iPhone Jailbreak Modified Into CC Sniffing Malware

chicksdaddy writes "In a presentation at the ToorCon Hacking Conference in San Diego on Saturday, Eric Monti, a Senior Researcher at Trustwave's Spider Labs, demonstrated how to turn the popular JailbreakMe Tool for iPhones and iPads into stealthy rootkit-style malware that can monitor voice and video activity or intercept sensitive data, such as credit card magnetic stripe data from an iPhone-based transaction."

Re:Yay!

It's a trojan, not a virus. The iPhone can't get infected by simply browsing to a website. You have to manually install it.

In my book, it's just another tool for Apple's marketing department: don't use jailbreaking tools, they're trojans that will steal your personal information!

Re:How much was he paid

[jo_ham]

Good God. Is the level of Apple hate so high that this has to be twisted into some sort of conspiracy about Apple?

Of all places, slashdot should be the sort of place that understands the nature of security exploits - which is exactly what the jailbreak takes advantage of. Colour me *utterly unsurprised* that the same exploit (and any tools created to make use of it) can be changed to do things that you really don't want.

Apple has nothing to do with this (apart from shipping software with a security flaw, but they are not unique in that respect).

This is trolling of the worst sort

[stecker]

Yes, and Adobe Photoshop could be modified to become a program that indoctrinates me in Marxist philosophy. What's the point? That a user installing an application needs to trust its source? This has been true ever since there has been third party software.

Shame on Slashdot for pushing this.

Fluff piece.

[Bill_the_Engineer]

The researcher took the obvious step of adding malware code to a jail break program. While the article reports that the Jailbreak app will lead the way for more malware, it also stated this which contradicts:

The program is harmless and the vulnerabilities in question were patched by Apple in early August. However, Monti warns that more and more high value applications on the iPhone will increase the attractiveness of the platform for malicious parties, including banking and e-commerce.

Emphasis mine.

Also the "more and more high value" application line warrants a "no shit sherlock". Willie Sutton robbed banks because that was where the money was.

Basically this just shows that you need to know the risks before you jailbreak your phone. This is true for any phone OS, since jailbreak is a political term for rooting. Check the source (as in where you downloaded) and compare the binary with a known reliable hash (eg. MD5, etc). When you leave the comforts of the installed ROM, you need to be more vigilant about your security.

Re:How much was he paid

[Yvan256]

I bet that most people using JailbreakMe or other variants don't realize they could be installing malware. They just want to install non-approved software or in most cases pirated software and heard about jailbreaking.

I've actually had someone reply to me that "there's no mention of anything else than jailbreaking on the webpage of the hack, and I'm not important enough for people to spy on me anyway". Most people don't understand technology and will believe what they are told, good or bad.

Just because Slashdot readers understand technology doesn't mean regular users do. Just two days ago I was discussing with someone in his 70's how "the blue E" wasn't the internet and how Wikipedia wasn't an competitor to Google Chrome.

Hell, the OLF (Office de la langue française) wants people to say "Sites internet" instead of "Sites Web" because web is an english word, even though internet is the network itself and isn't limited to the Web. If even official channels are messing up terms, how is the general public supposed to clearly understand the concepts? It's no wonder we still have people who think the "blue E" is the internet itself.

Re:How much was he paid

[dreamt]

I would take it a step further. You are inherently installing malware when using jailbreak/rooting tools. The fact that you are intentionally using and benefiting from the malware doesn't mean it isn't malware.

It's not about hatred.

I don't think it's about people like the GP "hating" Apple. It's more like a complete lack of trust in Apple.

These days, Apple is doing things that even Microsoft never stooped to doing. Microsoft never limited which programming languages developers could write applications in, for instance. In fact, with .NET, Microsoft has gone a long way towards vastly increasing the number of languages that can be used to create Windows applications.

Then there are rumors about hidden APIs that Apple won't share with other developers, which is something that Microsoft was also accused of doing.

Of course, then there are the numerous incidents with perfectly legitimate applications being rejected from the app store without any valid reason. The whole review process itself and the conditions associated with it are quite terrible. The whole process is about treating developers like shit.

So it's easy to see how people may distrust Apple so much that they might even believe Apple is involved in shady practices designed to make Apple's claims stronger. If this is indeed the case, I would like to see more evidence to support the allegations made by people like the GP, but at least try to see where people like the GP are coming from.

Re:It's not about hatred.

[RazorSharp]

These days, Apple is doing things that even Microsoft never stooped to doing.

I've seen many comments similar to this one recently and I just don't understand it. Look at how MS funneled money into SCO to attack Linux, how they strong-armed Novell into a "licensing agreement," how they pressured governments into making OOXML a standard, or intentionally selling defective XB360s. Those are things that Apple never stooped to doing, and that's just recent history. Halloween document anyone?

Apple retaining tight control over the Mac platform isn't stooping to anything. It's what they've always done and will continue to do, much to their users' delight. Why should Apple change their business model to appease geeks who won't buy their products anyway? It doesn't matter what Apple does, people who hate Apple will never buy their products. Why should they change because of disdain from non-customers?

Microsoft has, throughout the years, continuously engaged in unethical business methods. I challenge you to cite one case of Apple doing anything unethical that Microsoft "never stooped to doing." There is no moral imperative that requires software to be open and free. I can think of many economic and technical arguments for open and free, but no moral ones. It's morally wrong to sell a product you know won't last more than six months with just average usage because you're ripping people off (don't give me that warranty crap -- it was extended because the math declared it necessary). It's morally wrong to extort people (Novell, SCO). It's morally wrong (at least in most cases) to lie (everything associated with OOXML was a pack of lies). To the best of my knowledge Apple doesn't exploit, extort, or engage in dishonest business practices. And even if an instance or two can be found, it hasn't been their business model since the company was founded. So how exactly are they stooping below MS?

Re:It's not about hatred.

They both use their positions to bully 3rd parties and competitors. I don't see how one is any better than the other. Apple also has a habit (not that Microsoft doesn't) of getting patents on stuff that they know they didn't actually invent, then suing the bejesus out of everyone else (multi touch anyone?) including the original inventors. How is that ethical? Sorry, Apple is the new MS. Live with it.

Re:It's not about hatred.

[vadim_t]

I've seen many comments similar to this one recently and I just don't understand it. Look at how MS funneled money into SCO to attack Linux, how they strong-armed Novell into a "licensing agreement," how they pressured governments into making OOXML a standard, or intentionally selling defective XB360s. Those are things that Apple never stooped to doing, and that's just recent history. Halloween document anyone?

The GP's statement is correct though. Apple does annoying things MS doesn't. But both companies annoy me, and I avoid dealing with them, just for different reasons. Just that Apple doesn't fund SCO, or that MS doesn't control their hardware with an iron fist doesn't make either company automatically awesome in my eyes.

Apple retaining tight control over the Mac platform isn't stooping to anything. It's what they've always done and will continue to do, much to their users' delight. Why should Apple change their business model to appease geeks who won't buy their products anyway?

So that we buy their products, of course.

It doesn't matter what Apple does, people who hate Apple will never buy their products.

That's a mistake. I don't dislike Apple because it's Apple. I dislike Apple because of what Apple currently does. If they change what they do, I might change my mind. It's simple.

I change my mind on companies. Years back, in my mind, "Blizzard" equated with "awesome". These days it equates with "no way I'm paying". It could change back if they started making stuff I'd be willing to buy again.

Why should they change because of disdain from non-customers?

Because this non-customer could be a customer if they made something I like.

Re:It's not about hatred.

[Kilrah_il]

Thanks for the post. I wanted to say something to the same effect, but you beat me to the punch. Anyhow, people here just don't understand that Apple (under Jobs) has always believed in controlling every aspect of its ecosystem (Citation). The only time the MacOS was licensed was when Jobs wasn't in Apple, and that was their worst years.
People love Apple's products because they are easy to use from the get-go and part of that ease of use comes from controlling both the hardware and the software completely (or as much as possible). Yes, we geeks like it less, but we are not the main customers. Catering to us will bring about an OS that may be more powerful, but not as easy to use out of the box - I'm looking at you Linux.
So, yes, some of the people at /. (can I say "the guys" or do we have representatives of the fair sex here also?) don't like Apple for their strong-armed tactics, but these are the same tactics that brought about the products that so many people like. Face it, we are a minority.

And to think...

If Apple would just sell the thing SIM unlocked and with sideloading of apps, this wouldn't be a problem!

Heaven forbid Apple actually be forced to sell the thing on its merits and not have to resort to anti-competitive nonsense.

Re:How much was he paid

Slashdot dislikes microsoft's practices -- normal
Slashdot dislikes sony's practices -- normal
Slashdot dislikes ea's practices -- normal
Slashdot dislikes blizzard's practices -- normal
Slashdot dislikes riaa's practices -- normal
Slashdot dislikes mpaa's practices -- normal ...
Slashdot dislikes apple's practices -- OMG SOMETHING FISHY IS GOING ON IT HAS NOTHING TO DO WITH MY OWN BIASED VIEWPOINT OF THE COMPANY

iPhone2G are easy target

[Rastignac]

Apple stopped firmware updates for iPhone2G (edge). It is blocked at iOS313, forever.
So, iPhone2G misses a lot of security updates. The old edge iPhone is really full of holes.
And nobody will secure it.
Steve, please, help !!

Re:iPhone2G are easy target

[Arthur+Grumbine]

Apple stopped firmware updates for iPhone2G (edge). It is blocked at iOS313, forever.
So, iPhone2G misses a lot of security updates. The old edge iPhone is really full of holes.
And nobody will secure it.
Steve, please, help !!

You appear to have not purchased a new iPhone in over two whole years. I don't know what backwoods, 3rd world nation you come from that you expect the most expensive phone you've ever purchased to last more than two years, but you are obviously not our target demographic. Thank you for your money, and please return to us when you are willing to follow our clearly laid out expectations for making new purchases/upgrades.
Cheers!
Steve J.

Re:That sounds about right

[melikamp]

Rooting an iPhone does not give you full control over the device. At best, you get to run your code with the highest privilege, but you are still stuck with an opaque proprietary OS that will spy on you around the clock. No amount of rooting will help you to get rid of malicious "features" programmed by Apple itself.

Re:Yay!

And even better, there are some 6 million non-upgradable first-generation iPhones that are now a botnet waiting to happen.

We don't expect new features for such old phones, but we do expect you to not stop putting out security fixes after barely three years. Hell, even Microsoft is more serious about security. Fuck you, Steve.

Re:Giving Apple an excuse to kill jailbreaking

[ekhben]

I will applaud Apple for closing any hole used to jailbreak without a USB cable involved, whether it gets to malware stage or not.

Apple seem to respond faster to these sorts of vulnerabilities than they do to ones that are only usable if you have physical control over the device, so I don't think there's any cause for concern that Apple will step up their counter-jailbreak programme if theoretical attacks become reality.

Knowing your risks or your audience?

[swb]

I'd wager that for most people, there's no reliable way to "check your source" for most apps offering "something for nothing" (ie, cracks, rooting, jailbreaking, etc). Many are written by anonymous entities and distributed diffusely to avoid the wrath of whoever produces the device they're trying to circumvent. In some instances there's a reliable distributor, but in many cases not.

But I also wonder if going after a jailbeak app as a target they might be going after the right audience -- people willing to take a risk to get more than they paid for (running "unapproved" apps) or to get something for nothing (iPhone without AT&T contract).

Re:The "web browser" jailbreak only worked on iOS

[gl4ss]

jailbreakme works on firmwares up to 4.0.1

so you were wrong in your assumption - that the web browser gets hacked shouldn't grant you full root powers, but it does. and ironically for the older devices you need to jailbreak to close that hole or risk being jailbreaked by random sites you visit.