This post is from our new OS Attack author Andrew Seay. Please help him feel welcome – Paul
Charlie Miller, aka Safari Charlie, recently revealed the exploit code which allows an attacker to take complete control of any iPhone using a series of text messages which are not displayed on the receiving handset.
A two-time winner of the MacBook in the annual Pwn2Own contest, Mr Miller informed Apple almost 2 months ago that he would be revealing his attack method at last week’s Black Hat security conference in Las Vegas. The attack, which uses several sequential SMS messages to invoke a memory overflow and execute the remote code contained in the messages, gives complete remote control of the phone, including the ability to place phone calls, access the web, locate the owner via GPS and, possibly most disturbingly, control the camera and microphone remotely.
Apple was exceedingly slow to respond, announcing just this past Friday that it has released a patch to protect its millions of users. The availability of the patch, however, does not fully mitigate the threat, as Apple does not push updates to its mobile handsets. By default iTunes only checks for updates once a week and, once an update is identified and downloaded, iTunes will automatically offer the optional update to users upon their next sync. Unfortunately, this delayed deployment method, coupled with allowing the update to be postponed and the fact that many users delay installing updates due to time constraints or simply because they use the phone predominantly untethered, may mean that a large segment of iPhone users will remain unpatched for much longer than needed.
As we become ever more dependent upon mobile platforms, I firmly believe that we have already reached the point that updates should be pushed to subscribers instead of relying on users to seek out protection. Failure to do so harkens back to the early days of Microsoft updates and disabled firewalls.
I fear that until mass quantities of mobile subscribers become compromised by similar types of attack, users will remain largely reliant upon security through obscurity (and the bliss of ignorance). Unfortunately, the rapid growth of these platforms and the potential monetary gains such attacks offer seem destined to very quickly turn our mobile lifelines into just one more very large and pervasive attack surface for evildoers.
It's a double-edged sword. How many people want Windows updates on their phone? At what point do you go from an update to an anti-malware app separately? At what point do people start downloading fake anti-malware apps?
Security is always going to be a give and take with no room for ignorance.