Attacks/Breaches

9/26/2007 06:55 AM

Metasploit Adds iPhone Hacking Tools

Popular pen-test tool now comes with Apple iPhone payloads

The iPhone is now officially fresh meat: Metasploit creator HD Moore has added iPhone-hacking features to the wildly popular freebie penetration testing tool. (See Now Playing: Metasploit 3.0.)

Metasploit 3.0 now has Apple iPhone shellcode, with "payloads" for writing exploits using the Metasploit framework. "The addition of iPhone payloads to Metasploit makes it easy for a researcher to write exploits," Moore says. "The payloads also provide an example of how to develop new shellcode for the iPhone, which could accelerate exploit development for the platform."

In addition to a fun payload that lets an attacker make a victim's iPhone vibrate, Metasploit also comes with two other payloads that give an attacker remote shell access. Moore is also currently in the process of adding existing iPhone exploits, such as one in the Perl Compatible Regular Expressions (PCRE) library in Safari, to Metasploit -- as well as some zero-day ones. Moore, who is also director of security research for BreakingPoint Systems, says he hopes to complete these exploit modules this weekend: "I have a few crashes in various apps -- MobileSafari and MobileMail [for instance] -- and with any luck, these will turn into working exploits."

It was only a matter of time before the iPhone became part of the Metasploit hacking arsenal. The minute the iPhone hit the street, researchers were clamoring to be the first to find bugs in the device. Most recently, hackers have been focused on unlocking the phone's ties to exclusive carrier AT&T. (See i Caramba! iPhone Hacked Already and Apple: Bypassing AT&T Can Break Your iPhone.)

The underlying problem is that most iPhone users don't realize their phones are basically a "portable Mac," says Barnaby Jack, staff security researcher for Juniper Networks and an expert in exploiting embedded devices. "People tend to not realize that they're walking around with a portable computer that can be compromised. As well as data theft from the phone itself, the phone can also be used as a platform to launch additional attacks over the Internet."

"I think the real eye-opener will be when malware targets the actual cellphone capabilities. It is not far-fetched that software could be developed to remotely bug the phone calls of the user, or remotely track a user's location," Jack says.

Meantime, the new Metasploit iPhone payloads give attackers full control over the device when they get integrated into a remote exploit, he says. "Once shell access is obtained, any software may be downloaded and installed."

Even more unsettling, however, is the potential for a rootkit to be set loose in an iPhone -- every process runs as "root" on the iPhone, with full root privileges. "What will be more interesting, in my opinion, is the rootkit-style software that will no doubt be developed for installation on the iPhone after it has been compromised," Jack says.

That's a risk that Moore is well aware of. "A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," he wrote last night in a blog post on Metasploit.

Meanwhile, Moore says the most significant Metasploit features for hacking the iPhone are still in the works. "The shellcode itself is neat, but having a working exploit to play with is much more interesting."

"I hope that support for the iPhone in Metasploit will kick-start exploit development and result in the discovery of new attack vectors."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...