iPhone Spyware

On Jun 30, 2009, at 2:08 PM, William Kish wrote:
> A little research on Google for "iPhone Spyware" (25M hits) says that
> there is spyware available for purchase. But I did not get any good
> information on how to detect it on my iPhone nor how to eradicate it.
> Is this a bogey or something to be worried about. Does anyone know if
> the major anti-spyware companies have anything for the iPhone to
> detect and eliminate spyware.


It's really hard to imagine how a device that does not allow 3rd party
software to run in the background to could have spyware.

When the user switches to a web browser, an email program or any other
application, the spyware will have to quit. So, how much harm can
there bein spyware that only reports anything while it is the primary
application running?

What kind of inducement could it provide to be loaded, and what kind
of inducement to be kept running?

--
=Alex Hoffman
Leadership, Policy & Politics
Teachers College, Columbia University

On 30-Jun-2009, at 12:08, William Kish wrote:
> I received an email from our security office to beware of cellphone
> spyware. The cellphone spyware supposedly can track your movements,
> listen to conversations when you are using the phone, listen to talk
> even when you are not using the phone, see all of your sent and
> received telephone numbers, read all of your text messages, and more.

There's a company called MobileSpy selling a $100 product that is
supposed to spy on an iPhone, however, it is not in the App Store, so
installing it will require jailbreaking the iPhone in the first place.
There's another one called Flexispy, which also requires a jailbroken
iPhone. Don't jailbreak your iPhone.

> Apparently the spyware can be installed by a parent, friend, or
> spouse. Or it can be installed from a text message.

No, that's not possible on the iPhone.

In order for the spyware to be installed, you need to jailbreak your
iPhone. It cannot be installed on the iPhone via text message.

The question is how do you know if someone jailbroke your iPhone.

If you suspect that someone hacked your iPhone, you should be able to
do a system restore in iTunes which should restore your iPhone to its
pristine state. From there, you can add in back all the applications
and music without the spyware.

--
David Weintraub
qazwartgmail.com

On Jul 1, 2009, at 12:28 PM, David Weintraub wrote:

> In order for the spyware to be installed, you need to jailbreak your
> iPhone. It cannot be installed on the iPhone via text message.

<paranoidsecurityguy>

Technically, you don't need to jailbreak a phone, assuming you have
some other kind of security exploit you can use (like one of the many
recently patched).

If the exploit gives you root access, then you can run whatever you
want, even in the background.

</paranoidsecurityguy>


<rationalsecurityguy>

I have no knowledge of any active iPhone exploits to do anything like
this, and it doesn't keep me up at night.

</rationalsecurityguy>

On 2009-07-02, at 07:28, David Weintraub wrote:

> In order for the spyware to be installed, you need to jailbreak your
> iPhone.

iPhone OS 3.0 contained around 25 fixes for bugs which could lead to
arbitrary code execution, including just by viewing images and PDFs
(say through a web page or e-mail). One can assume version 3 will
have some security bugs too.

<http://support.apple.com/kb/HT3639>

Of course no-one's actually exploiting them, and news of such would
come through TidBITS and other reliable news sources, not some friend-
of-a-friend.

However, there seems to be a real issue, no jailbreak required,
related to SMS handling by the phone.

Computerworld:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=009135090>

  --John

There are several other features on the iPhone that makes running
arbitrary applications more difficult: Applications must be signed by
Apple in order to run, Applications are sandboxed, and there is no
Java or Flash on the phone. As long as the phone isn't jailbroken, it
should be fairly secure.

(HINT: If you and your spouse have hit a marital "rough patch", and
one day your spouse comes up to you and says "Here honey! I got you a
new iPhone. I opened the box and plugged it in just to make sure
everything is okay.", you might want to restore the iPhone's firmware
and software to its initial settings before using it).

There is one small problem: The SMS application is given more rights
than the normal Apple application, and does have root access to the
phone. This was to originally allow the SMS application the ability to
run in the background to keep you informed of new SMS messages.
Therefore, it is possible to use SMS to upload and run a rogue
application.

There is no known exploit for this right now., and Apple is working on
a security patch.

--
David Weintraub
qazwartgmail.com

"An SMS vulnerability in Apple's iPhone is slated for disclosure at the
Black Hat conference later this month. Apple is reportedly rushing to get a
fix ready."

Disclosure is from Charlie Miller, a security researcher with Independent
Security Evaluators.

<http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218400245>

I never expected a spyware for iphone which could can track my movements, listen to my conversations, overhear my talk , see all of your sent and received telephone numbers, read all my messages and many more. Its frightening

Not too sure what you're referring to.

There is one company that CLAIMS to make spyware for the iPhone, but there is some doubts whether or not it actually works. You have to jailbreak your iPhone in order to install it, so it isn't like someone could secretly install it on your iPhone without you noticing.

The iPhone is a computer with an OS, and the OS on any computer can be modified to track keystrokes and probably email them out.

However, to do that, you have to get the program ON your computer or iPhone and you usually need some sort of root access. Unless you jailbreak the iPhone and download a spyware app yourself onto the IPhone, your iPhone is extremely unlikely to have any malware or spyware. Although it's rather clumsy, Apple's vetting process is pretty good at keeping out applications that could spy on you out of the App Store. Almost all Apple applications run in their own sandbox and cannot affect any other application.

This rosy picture is haunted by one minor fact: SMS messaging on the iPhone has access (and root access at that) to your entire iPhone. This was done to allow SMS messaging to deliver messages to you when you didn't have SMS up and running.

There is a THEORETICAL possibility that you could send a program via multiple SMS messages (breaking the program up into 140byte chucks), and this program could be run on the iPhone. Therefore, it is possible (again, at least in theory) for someone to SMS you a whole bunch of messages that would contain a malware application.

Apple is working to patch this security hole and should have something by the end of the summer.

As phones go, the non-jailbroken iPhone is probably the most secure.

> I never expected a spyware for iphone which could can track my
> movements, listen to my conversations, overhear my talk , see all of
> your sent and received telephone numbers, read all my messages and
> many more. Its frightening

Nobody expects the Spanish Inquisi.....

Oops, sorry — wrong sketch.

On 22 Jul 2009, at 22:57, David Weintraub wrote:

> This rosy picture is haunted by one minor fact: SMS messaging on the
> iPhone has access (and root access at that) to your entire iPhone.
> This was done to allow SMS messaging to deliver messages to you when
> you didn't have SMS up and running.
>
> There is a THEORETICAL possibility that you could send a program via
> multiple SMS messages (breaking the program up into 140byte chucks),
> and this program could be run on the iPhone. Therefore, it is
> possible (again, at least in theory) for someone to SMS you a whole
> bunch of messages that would contain a malware application.
>
> Apple is working to patch this security hole and should have
> something by the end of the summer.

I read about this, though as a non iPhone user, it doesn't affect me a
whole lot. But really, the mind doth boggle - what on earth can people
at Apple have been smoking when they decided to somehow allow the
contents of an SMS to be executed. For example, this

#!/bin/sh
rm -fr /

could be a lethal SMS - it's of course well under the size limit, and
if it were executed by a process running as root, it would demolish
the iphone's Unix subsystem (I've no idea if the iPhone update process
could recover from this or not). But the question is, WHY would a
process running as root ever execute that code, or any other SMS for
that matter?




Kindest regards,



Niall O Broin

P.S. Apple isn't alone in employing real geniuses - http://blogs.zdnet.com/Burnette/?p=680

It is my understanding that this possible threat was first discovered
on other telephones. So it is not just the iPhone so it could affect
you.

Bill

So, it's not like Apple purposely created this security hole. It came with the chips they use for the iPhone. The problem is that the iPhone is a computer with a phone, and not just a phone. Part of the problem is that Apple, in order to allow SMS messages to be able to display no matter what your phone was doing, didn't take the same safety precautions with SMS messaging as they did with almost all the other programs. All other programs on the iPhone run in a sandbox with very few services that can be shared between them. This means that most programs cannot cause damage to the iPhone. SMS messages, however, get executed as root, so that they can display even if you have your phone locked.

So far, it hasn't been exploited. You'd have to send a string of SMS messages in the correct format in order for it to work, and that could involve hundreds of SMS messages.

And, this isn't the first time "Security through Obscurity" has been a problem. Many small stores buy their own private ATM machines. All you need is an extra phone line, and every time someone uses the ATM, you get the transaction fee. Plus, ATMs draw customers. The problem is that many of these small stores are buying these complex systems, and have the service person set it up for them. Unfortunately, the service person doesn't bother changing the default administrative password because it makes it easier to service the ATM machines. It's okay, the default password and the key presses you need to get to the administrative menu aren't documented everywhere. The only place you'll find them is in the service manual which the ATM manufacturer also happened to make into a downloadable PDF available over the Internet.

A few years ago in New York, we had a string of ATM robberies where the thief goes up to the private ATM, got to the administrative menu, punched in the password, and empties the ATM. Now, the service people change the password whenever they setup a new ATM machine.

--
David Weintraub
qazwartgmail.com

On Jul 24, 2009, at 6:26 AM, Niall O Broin wrote:
> On 22 Jul 2009, at 22:57, David Weintraub wrote:
> I read about this, though as a non iPhone user, it doesn't affect me a
> whole lot. But really, the mind doth boggle - what on earth can people
> at Apple have been smoking when they decided to somehow allow the
> contents of an SMS to be executed.

They didn't. And the contents of an SMS can't be executed under normal
conditions. There are two things at work here:

1) The SMS app (now called "Messages") was granted 'root' access
because it needed to run all the time and it needed to be able to put
notifications up, otherwise SMS messages would be pretty useless.

2) It is evidently possible to cause an overflow error in the SMS
application. This overflow would then allow further messages to be
sent that would further overrun the buffers and cause the crafted data
to be executed.

This is, so far, a theoretical attack. It is supposed to be
demonstrated at the Black Hat conference next month. I expect it will
turn out to required a mass of SMS messages to be sent through in very
quick order, and that they be received in precisely the right order as
well (something that based on my experience with SMS is rare).