The game is afoot. Hordes of security specialists and hackers are currently probing Apple's iPhone for weak spots that would let them get into the activation system or break the provider lock, so that the phone can be used on networks other than AT&T's. On various security mailing lists, people are busy exchanging results from port scans, fuzzing tests, Bluetooth investigations and analyses of the iPhone Restore package. A wiki in which all this information is being collected centrally was overloaded after readers listed it on Digg.
Those who discovered holes in the beta version of Safari 3 for Windows have been looking for similar holes in the iPhone version. Indeed, Errata Security has apparently confirmed to the US media that a buffer overflow in Safari makes it possible to gain a "certain degree of control" over the iPhone from outside, even to the extent of dialling billable numbers. Errata Security also locked up the iPhone with attacks on its Bluetooth stack, although the stack offers very limited services anyway. Apple has apparently been informed about the problems but has not yet responded.
On top of this, resourceful tinkerers are trying to recover the passwords for the iPhone's root and mobile user accounts from the Restore package. iPhone OS X 1.0 apparently stores the passwords in its password file as traditional DES-based crypt(3) hashes rather than with a stronger scheme such as MD5-crypt; DES crypt uses only the first eight characters of a password and a 12-bit salt, so it is cheap to brute-force. According to the reports, it proved easy to recover the root password "alpine" and the password "dottie" used for the mobile user with the John the Ripper password cracker.
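The check a practitioner would want to run on such a Restore package is a quick audit of the extracted password file: which accounts still carry 13-character DES crypt hashes, which of them are uid 0, and how small the search space really is. The script below is an added example, not code from the article, from Apple or from the forum threads it cites; the embedded master.passwd sample is constructed, and its hash strings are placeholders of the right shape rather than the real iPhone hashes.

```python
"""Audit a BSD-style master.passwd for traditional DES crypt(3) hashes.

Added example, not code from the article, from Apple or from the forum
threads it cites.  SAMPLE_MASTER_PASSWD below is constructed: the 13-char
hash strings are placeholders of the right shape, not the real iPhone hashes.
"""
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$...  (1 = MD5-crypt, 5/6 = SHA-crypt, 2a/2b = bcrypt).
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$")
SCHEME_NAMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt",
                "5": "sha256-crypt", "6": "sha512-crypt"}

# Constructed sample in BSD master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
# constructed sample, hashes are placeholders
root:abJnggxhB/yWI:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:cdQ9vR2mLp.Kk:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
_sshd:$6$saltsaltsalt$placeholderhashvalue:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false
"""


def classify_hash(field):
    """Name the hashing scheme a password-file field uses."""
    if field in ("", "*", "!", "*LK*"):
        return "locked"
    if DES_CRYPT_RE.match(field):
        return "des-crypt"
    m = MCF_RE.match(field)
    if m:
        return SCHEME_NAMES.get(m.group(1), "mcf-" + m.group(1))
    return "unknown"


def parse_master_passwd(text):
    """Yield (user, hash_field, uid) for every non-comment entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue          # malformed entry: skip rather than guess
        yield fields[0], fields[1], int(fields[2])


def des_crypt_keyspace(charset_size=95):
    """Number of distinct passwords DES crypt can tell apart for a given
    character set: only the first eight characters count, so longer
    passwords add nothing to the search space."""
    return sum(charset_size ** length for length in range(1, 9))


def audit(text):
    """Return (user, scheme, severity) for every account a cracker would
    target first: DES-crypt hashes, with uid 0 rated HIGH."""
    findings = []
    for user, pw_hash, uid in parse_master_passwd(text):
        scheme = classify_hash(pw_hash)
        if scheme == "des-crypt":
            findings.append((user, scheme, "HIGH" if uid == 0 else "MEDIUM"))
        elif scheme == "unknown":
            findings.append((user, scheme, "INFO"))
    return findings


if __name__ == "__main__":
    for user, scheme, severity in audit(SAMPLE_MASTER_PASSWD):
        print(f"{severity:6} {user:8} {scheme}")
    print(f"DES crypt keyspace (printable ASCII): {des_crypt_keyspace():,}")
```

The flagged entries are exactly the ones to hand to John the Ripper, which detects 13-character hashes of this shape as its "descrypt" format; the keyspace figure is why a six-character word like "alpine" falls in seconds, and why even a long password buys nothing beyond its first eight characters under this scheme.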
Not much use can be made of the passwords at present, since apart from the still barely documented bug in Safari there is no way to access the iPhone directly. However, it may only be a question of time before another hole is discovered that allows root access: analyses have shown that almost all applications on the iPhone run with root rights, so a code-execution bug in any one of them would hand over the whole device. Hackers may also succeed in installing their own applications on the iPhone by manipulating the Restore package.
Meanwhile, other users are attempting to improve the usability of the iPhone. There is a tailor-made web shell for reaching servers from the iPhone, Ajaxterm iPhone: users can open a server in the Safari browser and enter and run commands in a shell. WebShell adapts to the iPhone's limited input features to make working in the shell easier.
- Our first iPhone bugs, blog post from Errata Security
- iPhone OS System Restore Image, thread on hackint0sh.org
- iPhone Root Password Cracked, thread on hackint0sh.org
- iPhone security settings, analysis by Xeno Kovah