Possible bug in Apple's iPhoneUpdated Friday, April 17, 2009 at 4:30 p.m. EST
A possible bug has been identified in Apple's iPhone, according to reports.
Charlie Miller, a well-known hacker and analyst at Independent Security Evaluators in Baltimore told SCMagazineUS.com Friday that he found a way to trick the iPhone into running code that enables shellcode -- which if successfully exploited would enable an attacker to run whatever code they wanted on the phone, according to reports. Miller described the potential bug on Thursday at the Black Hat Europe security conference in Amsterdam.
"This is a technique that would help someone if they wanted to write an exploit for the iPhone," Miller said. "It's not an exploit or vulnerability."
Shellcode, which was previously thought of as incapable of being run on the iPhone, is a piece of code used as the payload in the exploitation of a software vulnerability. It enables access to the entire file system as well as hundreds of different commands, according to Mac security vendor Intego.
To run shellcode, an attacker would first need a working exploit for the iPhone, however, Miller said.
“For now, this is more of a warning than anything else,” Intego spokesman Peter James wrote in a blog post Friday. “Mac OS X can run shellcode -- in fact, many trojan horses exploit this ability -- but this is an inherent part of the operating system. The real issue is exploits that may be able to launch this code on an iPhone, and we're waiting for those to arise.”
Apple did not respond Friday to a request for comment about this potential bug.
In 2007, Miller and a team of consultants from Independent Security Evaluators revealed a buffer overflow vulnerability in the iPhone that could have enabled malware writers to inject malicious code to steal personal information from a user's phone. Apple later patched this vulnerability.
Miller has gained notoriety for cracking other Mac products and winning the CanSecWest's PWN2OWN contest for the past two years. In this year's contest, which was held in March, hackers were challenged to crack web browsers and mobile devices. Miller found a vulnerability in a MacBook running with a fully-patched version of Safari. Though he could not reveal details of the vulnerability, he said it took him 10 seconds to perform the exploit at the contest, though he researched and planned the exploit ahead of time. He won $5,000 and the MacBook he hacked.