I've read lots of articles about hacking the iPhone lately. They're mostly focused on exploring the hardware, circumventing the intended activation process, or putting new software on the device. That's nice, and I like to see a technological marvel smashed open with a hammer just as much as the next geek, but I'm more interested in how the iPhone changes the balance of power when it comes to security.
Small items first: There are a few minor application issues that make a phisher's job easier. For instance, the email client does not display the URL you're going to visit when you click on a link, so a phisher can send out spam that says Click here to go to PayPal and point the link to http://paypal.fakesite.ro, and there's no way to know what's going to happen until you click. Once you do click, the browser displays only the first 20 or so characters of the URL, so its easy to hide a big gnarly cross-site scripting attack without arousing any suspicion. Alternatively, the phishing site can use JavaScript to scroll the URL bar out of site. (See Joe Hewitt's writeup.) I expect issues like these will be addressed soon enough, just as they've been with all of the major desktop mail clients and Web browsers.
Much more interesting is the way the iPhone connects the Web browser and the phone. As the author of a Web site, you can embed a telephone number in a web page like this:
<a id="phone_home" href="tel:1-900-867-5309">call me!</a>
You can also write JavaScript that causes the iPhone to initiate the dialing process:
<script>
window.document.url = "tel:1-900-867-5309"
</script>
When that code runs, the user will be prompted "1-900-867-5309 (call) (cancel)". If the user accepts, the phone dials. Now you can turn phishing into money faster than ever before because the payload is the product: victims dial a 900 number, and the money starts rolling in. By the way, setting up a 900 number is easy.
Alternatively, use a cross-site scripting vulnerability to have a banking Web site initiate a call to a fake technical support number. What's the first thing the fake support rep asks for? Your account information of course! After all, you called them, so they need to "confirm your identity". Once again, an old scam gets new legs with a little help from the latest technology, and once again the ante on cross-site scripting goes up.
I expect two things will happen in coming year:
1) We'll learn about more cute tricks that web applications can use to look more like native iPhone applications and to interface with the iPhone and allow access to things like contacts, photos, and maybe even the phone's physical location. All of these features will expand the horizons of enterprising attackers.
2) All of the other handset makers in the world will begin to deliver their response to the iPhone. At that point, they will all have been working around the clock in panic mode for the better part of a year, and the devices will contain a treasure trove of security vulnerabilities that make the iPhone look like Fort Knox. After all, Apple got plenty of things right: at least you have to confirm before the phone dials.
Comments (4)
with URL links, you can click & hold on the link. iPhone will popup a window that shows (most of) the underlying URL. You can confirm the domain, and tail of the link at least.
Posted by Jim Main | July 18, 2007 11:36 AM
Posted on July 18, 2007 11:36
Surely this problem is far worse in other mobile phones (including the Blackberry) in which the URL is not displayed on the browser page at all?
Posted by R Cross | July 20, 2007 4:40 AM
Posted on July 20, 2007 04:40
Annoyingly enough, the impoverished browsers on devices like the Blackberry actually offer a form of protection. Because of their limited ability to display web pages, they limit an attacker's options. Further, people don't try to use them the same way they'd use a regular browser. The iPhone changes things by promising a full-fledged browser. The iPhone also does something that other devices don't, (or at least they don't tout), and that's integrate the Web browser and the phone.
As I said in the original post, the iPhone could be much worse than it is with respect to security. I fully expect that other vendors will come along with products that prove my point.
Posted by Brian Chess | July 20, 2007 5:34 PM
Posted on July 20, 2007 17:34
The integration of the web browser to the iPhone brings additional security concerns beyond phishing, opening up the iPhone (and other smartphones that follow this model) to threats from viruses and other forms of malware. There are currently 300 mobile virus variants in the world, and in Europe 1 percent of all SMS traffic is spam. Obviously, the overall benefits for individuals and businesses from accessing the internet via a mobile device outweigh the risks. The immediate solution is for people to be aware of security vulnerabilities on mobile devices, and the ultimate solution will come from controls on the mobile operator network level.
Posted by Lorcan Burke, AdaptiveMobile | August 9, 2007 8:55 AM
Posted on August 9, 2007 08:55