In the world of information security, the new iPhone was recently released with a vulnerability. Cell phones carry so much of our personal data; therefore, it is critical to secure individuals' information before releasing any device.

Evaluators decided to investigate how tough it would be for a remote adversary to compromise the private information stored on the iPhone. Within a short period of time, they had discovered a vulnerability, created a tool chain for working with the iPhone's architecture, and developed a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. Once this was discovered, the evaluators notified Apple of the vulnerability and suggested a patch, but Apple resolved the issue on their own.
How the exploit works
The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might use to get a victim to open such a web page.

For example, the iPhone learns access points by name (SSID); if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.

If a web forum's software is not configured to prevent users from including sensitive data in their posts or web page, an attacker could cause the exploit to run in any phone browser that viewed the thread.

An attacker could also manipulate a user into opening a website that the attacker controls by sending the link via e-mail or SMS.
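
The access-point vector works because a remembered network is matched only by SSID and encryption type. The Python below is an added example, not code from the original post or from Apple; the profile store, BSSID values and function names are constructed for illustration. It contrasts that matching rule with a check that also pins the access point's BSSID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    encryption: str  # e.g. "open", "wpa2-psk"
    bssid: str       # MAC address of the access point radio

# Constructed profile store: (SSID, encryption) -> BSSIDs seen when the
# network was first trusted. All values here are made up for the example.
TRUSTED = {
    ("CoffeeShop", "open"): {"00:11:22:33:44:55"},
    ("HomeNet", "wpa2-psk"): {"66:77:88:99:aa:bb"},
}

def name_only_match(beacon: Beacon) -> bool:
    """Rule described in the article: same name and encryption type."""
    return (beacon.ssid, beacon.encryption) in TRUSTED

def pinned_match(beacon: Beacon) -> bool:
    """Stricter rule: the BSSID must also be one recorded for that profile."""
    known = TRUSTED.get((beacon.ssid, beacon.encryption), set())
    return beacon.bssid.lower() in known

def classify(beacons):
    """Label each beacon; 'lookalike' marks what name-only matching would join."""
    verdicts = []
    for b in beacons:
        if pinned_match(b):
            verdicts.append((b.bssid, "known"))
        elif name_only_match(b):
            # Same SSID and encryption but an unrecorded radio: alert, do not
            # auto-join. Large networks with many APs will also land here.
            verdicts.append((b.bssid, "lookalike"))
        else:
            verdicts.append((b.bssid, "untrusted"))
    return verdicts

# Constructed scan results.
SCAN = [
    Beacon("CoffeeShop", "open", "00:11:22:33:44:55"),
    Beacon("CoffeeShop", "open", "02:00:00:00:00:01"),
    Beacon("CoffeeShop", "wpa2-psk", "02:00:00:00:00:02"),
    Beacon("HomeNet", "wpa2-psk", "66:77:88:99:AA:BB"),
]
```

A BSSID is broadcast unauthenticated, so a mismatch is a signal to alert on, while a match proves nothing by itself.
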
When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. It could also send the user's mail passwords, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.
Even though Information Technology is ever increasing to ensure protection of our personal data, there are still so many weak points and flaws that could bring harm to its users and potential lawsuits. I believe that evaluators are needed to expose flaws and vulnerabilities to ensure information security for users.