Nicholas Allegra, better known as ‘comex’, the creator of the JailBreakMe website which made it child’s play for iPhone owners to jailbreak their devices, has been given an internship at Apple.
The 19-year-old from Chappaqua, New York posted the news of his new position on Twitter:
Allegra has given Apple plenty of headaches in the last couple of years, finding security vulnerabilities in Apple’s iPhone that allowed anyone to convert their smartphone into a device capable of running unapproved applications.
Normally jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad – but JailBreakMe made it significantly easier.
Just visiting the website with Safari would trigger a security vulnerability, allowing code to run which would jailbreak the iPhone or iPad.
Apple don’t like folks jailbreaking their iPhones, so it’s understandable that they would rather have the man behind the JailBreakMe website working for them rather than exposing their security weaknesses.
After all, whenever Allegra updated his JailBreakMe website to defeat Apple’s security he was given a potentially dangerous blueprint to more malicious hackers who may want to plant more dangerous code.
Each time Allegra has found a flaw in Apple’s software, the company has been forced to rush out a security patch.
So, what’s going to change now Apple has made jailbreaking expert Nicholas Allegra an intern?
Well, I would imagine that they’ll be strongly encouraging him to share with them any details of security flaws he finds with their software rather than updating his drive-by jailbreaking website. That way they’ll be able to work on patching any vulnerabilities he discovers before they are made public.
I’m sure they’ll be particularly keen to prevent Allegra from publishing details on how to jailbreak the next incarnation of iOS, version 5.0, or the much-mooted iPhone 5.
From Apple’s point of view it’s a case of: If you can’t beat ’em, hire ’em.
By Graham Cluley @ nakedsecurity.sophos.com
Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch, or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.
Update: Initially we thought that this exploit only effected iOS4 devices, but it turns out all iPhones, iPod Touches and iPads running 3.1.2 and higher are susceptible.
The vulnerability is easily exploitable. In fact, the latest one-click, no-computer-required Jailbreak solution for iOS 4 devices uses this same method to break Apple’s own security (although in a completely benign way for the user).
How it works
It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device.
The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions… anything can be done.
This is not the first time that something similar has happened. At the beginning of the iPhone’s life there was a problem with TIFF files that also caused the same security breach. Apple patched the bug after a while, but back then there were very few iPhones compared to the current installed base. Apple says that there are 100 million iPhones, iPod touches, and iPads in the world. Obviously, malicious hackers are racing to get a slice of that market.
How can you avoid it?
Right now, the easiest way to avoid this problem is by not going to any PDF links directly and not loading any PDF from any non-trusted source.
You can also jailbreak your iPhone and install a program that will ask for authorization every time your browser encounters a PDF (just look for “PDF loading warner” in Cydia).
While this doesn’t solve the security problem at all, at least it will remind you every single time.
Source : http://gizmodo.com
A website that has made it simple for iPhone and iPad users to jailbreak their devices may not just be a headache for Apple, but also a portent for future malicious attacks.
Owners of Apple gadgets who visit the JailbreakMe website in Safari have found that all they need to jailbreak their device is slide a button to give permission, opening up the possibility of installing apps that have not been approved by the official AppStore.
Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.
The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.
As a number of YouTube videos have demonstrated, it’s a pretty slick process:
What concerns me, and others in the security community, however, is that if simply visiting a website with your iPhone can cause it to be jailbroken – just imagine what else could hackers do by exploiting this vulnerability? Cybercriminals would be able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user’s permission.
iPhone-owning customers of Citigroup have been urged to update their mobile banking app immediately because of a security flaw that secretly stored account numbers, bill payments and security access codes in a hidden file.
The Citi Mobile app allows customers to check their account balances, transfer funds and pay bills from their iPhone, and is one of the most popular finance applications in the Apple App Store with approximately 120,000 users since it was launched in March 2009.
Citigroup told the Wall Street Journal that it had “no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone.”
However, there will undoubtedly be concerns that if users lost their iPhone the information could be accessed by an identity thief. Furthermore, it is believed that the sensitive data could also have been backed-up to customers’ Windows and Mac computers when they are synchronised with the iPhone. Certainly, there are many more chances for the typical malicious hacker to access information stored on a PC than on the controlled environment of an Apple iPhone.
Sophos has launched its first application for the Apple iPhone – designed to give you a better view of the security threats that are out there, with live hourly updates direct from SophosLabs.
The app, which also runs on the iPod Touch and the iPad, allows you to access Sophos information when you’re on the move or away from your desk, and includes the following supa-dupa features:
Threat Spotlight Experts from our labs detail some of the most interesting threats that they have analysed in the last week, explaining who is at risk, details of the attack and how to avoid becoming a victim.
Latest threats A dynamic list of the latest top ten threats analysed by the experts in SophosLabs, providing detailed information on their prevalence and a helpful link to further details on the Sophos website.
Stats Sexy graphs to bamboozle your boss with – showing in technicolour pie charts the latest stats for top email attachment malware attacks, spam and web-based threats.
Maps Now this is funky. Your iPhone will show you a world map, allowing you to view not just the latest email, spam and web attacks – but where they have been spotted around the world. You can even zoom in on particular countries, and view the subject lines of spams being sent around the globe.
Info Links to our blogs, our latest threat report, and loads of other good stuff.
So, what are you waiting for? Grab it from the Apple App Store now, or search for “Sophos” in the iTunes App Store.
We’re very interested in getting feedback as to what you think of this Sophos app. So please do leave us a rating and a review on iTunes, as it will help us decide if we should develop it further.
Also, if you have the time, why not quickly fill in the following survey to tell us what you’d like to see next from the Sophos Security Threat Monitor app?
Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.
The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.
Watch the following YouTube video to learn more:
It’s a cute little video, but how realistic is this threat in reality?
I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.
Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions. For instance, code that enables covert remote surveillance, battery drainage or silently steals data.
Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.
So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.
How are they going to do that?
They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).
So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably less opportunities (and thus much harder) to infect a mobile phone than, say, a computer running Windows.
Furthermore, I would argue that the typical mobile phone user is still typically less used to installing applications than their Windows counterparts, and so the chances of success via fooling the user into installing a dangerous application can be assumed to be even lower.
Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?
If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.
Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but slowly it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.
However, if I was responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.
It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.
More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]
By Graham Cluley, Sophos
An application for smartphones running the Google Android operating system has been reported to steal users’ banking information.
According to a blog post from the First Tech Credit Union, an app developer called 09Droid created applications which posed as a shell for mobile banking applications, and in the process phished personal information about the users’s bank accounts. The information would, presumably, have been usen for the purposes of identity theft.
SophosLabs has not yet seen a sample of the malware, which has now been removed from the Android Marketplace, and First Tech Credit Union is at pains to point out to its customers that it does not currently have an app for the Android phone.
A number of other financial institutions have also published warnings regarding the Android applications. For instance, here’s a similar warning about the Android app that was published on the website of Travis Credit Union, and this is what the credit union posted on its official Facebook page:
Although malware has previously emerged for jailbroken iPhones (such as the infamous Rick-rolling Ikee worm) the malicious applications have not made it onto users’ iPhones via Apple’s highly guarded AppStore.
The Android marketplace, however, is not as closely monitored as Apple’s equivalent, and adopts a more “anything goes” philosophy. This, combined with the current buzz around new phones running Android such as the Motorola Droid and the Google Nexus One, may make the platform more attractive to cybercriminals in future.
As more and more users inevitably take advantage of smartphones to access their bank accounts in the future, the temptation for hackers to exploit systems may become greater.
by Graham Cluley, Sophos
The author of the world’s first iPhone worm must be feeling pretty chirpy today, because he’s managed to get himself a job as an iPhone application developer.
21-year-old Australian Ashley Towns, revealed that he was going to join mogeneration (What is it with companies who insist on being spelt in lowercase? Does anyone really think that looks cutting-edge anymore?) on his Twitter feed earlier today.
Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.
The worm, which could have spread to other countries although we have no confirmed reports, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again
On each installation, the worm – written by a hacker calling themselves “ikex” – changes the lock background wallpaper to an image of Rick Astley with the message:
ikee is never going to give you up
What’s clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, “alpine”. In fact, it would be a good idea if you didn’t use a dictionary word at all.
The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.
SophosLabs is analysing the worm’s code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the “D” version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.
The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.
Presently it appears that the worm does nothing more malicious than spread and change the infected user’s lock screen wallpaper. However, that doesn’t mean that attacks like this can be considered harmless.
Accessing someone else’s computing device and changing their data without permission is an offence in many countries – and just as with graffiti there is a cost involved in cleaning-up affected iPhones.
Other inquisitive hackers may also be tempted to experiment once they read about the world’s first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.
iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.
My prediction is that we may see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.
Who wrote the ikee iPhone worm?
The source code of the worm says at its start:
/ "ikee virus" by ikex
/ Revision: 10 (Variant D)
A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves “ike_x”.
According to ike_x’s user profile on the Whirlpool forum he is based in Sydney. Further searching on the internet reveals other pages seemingly related to ike_x of Sydney, using the name “Ash” or “Ashley Towns”. For instance, here is a MySpace page and this appears to be Ash/ikex on Twitter.
The worm’s author appears to have realised that people might be interested to learn why he wrote the worm, and posted this explanation inside the code:
Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?
There is a certain irony in the notion that a hacker who says he was trying to expose sloppy security by the owners of jailbroken iPhones has done such a bad job of covering his own tracks..
Source of image of affected iPhone: Batman from the Whirlpool forums.
By Graham Cluley, Sophos