The Register® — Biting the hand that feeds IT

Feeds

iPad and smartphone rootkits demo'd by boffins

Computing boffins say they have demonstrated rootkits which can be used to turn your smartphone or "upcoming tablet computer" into a remotely-activated bugging or tracking system. “Smart phones are essentially becoming regular computers,” says Vinod Ganapathy, computing prof at Rutgers uni in New Jersey. “They run the same class …

This topic is closed for new posts.
James 47
FAIL

J'Accuse!

So, what are they really saying here? They managed to run a rootkit on any smartphone, or just those that are Linux based?

What about Symbian?

Thought not.

Blain Hamon
Grenade
Reply Icon

Someone hasn't heard of Google

http://www.google.com/search?q=symbian+rootkit

Not only are there rootkits, trojans, and virus, but there's even anti-virus for Symbian dating back to 2006 or before.

Security by obscurity doesn't work. Not on Linux, not on Symbian, not on iPhone, not on Windows Mobile (or whatever they're calling it this week).

Bilgepipe
FAIL

"Upcoming Tablet Computer"

So they've installed a rootkit on a tablet computer no-one has access to?

“They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malware.”

Not necessarily - one does not follow on from the other. I sense scaremongering, and perhaps a teensie bit of attention-seeking.

mantle
Reply Icon

Sowing the seed ..

What is the purpose of this PSA? There is money to made by being the first University to openly demonstrate and warn the public of the potential security risk to these PDAs. As more businesses shift their attention to these PDAs to conduct commerce, they will soon realize they will need a better security frame-work. These corporate titans will march to their respective government officials to fund a research/project to better secure these systems. Governments usually go to their universities for research related activities ..

Well, guess which university is going to be on the top of that list ?

Jeremy Chappell
Happy

iPad?

Err, iPad? Where the hell is the iPad? The researcher uses an iPhone to send the message - that phone ISN'T infected. Where did you get the headline from?

This is EXACTLY why Apple run the security model they do. An iPhone (or iPad) can't run more than one application at a time (this is a choice - the hardware or OS could do this - Apple have chosen not to allow it) so if you get some app running that does "bad stuff" it stops doing "bad stuff" as soon as you hit the home key. Such an attack can't happen on an iPhone.

Of course, if you jail break the phone - well then you get the ability to infect it. Don't want that, then don't jailbreak it. Interestingly Microsoft's new Windows Phone 7 Series takes exactly the same approach as the iPhone (or iPad).

Anonymous Coward
FAIL
Reply Icon

@ iPad?

of course the whole point of a rootkit would be that it would run under the OS the one app limit wouldn't apply as the OS wouldn't even be aware of the running rootkit.

Anonymous Coward
FAIL
Reply Icon

one app limit

The iPhone is perfectly capable of running multiple processes/apps at a time by default - how do you think the music keeps playing when the web browser's running?

Apple blocks multiple apps by telling dev's they can't do it and not allowing access to the APIs needed, not by any actual 'physical' limitation.

A model such as Symbian's - only signed apps can access sensitive stuff etc. is far more secure.

Jeremy Chappell
Happy
Reply Icon

Attack surface

Where's the attack surface? How does the rootkit get in? All iPhone apps are run in process isolated sandboxes, the environment isn't rich enough for malware. We've seen exactly zero rootkit infections on the iPhone (unless it's jailbreaked - there have been a limited number of those).

Anonymous Coward
Stop

Shock news - sun rises in the morning, sets in the evening

"In general, mobile experts hold that such malware must be inserted into a phone by gaining physical access to it, or perhaps by traditional victim-operated means such as email attachments, bluetooth transfers etc. Remotely inserting malware via a mobile voice or data link without cooperation by the phone user is said by most experts to be impossible, and certainly Ganapathy, Iftode and their crew demonstrated no such capability."

Nothing to see here then?

Good news for iPhone users - until the day Apple start allowing rootkits on the app store.

Michael C
Dead Vulture
Reply Icon

Exactly

So the idea is, that if someone theoretically gets past the FIRST hurdle (actually getting a root kit on your phone without first stealing it), then it;s possible that if it was running (can't run in the background), it might respond to a signal that the carried already blocks in their network (blank or malformed SMS messages), and even then they'd have to know your phone number.

Yea, nothing to see here... The author knew it had "Apple" and iPhone" in the title, so we knew we'd get advertising hits, and they threw in iPad for good measure even though the article didn't mention it (since the attack vector is SMS, which the iPad doesn't have support for!!!)

Robert Carnegie

Smartphone rootkits are scary. Good job they don't exist.

Like Daleks. They're scary too.

Look, this story is NOTHING. You're just exercising your fingers across a keyboard.

Furthermore, on a real-life phone, off is OFF. The thing is dead and can't be activated except by pressing the button or, maybe, some fantastic induced electric current that makes it -think- you pressed the button. And that isn't really possible.

As for rumours about how the U.S. assassinates its enemies, there's about as much real information content there as there is when France, Israel or Russia does it.

I want three minutes of my life back. Including this one.

Ross 7
Reply Icon

Ummm no

Soft off is not hard off. Unless you take the battery out of your phone or hardwire a hard off switch between the battery and phone then off is most definitely not off. It's in standby.

My phone has an annoying habit of lighting up like a Christmas tree for a second or so at midnight and 14:00 when it is turned off.

The GSM standards aren't terribly open so it's more than possible that remote network activation is possible at the request of various governments.

Anonymous Coward
Black Helicopters
Reply Icon

Off is not Off

Most phones these days will turn on if you have an alarm set... my WinMo phone does it, and so did the Motorola, Nokia, NEC and LG phones I've had in the past.

As for the features of the rootkits mentioned in this article, they sound like a great idea for phone security...

- enable you to track your mobile if it's stolen.

- enable you to listen in on the thief

- turn on the camera so you can see the thief (if they don't currently have it in their pocket)

- email out any new files they've created (pictures, movies etc)

- delete your personal data off the phone (which was all encrypted right).

- make it turn on at specified times

- turn the speaker volume up or done (all sorts of mischief could be had with this).

I can think of plenty other cool features too, but I think I'll keep them to myself for if I ever get access to the source for a phone rootkit ;)

Anonymous Coward
Stop

Smartphone OS != Desktop OS

I don't see how this is relevant to running any kind of malware on a current model of smartphone. Most operating systems found on these devices are heavily edited to allow them to run on this hardware in the first place.

Never mind the fact that they are using OpenMoko releases of Linux (unrelated to iPhone, Symbian, Android et al) to showcase this in the video, this is so far off happening it's unreal.

DZ-Jay

Extra! Extra!

SHOCK! HORROR!

An already compromised mobile device could be used to, er, compromise it even more!

News at 11.

-dZ.

Neal 5

ring 0 on a mobile?

If you are saying smartphone OS's are equivalent to desktop OS's which in themselves arn't too far removed from server OS's then this should help you understand what a rootkit is, and thence understanding why it isn't totally unfeasible to root a smartphone.

However, I should think some intrepid security firm like *hmmmmm* Symantec or such will offer protection against this, at a price of course.

The below is a long read for those of you who struggle to read one page of El Reg correctly.

http://www.securityfocus.com/columnists/402

chr0m4t1c
Thumb Down
Reply Icon

That horse has already bolted.

>.However, I should think some intrepid security firm like *hmmmmm* Symantec or such will offer

>protection against this, at a price of course.

Symantec already offer it:

http://www.symantec.com/business/mobile-security-for-symbian

Came free for 3 months with my original N95. In return for protecting me against the one piece of malware in the wild it slowed the phone to about a tenth of it's normal speed and drained the battery in about half a day.

In addition, you had to perform a factory reset of the phone to remove it.

Not surprisingly on balance I decided to live with the risk, fortunately you could delete the installer so I also managed to steer clear of the risk of accidentally re-installing it. Never again.

amanfromMars 1

Real Common Sense

In those such cases, Lewis, it is Always Best to Helping the Good Guys and Gals.

Robert Carnegie

@ Jeremy Chapell iPad is the reassuringly expensive "upcoming tablet computer".

Obviously.

Jeremy Chappell
Reply Icon

Expensive?

Is $500 expensive? Really?

DZ-Jay

Re: ring 0 on a mobile?

@Neal 5:

If you read the article once more, you'll realize that the claims are not that the devices can be "rooted", but that assuming they already are, they could be used to track down or compromise its owner.

The "experts" then go on to acknowledge that physical access to the device would likely be required to "root" it first. However, the shock (SHOCK!!!) and concern of this particular vulnerability, as presented by these experts, is the volatile potential of an already rooted device.

So then tell me, what else is new? It's like announcing with horror and dismay that a loaded gun, in the hands of an unstable user, could be used not only to threaten and harm people, but to murder children and the elderly as well.

-dZ.

Michael C
FAIL

Lemme get this straight...

We've identified a risk that:

should someone get a root kit onto your iPhone OS device (which requires physical access, or doing something dumb like running open SSH without a unique password),

then someone could send a custom formatted text message like a blank message (which AT&T knows about and openly blocks malformed messages used for such, so the signal would have to come from a hacked SMS transmitter, not the carrier network itself),

for which they'd need to know your phone number in the first place, and have a server/deviec ready to receive the call, so obviously this isn't useful for a mass hack or botnet,

they could make your phone do simple thing like place a call (which could be traced, and which would show up in logs and call history), or enable background hardware (without a foreground app? this is at best a theory and has yet to be demonstrated as even possible).

So, if I let someone hack my device, have not synced it recently with a PC (firmware version check), someone knows my number, and sends a signal through another hacked device, then they can possibly drain my battery, or have the device make a call or send data to a traceable system. Gee, sounds like a horrible risk to me, especially since the only part demonstrated is getting a manually rootkitted device to respond to a simple signal, but they didn't actually do anything with the firmware outside of that because even still, the root kit itself is limited to the proper use of Apple's internal function calls and security model, and everything else, including how to actually get a rootkit in there in the first place, is still a thory?

Neal 5

@DZ-Jay

I fully agree, there is no shock and horror in the story, unfortunately, everone has become so overwhelmed by the plethora of these horror stories that they fail to scare anymore.

The point I was trying to make was that it doesn't matter what the OS is, it can be rooted, it doesn't matter what the device is, it can be rooted.

It isn't the story itself that merits concern, but the fact that this type of story is still considered newsworthy. By itself it may not be common, but of it's genre it is as rare as, well dog poop.

Too many comments lacking surprise already, perhaps that's a good indication of the shock and awe these stories now invoke.

Anonymous Coward
Anonymous Coward

Hmmm....

So this is the modern version of the infinity transmitter, then? Old news.

mafoo

Old problem

I think it turned out half the mobile phones in the UN had this kind of exploit installed on them, and that was a good 6 years ago.

Nokia's were a particular favourite of hackers turning mobiles into baby/diplomat monitors.

Lou Gosselin

Root access

Any phones which support remote updates can theoretically be remotely exploited. An update mechanism is effectively a back door into "ring 0".

It's not a stretch to believe that the manufacturer/provider have the ability to target a specific phone (or any other device for that matter) with a root kit.

If the military uses this technique, I wonder if they possess the authentication keys themselves or ask for the assistance of manufacturers each time?

Unus Radix
Headmaster
Reply Icon

Nitpick

ring 0 :

The term for Intel (tm) processors for a CPU mode with full access to the machine. "Supervisor mode" might be a more general term. Most importantly this means the control of the protection mechanisms (e.g. page tables) themselves.

root access :

Unix concept for when your (E)UID == 0 in which case, basically, access is granted directly, omitting regular checks.

Note that Unix can run on hardware with no proper supervisor mode / HW protection, e.g. Minix & embedded Linux versions. It is argueable whether these are real Unixes, but at least this should demonstrate that the concepts, in themselves, are distinct.

Lou Gosselin
Reply Icon

@Nitpick

You're absolutely right of course, it just got mixed up in parlance.

The firmware updater, which would likely run with root permissions, is able to update the bootloader which runs in "ring 0". For the purposes of installing trojans, root access is probably sufficient.

ian 22
Jobs Horns

Fanbois beware!

The Taliban are HUGE iPhone fanbois! They are truly doomed if this article is to be believed.

Death comes by remote control.

DZ-Jay

@Neal5

>> The point I was trying to make was that it doesn't matter what the OS is, it can be rooted, it doesn't matter what the device is, it can be rooted.

Given infinite resources and infinited time, perhaps. There are practical design, implementation, environmental, and other factors that mitigate the risks and an attack.

Sometimes it may be easier, more practical, and cheaper to just bang the user over the head with a mallot than to try to subvert his mobile device.

-dZ.

Lionel Baden
Heart

Hah my windows phone is Immune !!

I flash the Rom so often Nothing has a chance to survive

Oh god im such a geek ......

/selfconfesion

Robert Carnegie

$500 is expensive for a big phone that you can't use as a phone.

The phrase is explained at http://en.wikipedia.org/wiki/Reassuringly_Expensive - it's an advertising slogan (not Apple's).

It's a bit expensive for a media player. It's comparable to the price of a fully capable netbook PC.

Outcome will depend on how much people enjoy the touchscreen experience, I think.

JaitcH
Heart

I love my Mitsubishi more and more

The most comfortable telephone I have is a 6-year old Mitsubishi (made in France) that fits my hand like a glove, only makes calls and some basic WAP features.

It can't be tracked, can't be hacked and when I switch it - it stays off.

This topic is closed for new posts.