The whole FBI -vs- Apple kerfuffle is something that I’ve been trying to stay up-to-date on and, as a result, this post and video at Tech Crunch caught my attention (and then the Tech Crunch website caught my attention). The tease for the article was "With all the hoopla surrounding the FBI-Apple controversy, it may surprise you how easy it is to hack into an iPhone." The video is a good example of how social engineering could be used to hijack a device, but a) I don’t think that it has any bearing on the FBI -vs- Apple fiasco and b) it isn’t specific to the iPhone or to mobile phones in general.
As far as its pertinence to the FBI -vs- Apple case, this type of attack isn’t really relevant because the FBI doesn’t have a user who knows the PIN, can unlock the iPhone and can be enticed into installing the malicious app. The attack in the video requires exactly that: a user who installs a malicious app, which then gives an attacker remote access to the device. The capability that the FBI is requesting is a different thing entirely: a way to circumvent the data wipe that happens after 10 failed passcode attempts, so that the passcode can be guessed repeatedly on a locked phone.
As far as this being specific to an iPhone, this type of attack is relevant against any technology where a human is the defensive measure, i.e. where the security of the system depends on the user not being fooled. We can use Alice, Bob and Trudy here as an example. Trudy sends Alice an email that Alice receives on her Android phone. The email contains either a malicious attachment or a link to a malicious website. Alice clicks on the link and, as a result, gets malware installed on her phone that gives Trudy some degree of access to it (either full access immediately or limited access, leaving it up to Trudy to escalate to a higher privilege level). Similarly, Trudy sends Bob an email that Bob receives on his computer. Bob opens the email and either opens the [malicious] attachment, views the [malicious] website, etc., and Trudy then has access to Bob’s computer. The platform is incidental; the user clicking is the vulnerability.
The link above is to the HTTP (non-secure) version of the Tech Crunch website. I generally try to use HTTPS links to minimize the chances that we’re sending someone to a site that could be used in a man-in-the-middle (MiTM) attack to deliver malware to them but, when I tried to use HTTPS rather than HTTP for Tech Crunch, I found that the SSL certificate for Tech Crunch throws an error (SSL_ERROR_BAD_CERT_DOMAIN). That error means the certificate the server presented doesn’t list the hostname you typed into the address bar, so the browser can’t tell whether it is talking to the real site or to someone in the middle; it is the one warning a user should never click through. This is an article about security on a tech blog, it’s Friday, and I felt inclined to point out the irony.
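To make the SSL_ERROR_BAD_CERT_DOMAIN point concrete, here is the hostname check a browser runs after it has validated the certificate chain, written out in Python. This is an added example and not code from the original post or from Tech Crunch; the certificate names it checks against are constructed for illustration (RFC 2606 example domains), not what any real site serves. It follows the RFC 6125 matching rules in the simplified form browsers enforce: case-insensitive comparison, a wildcard honoured only as the entire left-most label, and a wildcard matching exactly one label, which is why a certificate for `*.example.com` does not cover the bare `example.com`.

```python
"""Hostname matching as a browser performs it before trusting a TLS cert.

A BAD_CERT_DOMAIN error is raised only after the chain has verified: the
certificate is genuine, but none of the names in it cover the host that
was requested. Rules implemented (simplified RFC 6125 section 6.4.3):
  * comparison is case-insensitive and ignores a trailing dot
  * '*' is accepted only as the whole left-most label
  * '*' matches exactly one non-empty label
  * a wildcard must leave at least two literal labels ('*.com' is refused)
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a single certificate name (dNSName SAN entry) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard never spans labels, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Partial wildcards ('w*.example.com') and wildcards anywhere but
        # the left-most label are refused, as is a wildcard on a TLD.
        if p_labels[0] != "*":
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any name in the certificate's SAN list covers hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names)


def verdict(hostname: str, san_dns_names: list[str]) -> str:
    """What the browser would conclude for this host and certificate."""
    if cert_covers(hostname, san_dns_names):
        return "ok"
    return "SSL_ERROR_BAD_CERT_DOMAIN"


# Constructed sample: a wildcard certificate that forgot the apex domain.
# This is a hypothetical SAN list for illustration, not any real site's.
SAMPLE_SAN = ["*.example.com", "cdn.example.net"]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com",
                 "cdn.example.net", "EXAMPLE.COM."):
        print(f"{host:20s} -> {verdict(host, SAMPLE_SAN)}")
```

When you hit this error on a live site, `openssl s_client -connect host:443 -servername host` followed by `openssl x509 -noout -text` on the output shows the Subject Alternative Name list the server actually sent, which is the list this check runs over. The two common causes are a wildcard certificate that doesn’t cover the apex domain, as in the constructed sample above, and a shared hosting front end that serves a certificate for some other tenant; either way the browser is right to refuse.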