Hackers Crack the iPhone, and AntiVirus Software Won’t Help

The views expressed are those of the author and are not necessarily those of Scientific American.


Image courtesy of Apple Inc.

Search Apple’s App Store for iPhone or iPad antivirus software and you’ll find only a handful of security programs designed to defend these iOS devices from malicious software (malware). The search is just as likely to turn up game titles such as “OperationAntiVirus” and “AntiViral Lite,” in which you pretend to rid fictitious computers of intruders.

There’s a reason this software is so scarce: Until now Apple’s mobile gadgets have yet to face a serious security threat. The iPhone and iPad are not immune to viruses, but Apple’s stringent app vetting process, the devices’ architecture (which partitions, or “sandboxes,” code to contain it) and the relatively low demand for mobile malware among cyber attackers (compared with PCs, anyway) have helped iOS fly under their radar.

No longer. Apple has crept a little closer to the crosshairs thanks to two new research papers. One was presented this week at the annual Black Hat cybersecurity conference in Las Vegas. A second will be unveiled in mid-August at the 2013 USENIX Security Symposium in Washington, D.C. Researchers from the Georgia Tech Information Security Center (GTISC) have written both papers, and they are using the shows to describe two different ways of exploiting flaws in Apple security and infecting an iPhone with malware.

Such research has become common in recent years as so-called “white-hat” academic and corporate researchers hack away at computer systems to find security flaws before the bad guys do. Common practice is to alert the maker of the targeted hardware or software before publicly disclosing any problems, providing a reasonable amount of lead-time so the vulnerabilities can be fixed before any malicious attackers come calling.

One iOS attack is an end run around Apple’s mandatory app review process, which the company established to ensure that only approved apps run on iOS devices. Georgia Tech research scientist Tielei Wang and his colleagues discovered they could install malware onto iOS devices via a Trojan Horse-style attack that disguises malicious code that Apple would otherwise reject during the review. Once inside Troy—or in this case someone’s iPhone or iPad—the app, nicknamed “Jekyll,” lies dormant until an attacker remotely sends a signal instructing it to misbehave, posting tweets, taking photos, sending e-mail and SMS messages, and attacking other apps, according to the researchers. Any of these modes of communication could be used to divulge sensitive information stored on the device, including passwords and PINs.

For the other attack, Georgia Tech research scientist Billy Lau and his team built a phony plug-in charger they used to install malware onto iOS devices. They called this charger a “Mactans”—named after a type of black widow spider—and designed it to resemble a normal iPhone or iPad charger.

The researchers say they contacted Apple about their work in advance of the Black Hat and USENIX presentations, prompting the company to implement a feature in iOS 7 that defends against a Mactans-like attack by notifying users when they plug their mobile device into any peripheral that attempts to establish a data connection. Apple has yet to publicly release a way to counter Jekyll, the researchers add.

Audacious cybersecurity demos are nothing new—Microsoft, Cisco and other tech giants have suffered through years of their most popular products being publicly dissected during Black Hat presentations. What makes the attacks on smartphones and tablets more disturbing is the general lack of protection these devices have.

“There’s not much, security-wise, that antivirus apps provide because of the way the phone is architected,” says Charlie Miller, a security engineer at Twitter who is best known for testing mobile-device security when he was a principal analyst with Independent Security Evaluators. “On your PC, the reason your antivirus works is that it has access to everything—it can search for malware at the lowest levels in your computer. On my Android or iPhone, when you download an antivirus app, due to sandboxing there are limits to what it can do. So it turns out it can’t scan the entire device.”

Sandboxing is how Apple partitions iOS so that a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device. As a result, an iOS antivirus app can scan neither the memory nor the file systems of other apps on the device, Lau says. Antivirus software on iOS, if available, would be “completely useless” in detecting the type of malware installed by Mactans and, likely, against something like Jekyll, he adds.

Mobile devices using Google’s Android operating system are more compatible with the current, PC-based approach to antivirus, because antivirus apps there have access to more system resources, says Con Mallon, senior director of mobile product management at security software maker Symantec.

Antivirus apps running on Android can scan more of their respective devices than those running on iOS, Lau acknowledges. But, he adds, they still don’t fully protect users.

About the Author: Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.


Comments (7)

  1. David Cummings 5:31 pm 08/2/2013

    I know it’s not the same thing but still, it strikes me as pathetic and sad that the first comment on this article about hackers is one of these disgusting paycheck spams.

    Give me (and selected others) a delete button. We’ll keep this place clean for you.

    As for the article, my iPhone is an important part of my day. It’s interesting to read how the concept of sandboxing is applied to these devices. Thanks.

  2. HowardB 10:54 am 08/3/2013

    No reporting button for spam anymore ??

  3. HowardB 10:54 am 08/3/2013

    As for the article – it’s meaningless for the ordinary user.

  4. gmperkins 5:56 pm 08/5/2013

    No surprise, security concerns are always the last to be thought about (rather than what all good security books teach: make it part of the design process). They add to cost so managers always decide to put them off until they are needed.

  5. karl 11:36 am 08/9/2013

    gmperkins, sandboxing was a security measure (as far as I get it), because you could only trash your sandbox, but the rest of the phone and its resources and data were safe.
    Security measures are usually thought of or built upon what is already known; hackers work on finding NEW loopholes.
    Anyway, how much of a leap forward is it to have your passwords on a paper in your pocket? Or better yet, in your head, and use some haptic interface to enter the data on the device (something like blinking an eye while tapping your password on the device)?

  6. Kiyan 7:29 am 10/30/2013

    The iPhone is an important device in today’s era, and it is also important to protect it from hackers and malware threats.

  7. iPhone Optimist 11:53 am 12/24/2013

    I don’t know how or why but I’m in deep trouble. Neither my wife nor I have great credit. Nor great jobs. We rent a condo and have 2 old cars that barely run. 4 kids including a 1 year old. However, my iPhone as well as my wife’s, my entire home network, laptop, PC, EVERYTHING was taken over by hackers. We lost all of our information to them (they could easily use our identity at this point), MARRIAGE PHOTOS, ALL THE PHOTOS OF OUR 1 YEAR OLD DAUGHTER, EVERYTHING… I try and try, but I can’t even keep them out of our phones! It’s been 2 months. I’ve changed phones, carriers, SIMs, phone numbers, countless Gmail accounts and Apple IDs, the way I configure my phone, EVERYTHING. Still they persist, and SUCCEED! I was with one carrier and had an iPhone 4S and an iPhone 5; once they were hacked we switched them out at Apple, and a few days later I noticed they were in my diagnostics and usage copying binary images to “pretend” the apps I had were real. After that, Apple was of very little help despite me being an iPhone customer since the iPhone 3, so we switched to Android Galaxy S3s, and within a day I caught 5 VPNs going into my phone giving them complete control over it, eventually locking me out. The only app downloaded was Lookout mobile security. Opened another account with another carrier, this time with an iPhone 5S and 5C, new SIMs, new numbers, new Apple IDs, gave up all my apps, and they STILL found a way to get into my phone. In my usage and diagnostics there are a lot of “this” = “false” and it turns on wifi at will, asks me to turn on GPS features, and I have even gotten into “battles” using swiping motions to get past a fake lockout screen and battle with whomever is trying to control my phone to get them out. The only way to do this seems to be a DFU and start over, but every time I do that they are right back in within a few days.
    I don’t have a Mac, so how can I stop other people from using fake certificates to bypass my iPhone’s security and build a fake springboard, all by some sort of remote? I thought this was only possible through wifi so I stopped using it, but same results. I’ve been through a dozen trips to Apple, AT&T, T-Mobile, and it’s getting to the point where nobody wants to help. I rely on technology heavily. How do I get rid of them?
