August 1, 2013 | 6
Search Apple’s app Store for iPhone or iPad antivirus software and you’ll find only a handful of security programs designed to defend these iOS devices from malicious software (malware). The search is just as likely to turn up game titles such as “OperationAntiVirus” and “AntiViral Lite,” in which you pretend to rid fictitious computers of intruders.
There’s a reason this software is so missing: Until now Apple’s mobile gadgets have yet to face a serious security threat. The iPhone and iPad are not immune to viruses, but Apple’s stringent app vetting process, the devices’ architecture—which partitions, or “sandboxes,” code to protect it—and relatively low demand for mobile malware (compared to PCs anyway) among cyber attackers have helped iOS fly under the radar of cyber attackers.
No longer. Apple has crept a little closer to the crosshairs thanks to two new research papers. One was presented this week at the annual Black Hat cybersecurity conference in Las Vegas. A second will be unveiled in mid August at the 2013 USENIX Security Symposium in Washington, D.C. Researchers from the Georgia Tech Information Security Center (GTISC) have written both papers, and they are using the shows to describe two different ways of exploiting flaws in Apple security and infecting an iPhone with viruses.
Such research has become common in recent years as so-called “white-hat” academic and corporate researchers hack away at computer systems to find security flaws before the bad guys do. Common practice is to alert the maker of the targeted hardware or software before publicly disclosing any problems, providing a reasonable amount of lead-time so the vulnerabilities can be fixed before any malicious attackers come calling.
One iOS attack is an end run around Apple’s mandatory app review process, which the company established to ensure that only approved apps run on iOS devices. Georgia Tech research scientist Tielei Wang and his colleagues discovered they could install malware onto iOS devices via a Trojan Horse-style attack that disguises malicious code that Apple would otherwise reject during the review. Once inside Troy—or in this case someone’s iPhone or iPad—the app, nicknamed “Jekyll,” lies dormant until an attacker remotely sends a signal instructing it to misbehave, posting tweets, taking photos, sending e-mail and SMS messages, and attacking other apps, according to the researchers. Any of these modes of communication could be used to divulge sensitive information stored on the device, including passwords and PINs.
For the other attack, Georgia Tech research scientist Billy Lau and his team built a phony plug-in charger they used to install malware onto iOS devices. They called this charger a “Mactans”—named after a type of black widow spider—and designed it to resemble a normal iPhone or iPad charger.
The researchers say they contacted Apple about their work in advance of the Black Hat and USENIX presentations, prompting the company to implement a feature in iOS 7 that defends against a Mactans-like attack by notifying users when they plug their mobile device into any peripheral that attempts to establish a data connection. Apple has yet to publicly release a way to counter Jekyll, the researchers add.
Audacious cybersecurity demos are nothing new—Microsoft, Cisco and other tech giants have suffered through years of their most popular products being publicly dissected during Black Hat presentations. What makes the attacks on smartphones and tablets more disturbing is the general lack of protection these devices have.
“There’s not much, security-wise, that antivirus apps provide because of the way the phone is architected,” says Charlie Miller, a security engineer at Twitter who is best known for testing mobile-device security when he was a principal analyst with Independent Security Evaluators. “On your PC, the reason your antivirus works is that it has access to everything—it can search for malware at the lowest levels in your computer. On my Android or iPhone, when you download an antivirus app, due to sandboxing there are limits to what it can do. So it turns out it can’t scan the entire device.”
Sandboxing is how Apple partitions iOS so a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device. As a result, iOS antivirus could neither scan the memory nor the file systems of other apps on a device, Lau says. Antivirus software on iOS, if available, would be “completely useless” in detecting the type of malware installed by Mactans and, likely, against something like Jekyll, he adds.
Mobile devices using Google’s Android operating system more compatible with the current, PC-based approach to antivirus, where they have access to more system resources, says Con Mallon, senior director of mobile product management at security software maker Symantec.
Antivirus apps running on Android can scan more of their respective devices than those running on iOS, Lau acknowledges. But, he adds, they still don’t fully protect users.