Hacking The iPhoneGroup 17

Shelby Allen

Richard Denney

Outline Introduction Lab goals Procedure Results Conclusions Defenses References

Introduction Proliferation of mobile devices Popularity of iPhone Soon-to-be released SDK

Lab Goals Show that the iPhone, and by extension all

future mobile devices, are locked away computers and so they should be given the same security precautions as a computer.

Procedure Buffer overflow Copy and edit disk image Install SSH Copy files

Results Installer

Community sources Easy install Easy update

Results MobileFinder

Explore file system Fully functional

Results MobileFinder

Explore file system Fully functional

Results Term-vt100

Terminal that won’t go away

Partial functionality expandable

Results Sysinfo

Task Manager equiv. Can kill processes All processes ran as

root

Conclusions A computer in a mobile device’s body The default user is the only user – root Serious vulnerabilities

Default user name and password All programs ran as root

A vulnerability in any program compromises the entire system

Buffer overflow

Defenses Change user name and password Download newest firmware Same practices as a computer Lobby for better security

Lab Structure Student will:

Jailbreak iPod Touch Load custom applications Explore architecture Evaluate device security

References For more information on iPod/iPhone hacking,

visit: Instruction guide to hacking iPod Touch

http://forums.macrumors.com/showthread.php?p=4308881&nojs=1

Installer.app Homepage http://iphone.nullriver.com/beta/

Ipod Touch hacking wiki http://www.touchdev.net/wiki/Main_Page

Iphone security evaluation by consulting firm http://www.securityevaluators.com/iphone/

Questions?