in the phone's Keychain.

...

6 Attack scenarios

Here are some attack scenarios, outlining the potential consequences of a “privacy attack” and illustrating ways in which iPhone security is not as good as it should be.

6.1 The spammer

A breakout game is made available for free on Apple’s App Store. While you are playing breakout, it reads your email address, your recent Safari searches, your weather cities and the words contained in your keyboard cache.

When you submit your high score to the application's server, the stolen information is sent at the same time in an encrypted form. The application also sends all the email addresses in your address book.

Now the spammer knows your interests from Safari searches and the keyboard cache. It also knows your location thanks to weather cities. This information can then be used to send you targeted commercial offers, or it can be sold on to other parties.

6.2 The blackmailer

A collaborative application on Hollywood gossip is made available for free on the App Store. While giving clues about spotting stars, it surreptitiously goes through your address book and edits the email addresses.

Knowing that film industry people are likely to download this application, the emails they send are diverted to a clandestine server, providing potentially compromising private information to a prospective blackmailer.

The approach can be tailored to produce the same scenario in the industrial, political or financial world.

6.3 The luxury products thief

An application for Rolls Royce owners or art collectors could report the name, the area, the phone number and the geotagged photos of wealthy people. This is enough information to rob them, especially if it can be determined that the targeted individuals are currently away from home.

6.4 The jealous husband

Unlike the previous scenarios, this one needs physical access to the device.

A detective, an evil competitor or even a jealous husband may be interested in stealing the personal data in an iPhone to which they have physical access. All that is needed to do so is a Mac, a 99 USD Apple developer license and a USB cable. It takes just five minutes to install SpyPhone, steal the personal data with the "email report" function, erase the evidence by deleting the sent mail and delete SpyPhone itself.

Nothing has been jailbroken, no expensive device wiper was involved, and a horde of valuable personal data has been stolen. The iPhone owner need never suspect anything, and the jealous spouse or business competitor has full liberty to study Wifi connection logs, photo library dates and geotags for evidence that, say, the partner was not at the office at a given time.

6.5 VIPs

It is easy to imagine how an attack could be targeted against a particular individual. For example, French Prime Minister François Fillon (figures 15 and 16) is very proud of his iPhone and takes it everywhere. Fillon is a native of the French region called la Sarthe, where he also has his political roots. There is a significant likelihood that he would download an iPhone application designed to provide local breaking political news. It does not take much imagination to see the potential for damage in such a scenario.