iPhone Jailbreak Tool Sets Stage for Mobile Malware

SAN DIEGO–The success of a group of hackers in compromising the security of Apple’s iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.


In a presentation at the ToorCon Hacking Conference here on Saturday, Eric Monti, a Senior Researcher at Trustwave’s Spider Labs, demonstrated how the same kind of vulnerabilities and exploits that allowed a team of hackers to “jailbreak” iPhones and iPads from Apple’s content restrictions could be used to push rootkit-style malware onto those devices and intercept credit card data from an iPhone-based transaction.

For his presentation, Monti designed a proof-of-concept iPhone rootkit, dubbed “Fat,” by modifying the original jailbreakme code to create a stripped-down remote monitoring application.

“Fat” was an effort to learn from the work of the team that created jailbreak by “weaponizing” the code, Monti said in an interview with Threatpost. Among other things, the researcher removed system prompts created by the jailbreakme app and added a rootkit feature to remotely control such key iPhone features as the microphone, camera and geolocation services, as well as SMS, he said.

The program is harmless and the vulnerabilities in question were patched by Apple in early August. However, Monti warns that more and more high-value applications on the iPhone, including banking and e-commerce, will increase the attractiveness of the platform for malicious parties.

“There are lots of different applications for causing mayhem,” Monti said. “We're talking about some pretty sensitive apps: banking, credit card processing, point of sale, SCADA,” he said.

As an example, Monti used a free iPhone credit card transaction reader, “Square,” on a rooted iPhone, showing how magnetic stripe data could be silently siphoned by the rootkit.

Monti hopes the presentation will be a wake-up call to enterprises that don’t yet see iPhone devices as serious threats.

“These devices are just as complicated as desktops and laptops or servers – and that’s before you ship a point of sale application on it,” he said.

The biggest threat posed by mobile phones may be the false sense of security that users and enterprises have about mobile device security. The amount of malware targeting such devices is small, but mobile platforms like iOS and Android are more similar to their progenitors (OS X and Linux) than they are different.

“The resources are there for attackers,” Monti said. As a result, malware and attacks for mobile systems will overlap with those for the original OS, rather than run along parallel paths. And, as third parties introduce more sensitive applications for mobile devices, interest from the malicious hacking community will increase.

Discussion

  • BambisMusings on

    I agree totally; however, you have not taken it far enough. It is just as fair to say this is true of Windows Mobile/Win7 on smart phones -- and there is A LOT more malware for Windows than Mac or Linux. Besides, one should not have to jailbreak their iPhones to begin with. iPhones should be open to installing what people want/need on them. It would be no more dangerous for the majority of users. And less dangerous for those who have need of programs that are not in the Apple Store. /rant off
  • zeejermanz on

    yeah but apple could already do all that stuff anyways, this just allows the common man to do what nsa does already

  • Opening the Door on

    Ok, let's see what has to happen for the malware to infect the user:

    1. The user has to deliberately download some software that Apple doesn't recommend.
    2. Plug his phone to the computer.
    3. Put his phone into D.F.U. mode.
    4. Run the software and let it modify the OS of his phone.
    It's like saying that your house got robbed because you left your front door open while you're out.
    I don't see the point of what the researcher is trying to do aside from putting FUD into the jailbreak community.

  • Anonymous on

    To Opening the Door:

    Are you fucking retarded? Try to learn about something before you talk out your ass. The Jailbreakme exploit they are talking about was as simple as pointing Safari on the actual iOS to jailbreakme.com and then activating the exploit. That was it, and if a malicious person wanted they would not even have to give the option to activate it, it would just be injected upon visit.

    The method you are talking about is for the current method of Jailbreaking, get your facts straight.

  • Anonymous2 on

    To Anonymous :

    they are in denial because their stupidity can't accept that their "best ever ever best best ever" phone it's not safe.

  • Anonymous on

    Yeah, that was one fine piece of research dufus. Obviously, this world needed another malware proof of concept so your sorry parent basement-living ass could get some more tech points. LOSER!

  • Anonymous on

    Still, Opening the Door's premise is correct: this is not a remote exploit, it requires user interaction. For those who never use Safari on the iPhone, this is a non-issue. As far as the injection goes without user feedback, I do not know, I have not used the exploit in question. My hunch is that Apple has a lockdown on any phone-configuring URLs provided to Safari, as in the past I did change some network settings in this manner (enabling phone tethering) and it did require explicit user approval in order to change anything, with caveats of doom for a bad settings file. Cheers!

  • Eric Monti on

    Following up on a few points:

    Commenters suggesting that exploitability requires user interaction are partly correct. A victim must visit or be guided to a malicious site. But the jailbreak weaponization technique removes all pop-ups and other visible signs of infection. Since the original exploit was very well designed by comex (the original jailbreak author) the phone is still even completely usable and no crashes (usually) occur to tip off a victim what has happened under the hood. Also, unless you're patched or updated, the vulnerability is exploitable on jailbroken and unjailbroken phones equally.

    The jailbreakme.com is not the "current" jailbreak. It's already been patched and we're onto using limera1n's bootrom exploit nowadays. "Opening the Door" describes the limera1n exploit, but it's an honest mistake, these things are coming out constantly and I get them mixed up all the time.

    As for Apple's lockdowns, there may indeed be some capabilities they have there. But the URL an attacker would use is not necessarily identifiable. A lockdown (if one actually exists) would be more likely to have a chance after infection has occurred and been detected somehow. Or... you can just patch. If you're a jailbreak user and need to stay on an earlier version of iOS for some reason, just download the PDF patch from Cydia. If you don't jailbreak, you'll have to upgrade your device to the latest version of iOS from Apple.

    Finally, I concede that I am, at times, a "research dufus" (I think I'd like this added to my business cards actually), but my mom lives alone in a single-br bungalow ;-). That said, I can assure you, I am not the first person to weaponize online jailbreak processes. My intention isn't to spread malware, but to look into and open discussion on this attack (hopefully) before it got into the wild. Thanks for the points anyway, though!

  • Anonymous on

    How can you jailbreak your phone and not know how to use Safari?
