iOS security flaw allows PDFs to hijack and compromise an iPhone
Think that the shiny iPhone of yours is safe because Apple said so? Think again: for all you know, that seemingly harmless PDF file you are downloading may be just the thing a hacker needs to gain complete access to the device and ruin your entire day.
Read on to find out more.
Picture this scenario in your head: you are busy downloading a PDF file from a website to satisfy your literary desires. After the download is complete, you load up the file, only to realize that your iPhone has now been completely taken over by a hacker, even though the device had not been jailbroken in any way. The hacker now has the ability to do anything he wants with your iPhone, such as deleting your precious collection of baby pictures and MP3s while you can do nothing about it.
Sounds far-fetched? Apparently not, because the aforementioned scenario is very real, thanks to a security bug which can be found on all versions of iOS higher than 3.1.2. Yes, even the latest iOS 4 is affected by this security flaw.
Now, you might be scratching your head, wondering how such an exploit could have been pulled off. Simply put, it is extremely similar to the jailbreak method we posted a couple of days back: all you have to do is visit a website on the iPhone’s Safari browser. And this is where the fun starts: the site would then attempt to load a PDF file which contains a program embedded in the PDF’s font. When the PDF file is displayed, the embedded program goes to work by forcing a stack overflow, which subsequently allows for complete control of the device. As noted by Charlie Miller, the reigning champion in the annual Pwn2Own hacking competitions, the exploit was “scary” in its method of defeating Apple’s security measures.
Ironically, you can grant yourself limited protection from this security flaw by actually jailbreaking the iPhone. According to Gizmodo, users who have already jailbroken the iPhone can download a ‘PDF loading warner’ app from Cydia, which displays a warning message every time the device attempts to load a PDF file. Think of it as a form of UAC for iPhones, if you will.
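The same "warn before you open it" idea can be applied on a mail or web gateway. The sketch below is an added example, not the Cydia app's code: it flags any PDF that carries an embedded font program, using the standard PDF font-descriptor keys `/FontFile`, `/FontFile2` and `/FontFile3`. It only reports that a font program is present, not whether it is malicious, and the sample bytes are constructed for illustration.

```python
import re

# Font-descriptor keys that point at an embedded font program (PDF format).
FONT_PROGRAM_KEYS = {"FontFile", "FontFile2", "FontFile3"}

# A PDF name is "/" followed by any bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so an obfuscated /Font#46ile3 is read as FontFile3."""
    plain = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Report embedded font programs in the uncompressed part of a PDF."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF")
    names = [decode_name(m.group(1)) for m in NAME_RE.finditer(data)]
    found = sorted(set(names) & FONT_PROGRAM_KEYS)
    # Object streams are compressed containers; font descriptors stored inside
    # them are invisible to a raw scan, so treat their presence as "unknown".
    hidden = "ObjStm" in names
    return {
        "embedded_font_keys": found,
        "object_streams": hidden,
        "warn": bool(found) or hidden,
    }


# Constructed sample: a font descriptor whose key is written with a hex escape.
SAMPLE_WITH_FONT = (
    b"%PDF-1.4\n"
    b"5 0 obj\n<< /Type /FontDescriptor /FontName /ABCDEF+Demo"
    b" /Font#46ile3 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Subtype /Type1C /Length 0 >>\nstream\n\nendstream\nendobj\n"
)
# Constructed sample: no fonts, no object streams.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("font", SAMPLE_WITH_FONT), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(blob))
```

Most real-world PDFs embed fonts, so a hit is a reason to render the file in a patched or sandboxed viewer rather than proof of an attack.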
Of course, the thought of having your entire device compromised is already bad enough, but the fact that something similar happened to the iPhone before (TIFF files) can be rather unnerving. More importantly, it also highlights one thing: that Apple’s claims of the iPhone being secure enough for use in businesses should be taken with a very large serving of salt.