Too bad that the iPhone 3.0 OS is coming out in the next month or so, but some intrepid researchers have figured out a way to get unsigned code to run in memory for people using iPhone 2.0 software. This opens the door to unsigned third-party apps running on your iPhone without the need to jailbreak it.
Two security researchers from ISE (Independent Security Evaluators) have cooked up a way to get a chunk of code into iPhone 2.0 memory, flip a switch to mark it executable, and then run it. Technology Review goes into detail on how the hack works, which will be presented at Black Hat. This should be an interesting talk on how to bypass the code signing restrictions. The theory on this one is that it might be a generalized way of bypassing code signing as a security measure across a number of other devices, not just the iPhone.
“If you want to attack iPhones, you have to be able to run code to do whatever it is you want to do,” Miller says. “Maybe that is grabbing credentials, maybe it is listening into phone calls, maybe it is turning on the microphone. Who knows? But this all requires that you be able to run code.” “Charlie found those particular places where changing permissions is allowed on the factory iPhones,” says Sergio Alvarez, a security consultant with Recurity Labs and a fellow iPhone hacker, who is familiar with Miller and Iozzo’s research. “[These parts of the phone] make our lives easier and give us more freedom to code generic and reliable second-stage [attacks].” Source: Technology Review
What will be interesting to see is whether the methodology can be extended to other platforms, devices, and systems that rely on signed code to run in memory. That is the next step on this one: finding out whether the technique is Apple-specific or whether the same approach that works on an Apple iPhone carries over to other systems. This is going to be something that hackers latch onto after Black Hat, because there is real potential here to manipulate the data/memory structures that rely on signed code as a way to ensure that malware cannot get a foothold.
The other interesting bit is whether this will be fixed in the iPhone 3.0 system. Apple should be watching this one to see if they can replicate and defeat the attack. But other vendors also need to take a look and make sure that, if code is signed, data stays just data and cannot be programmatically switched from data to executable code.
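The "data stays data" property above is what a W^X (write xor execute) policy enforces: no region of a process is writable and executable at the same time, so there is nothing to flip. As an added example (not from the original post or the researchers' work), here is a small scanner that parses Linux /proc/PID/maps output and reports any mapping that is both writable and executable; the sample map text is constructed for the demo, and `scan_pid` is a hypothetical helper for running it against a live process.

```python
"""Flag writable-and-executable (W+X) mappings in Linux /proc/PID/maps output.

A process that honours W^X never has a region that is writable and executable
at once; a hit here is the kind of data-turned-code region the post warns about.
"""
import re
from dataclasses import dataclass
from typing import List

# Format: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample: one anonymous rwxp region among normal mappings.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example
01b2c000-01b4d000 rw-p 00000000 00:00 0 [heap]
7f3c8a000000-7f3c8a021000 rwxp 00000000 00:00 0
7f3c8a200000-7f3c8a3c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory

    @property
    def writable_executable(self) -> bool:
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text into Mapping objects, skipping lines that do not match."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.rstrip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out


def find_wx(text: str) -> List[Mapping]:
    """Return every mapping that violates W^X (writable and executable)."""
    return [m for m in parse_maps(text) if m.writable_executable]


def scan_pid(pid: int) -> List[Mapping]:
    """Hypothetical live-use helper: scan a running process on Linux."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx(fh.read())
```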