
Metasploit Adds iPhone Hacking Tools

Popular pen-test tool now comes with Apple iPhone payloads

Sep 26, 2007 | 06:55 AM

By Kelly Jackson Higgins
DarkReading

The iPhone is now officially fresh meat: Metasploit creator HD Moore has added iPhone-hacking features to the wildly popular freebie penetration testing tool. (See Now Playing: Metasploit 3.0.)

Metasploit 3.0 now has Apple iPhone shellcode, with "payloads" for writing exploits using the Metasploit framework. "The addition of iPhone payloads to Metasploit makes it easy for a researcher to write exploits," Moore says. "The payloads also provide an example of how to develop new shellcode for the iPhone, which could accelerate exploit development for the platform."

In addition to a fun payload that lets an attacker make a victim's iPhone vibrate, Metasploit also comes with two other payloads that give an attacker remote shell access. Moore is also currently in the process of adding existing iPhone exploits, such as one in the Perl Compatible Regular Expressions (PCRE) library in Safari, to Metasploit -- as well as some zero-day ones. Moore, who is also director of security research for BreakingPoint Systems, says he hopes to complete these exploit modules this weekend: "I have a few crashes in various apps -- MobileSafari and MobileMail [for instance] -- and with any luck, these will turn into working exploits."

It was only a matter of time before the iPhone became part of the Metasploit hacking arsenal. The minute the iPhone hit the street, researchers were clamoring to be the first to find bugs in the device. Most recently, hackers have been focused on unlocking the phone's ties to exclusive carrier AT&T. (See i Caramba! iPhone Hacked Already and Apple: Bypassing AT&T Can Break Your iPhone.)

The underlying problem is that most iPhone users don't realize their phones are basically a "portable Mac," says Barnaby Jack, staff security researcher for Juniper Networks and an expert in exploiting embedded devices. "People tend to not realize that they're walking around with a portable computer that can be compromised. As well as data theft from the phone itself, the phone can also be used as a platform to launch additional attacks over the Internet."

"I think the real eye-opener will be when malware targets the actual cellphone capabilities. It is not far-fetched that software could be developed to remotely bug the phone calls of the user, or remotely track a user's location," Jack says.

Meantime, the new Metasploit iPhone payloads give attackers full control over the device when they get integrated into a remote exploit, he says. "Once shell access is obtained, any software may be downloaded and installed."

Even more unsettling, however, is the potential for a rootkit to be set loose in an iPhone -- every process runs as "root" on the iPhone, with full root privileges. "What will be more interesting, in my opinion, is the rootkit-style software that will no doubt be developed for installation on the iPhone after it has been compromised," Jack says.

That's a risk that Moore is well aware of. "A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," he wrote last night in a blog post on Metasploit.

Meanwhile, Moore says the most significant Metasploit features for hacking the iPhone are still in the works. "The shellcode itself is neat, but having a working exploit to play with is much more interesting."

"I hope that support for the iPhone in Metasploit will kick-start exploit development and result in the discovery of new attack vectors."


