SAN DIEGO–The success of a group of hackers in compromising the security of Apple’s iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.
In a presentation at the ToorCon hacking conference here on Saturday, Eric Monti, a Senior Researcher at Trustwave’s SpiderLabs, demonstrated how the same kinds of vulnerabilities and exploits that allowed a team of hackers to “jailbreak” iPhones and iPads free of Apple’s content restrictions could be used to push rootkit-style malware onto those devices and intercept credit card data from an iPhone-based transaction.
For his presentation, Monti designed a proof-of-concept iPhone rootkit, dubbed “Fat,” by modifying the original jailbreakme code to create a stripped-down remote monitoring application.
“Fat” was an effort to learn from the work of the team that created jailbreak by “weaponizing” the code, Monti said in an interview with Threatpost. Among other things, the researcher removed system prompts created by the jailbreakme app and added a rootkit feature to remotely control such key iPhone features as the microphone, camera and geolocation services, as well as SMS, he said.
The program is harmless, and the vulnerabilities in question were patched by Apple in early August. However, Monti warns that the growing number of high-value applications on the iPhone, including banking and e-commerce, will increase the attractiveness of the platform to malicious parties.
“There are lots of different applications for causing mayhem,” Monti said. “We’re talking about some pretty sensitive apps: banking, credit card processing, point of sale, SCADA,” he said.
As an example, Monti used a free iPhone credit card transaction reader, “Square,” on a rooted iPhone, showing how magnetic stripe data could be silently siphoned by the rootkit.
Monti hopes the presentation will be a wakeup call to enterprises that don’t yet see iPhone devices as serious threats.
“These devices are just as complicated as desktops and laptops or servers – and that’s before you ship a point of sale application on it,” he said.
The biggest threat posed by mobile phones may be the false sense of security that users and enterprises have about mobile device security. The amount of malware targeting such devices is small, but mobile platforms like iOS and Android are more similar to their progenitors (OS X and Linux) than they are different.
“The resources are there for attackers,” Monti said. As a result, malware and attacks for mobile systems will overlap with those for the original OS, rather than run along parallel paths. And, as third parties introduce more sensitive applications for mobile devices, interest from the malicious hacking community will increase.