iPhone's Bluetooth bug under the hacker microscope

Metaploit's HD Moore focuses on the flaw

Almost lost in the hubbub over last Thursday's iPhone firmware update and whether it would "brick" unlocked phones was the fact that Apple patched 10 vulnerabilities -- twice the number of fixes issued since the phone's June debut.

The iPhone 1.1.1 update, which like previous upgrades is delivered through Apple's iTunes software, fixes seven flaws in the built-in Safari browser, two in the smart phone's Mail application and one in its use of Bluetooth, the short-range wireless technology.

The seven Safari vulnerabilities include several cross-site scripting (XSS) flaws, one that can disclose the URL of other viewed pages -- an online banking site, say -- and another that lets attackers execute malicious JavaScript in pages delivered by the SSL-encrypted HTTPS protocol. One of the Safari flaws, and an associated vulnerability in Mail, involve "tel:" links, which can be exploited by hackers to dial a number without the user confirming the call.

But it was the Bluetooth bug that got the attention of security researchers. Symantec's DeepSight threat network team pointed out the vulnerability in an advisory to customers Friday. "Reportedly, the Bluetooth flaw occurs when malicious Service Discovery Protocol (SDP) packets are handled; any attacker that is within Bluetooth range can exploit it remotely," wrote DeepSight analyst Anthony Roe in the alert. "Successful exploits are reported to allow the attacker to execute arbitrary code."

According to Apple's security advisory, the Bluetooth bug was discovered and reported by Kevin Mahaffey and John Hering of Flexillis, a Los Angeles-based company that specializes in mobile security development and consulting. Flexillis may be best known for its reverse engineering of the exploit used to hack into several celebrities' T-Mobile cell phone accounts in 2005, include Paris Hilton and Vin Diesel.

The Bluetooth bug may prove to be dangerous to iPhones, Roe speculated, since the potential range of the technology is much greater than most people think. While Bluetooth's potential range -- and thus the maximum distance between attacker and victim -- is about 400 feet, "Several proof-of-concept Bluetooth antennas have intercepted Bluetooth signals at almost a mile," he said.

Roe also pointed out that HD Moore, the driving force behind the Metasploit penetration framework, had recently demonstrated that shellcode could be run on an iPhone. Moore, said Roe, proved that "exploiting security vulnerabilities affecting the iPhone is by no means out of reach."

In a post to his blog -- and to the Metasploit site -- on Wednesday, Moore said that because every process on the iPhone runs as root, and so has full privileges to the operating system, any exploit of an iPhone application vulnerability, such as Safari or Mail or Bluetooth, would result in a complete hijack of the device. Moore also announced that he would add iPhone support to Metasploit, which would make it much easier for hackers to access a vulnerable phone.

Moore acknowledged that he's looking at the Bluetooth vulnerability. "The Bluetooth SDP vulnerability is the only issue I am focusing on," he said in an e-mail Friday.

He also hinted that locating vulnerable iPhones wouldn't be a problem. "The Bluetooth MAC [media address control] address is always one less than the Wi-Fi interface's MAC address," he said. "Since the iPhone is always probing for or connected to its list of known access points, the presence of the iPhone and its Bluetooth MAC address can be determining by using a standard Wi-Fi sniffer.

"Once the Bluetooth MAC address is obtained, the SDP issue can be exploited by anyone within range of the Bluetooth chip, or within range of the attacker's antenna, which can be up to a mile away in some cases," he said.

If Moore manages to craft an exploit and add it to Metasploit, it's probable that criminal hackers will quickly follow. "Once we see something in Metasploit, we know it's likely we'll see it used in attacks," Alfred Huger, vice president of engineering with Symantec's security response group, said in a July interview.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?