Exploit of iPhone Relies on Social Engineering; Threat Exaggerated

Watch the video up top. It’s a pretty terrifying video of a totally compromised iPhone through a new exploit of Safari, both on iPhone and likely PCs and Macs. A fix is already in the works, but I have to say I’m not that bothered. Why? Because it, like every other really dangerous exploit of a Mac or Apple product I’ve seen, is heavily reliant on social engineering. For your iPhone to freak out and possibly shoot your cats with an iLaserbeam, you first need to go to a website specifically designed to make your iPhone freak out and kill your kittens. And I’m sorry, there’s no amount of protection that can protect people who are dupes for fraud. You can only go so far. This hole needs to close, no doubt, but if people vulnerable to harm on the web don’t know to only go to links they can trust, they probably shouldn’t be using the web at large.

Now, when people can make this happen over WiFi without the use of an exploit-focused website, then I’ll panic. And probably go back to landlines.

Via NY Times.

24 responses to “Exploit of iPhone Relies on Social Engineering; Threat Exaggerated”

  1. Alex says:

    You can easily set up an open Wifi that redirects all web page requests to a malicious one containing the exploit. If your iPhone automatically connects to it and you try to go to google – you are hit.

  2. Ben says:

    Just a quick correction, while it’s true you need to go to a specific website to get compromised, the average iPhone user is likely to let their iPhone hop on any open network. A hacker can use a captive portal (like what happens when you try to use a WiFi network that requires you to pay or sign in at a hotel or coffee shop) as a honey pot to intercept your initial URL request, do their dirty deed, then hand the iPhone on to the actual address you requested. You’re mostly none the wiser but the iPhone is completely compromised. This is a very real vulnerability, though it applies to more OSes than just the iPhone. This one is simply tailored to the iPhone. The lesson here is to set your iPhone to check with you before using an open or unknown WiFi network.

  3. cparker says:

    LOL, this is hilarious. “if people vulnerable to harm on the web don’t know to only go to links they can trust, they probably shouldn’t be using the web at large.” First off, this doesn’t scale. If you are a brand new user, you haven’t been to any websites. Therefore you have no links you can trust. Under your suggestion, this person shouldn’t go anywhere, since they can’t trust anybody. Face it, EVERYBODY free surfs. Why do you think it was called “Web surfing” back in Web 1.0 days?

  4. MINI Vanilli says:

    “Now, when people can make this happen over WiFi without the use of an exploit-focused website, then I’ll panic. And probably go back to landlines.”

    Are we watching the same video? It looks to me like when you are connected to an attacker’s wifi, you can go to any site, and will be unknowingly redirected to a site where your info is stolen. Then the browser (Safari) quits. So it looks like what you say would be bad if it happens is actually what happens. Watch the video again.

  5. J says:

    This doesn’t seem to be a social engineering trick at all.
    Maybe you can look at the video again.
    The exploit is an exact demonstration of the exploit you mention:
    “Now, when people can make this happen over WiFi without the use of an exploit-focused website, then I’ll panic. And probably go back to landlines.”

    J.

  6. Pete Mortensen says:

    I have looked at the video many times. It requires the iPhone to visit an exploit-focused website. You’ll notice he navigates there with Safari. It’s not a sudden hostile takeover while I’m making a phone call with a WiFi connection open. This is a bunch of hype.

  7. Paul Lustgarten says:

    Hmmm, that’s odd. When *I* listen to the video, I hear them say very clearly that, when going to a *trusted* web site, “such as the New York Times”, the rogue *wi-fi base station* will substitute a different URL, thereby directing the iPhone to a rogue web site, but withOUT the user’s participation or endorsement. So the initial rogue element in this scenario is the wi-fi base station. It does NOT require the user to select a rogue web site – that part is done by the wi-fi base station, out of view or control of the user.

    So … it still doesn’t seem like an overwhelmingly horrible vulnerability, but the opening for the exploit is for the user to make use of an untrustworthy/compromised wi-fi hotspot – something that a lot of users may not ever think about.

  8. Tom says:

    The user has to be connected to the exploiter’s wi-fi network. That’s the first sentence he mentions. The lesson isn’t to use only trusted web pages (what a sad, small world you would occupy), but to use only trusted wi-fi networks.

  9. imajoebob says:

    This is almost as much a threat as those “worms” that require you to click Yes to download, select the folder to copy it to, enter your system password, and click Yes to install. Almost.

    “Run away! Run away!”
    – King Arthur (well, in Monty Python and the Holy Grail)

  10. Michael Easter says:

    Is there anything significant about the pretzel, blue post-it notes and tape?

    Purple monkey dishwasher.

  11. Al Gore says:

    Maybe you posted a different video then.
    The scenario I see is: ‘hostile WiFi access point’, ‘access trusted website (via Safari)’, ‘iPhone is now under outside control’.
    So, no ‘exploit-focused website’ is used. It could be ‘http://www.google.com’ etc.
    No social engineering is needed, it could be a notebook with WiFi in a coffee shop, pretending to be the public WiFi access point of the coffee shop (how would you know?). No ‘system’ password or other acknowledgment is needed either.
    And the claim of the video is that the iPhone can be hijacked in normal use, not necessarily while calling.

    If the claim is true, it is a very serious exploit that reveals more than one problem with iPhone (and OS X) security.

    J.

  12. prill says:

    Hmm..
    So..
    Let’s say I am an attacker.
    And I make my access point called “linksys” and open with no password – just like many coffee shops and dorm rooms here in Boston. And there are many.

    As the user, I have connected to a “linksys” WAP before in coffee shops, therefore it has been saved in my preferred networks on the iPhone. So anywhere I go now, the iPhone will automatically connect to linksys if it finds it.

    As the attacker, I decide to change the google.com (maps, mail, news, www) DNS A records in the DHCP scope of my “linksys” WAP to point to my front page with the iPhone exploit.

    Now I can steal anyone’s info who walks through my access point and tries to access *.google.com per the video. How many times do you think people go to google? And how many people who have an iPhone are psyched when they find an open wireless network in the wild, when the EDGE performance is so sloooooow.

    Best way I can see right now to prevent this is to turn off the automatic joining of wireless networks, and then decide when prompted if it’s safe or not – which stinks because the automatic switching between wireless and the EDGE is a cool feature.

    Yes, you do have to go to a harmful website – but since when has google.com put a trojan on your phone?
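
A defensive check for the resolver redirect described in the comments above, as an added example that is not part of the original post or its comments: it compares the addresses a hotspot's resolver hands out with answers recorded earlier on a trusted network. The function names, the reference-table approach and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918, link-local and loopback ranges: a public site should never resolve here.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def base_domain(host):
    # Simplification: last two labels; real code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(local, trusted):
    """Return {hostname: sorted reasons} for answers that look redirected."""
    findings, domains_by_ip = defaultdict(set), defaultdict(set)
    for host, addrs in local.items():
        for addr in addrs:
            domains_by_ip[addr].add(base_domain(host))
            if is_internal(addr):
                findings[host].add("internal-address")
        ref = trusted.get(host)
        if ref is not None and not set(addrs) & set(ref):
            findings[host].add("differs-from-reference")  # weak alone: CDNs vary
    for host, addrs in local.items():
        if any(len(domains_by_ip[a]) > 1 for a in addrs):
            findings[host].add("unrelated-domains-share-address")
    return {h: sorted(r) for h, r in findings.items()}

def hijack_suspected(findings):
    # Strong signals: an internal address for a public name, or unrelated
    # domains collapsing onto one address that the reference does not list.
    for reasons in findings.values():
        r = set(reasons)
        if "internal-address" in r or r >= {
                "unrelated-domains-share-address", "differs-from-reference"}:
            return True
    return False

# Constructed sample: answers from a hotspot's resolver vs. a trusted reference.
LOCAL = {
    "www.google.com": ["192.168.1.50"], "mail.google.com": ["192.168.1.50"],
    "maps.google.com": ["192.168.1.50"], "www.example.org": ["192.168.1.50"],
    "www.example.net": ["203.0.113.20"],
}
TRUSTED = {
    "www.google.com": ["198.51.100.10"], "mail.google.com": ["198.51.100.11"],
    "maps.google.com": ["198.51.100.12"], "www.example.org": ["198.51.100.40"],
    "www.example.net": ["203.0.113.20"],
}
```

Calling `hijack_suspected(audit(LOCAL, TRUSTED))` on the sample flags every redirected name and leaves `www.example.net` alone.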