Loading A PDF Could Give Hackers Total Control Over Your iPhone

Better not load any PDFs on your iPhone for a while, not unless you want to risk handing over total control of your device to hackers. The exploit affects all iOS 4 iOS 3.1.2 and higher devices, including the iPod touch and the iPad.

The malicious code lurks inside a font inside the PDF and when you go to view the document, it causes something called a “stack overflow” which fills up the memory. During the ensuing crash, the program can slip into your device and do anything it wants. Anything, from deleting files, to install secret monitoring programs, to automatically calling 911 every time you make a phone call, to constantly shouting insults at you. Anything that can be programmed can be done.

So until they patch this bug, best just wait to view any PDFs until you’re at your home computer.

Apple Security Breach Gives Complete Access to Your iPhone [Gizmodo] (Thanks to GitEmSteveDave!)

Comments

Edit Your Comment

  1. Destron says:

    Stack overflow? Really? That’s so Windows 98.

    You would a company that manufactures computers could get this right.

  2. edicius is an acquired taste says:

    Ten bucks that Apple instantly blames Adobe.

  3. GuyGuidoEyesSteveDaveâ„¢ says:

    I honestly didn’t even know I could view PDF’s on my iTouch.

    • aka Cat says:

      Yup, you can view a pdf from an email attachment or web link.

      I really don’t understand why so many people buy the pdf viewers from the app store.

  4. danmac says:

    This article is ridiculous…everyone knows that apple products are immune to hacking and viruses. It’s more likely that hackers broke into the Consumerist’s server, which is PROBABLY a PC, and uploaded this fake story to freak everyone out.

    Shame on you, hackers!

  5. AnonymousCoward says:

    True enough, but what the article isn’t really saying is that you have to load a special, evil pdf file. The pdf that your boss just emailed you is probably okay. Unless your boss got it from the wrong place.

    • domcolosi says:

      While that’s true, a malicious ad on a website could open such an evil PDF in a small iframe.

  6. kompeitou says:

    Zach Galifianakis has three iPhones?!

    • the Persistent Sound of Sensationalism says:

      Heh, heh, heh. Just watched his special on Netflix over the weekend. That guys is too funny.

  7. Promethean Sky says:

    You would think by now that programs would have a built in feature to handle stack overflows. I’m a programing rookie, so I don’t know if that’s feasible, but it sure would be nice.

    • Samuel Kadolph says:

      There are many languages that don’t allow for buffer overflows. Usually any language that has managed memory is immune.

      • Happy Tinfoil Cat says:

        And for others you can create or buy libraries that do not have this problem. There are programs to check the final executable for buffer overflows, memory leaks etc. And even still, there are some hardware implementations that handle things like this. Since Apple has complete control over the hardware and software they should fix this vulnerability. …unless of course they want to not only control what apps you can buy, ebooks you can read, but also any content you can read from the internet.

  8. brianary says:

    Apple bears some blame in using a language/platform from the ’80s that still allows buffer overflow (Objective-C).

    However, Adobe has shown time and again that their code (Reader or Flash) can make any system unstable. My PS3 will lock up after watching too many Flash movies in the browser!

    • brianary says:

      Oops, I guess this is all Apple code. Apple bears the full responsibility here!

      But… but… walled garden!

  9. Mike says:

    “You’re opening your PDFs wrong”

    -Steve

  10. MustWarnOthers says:

    A Heavenly and Divine Exploit, for your Magical and Revolutionary Smartphone.

  11. DariusC says:

    Not that you would want to read a PDF on your phone anyways unless it was only a couple pages… Same logic as to why you would not watch the Lord of the Rings trilogy on your iphone. Personally, I enjoy my neck, back and eyes.

  12. RDSwords says:

    You have to hold press your hand over a little gap on the edge of the phone to keep from achieving a full stack.

  13. Rob07 says:

    I don’t know… I’m a bit skeptical considering the source of the article.

  14. aleck says:

    Can we finally accept the fact that viruses did not affect Apple products because very few people cared about Apple products. Not because Steve Jobs touched each one personally, infused it with his divine powers and thus made it immune from any virus.

    Now that Apple products are used by many people, they make a good target.

    • mac-phisto says:

      to be fair, no one in the apple camp (that i know of) ever bet on infinite immunity. this article states that at least since 2002, apple was recommending AV software to its mac users.

      http://news.cnet.com/8301-1009_3-10110852-83.html

      fanboys certainly purport immunity, but the truth is that the assholes that write malware will exploit whatever they can, whenever they can. too bad they lack the cognition to put any of that energy toward anything productive – except maybe that ATM jackpot exploit – that seems pretty productive. =P

  15. Quatre707 says:

    Apple can just release a security patch whenever they feel like breaking the latest popular jailbreak. What a load of crap.

  16. maztec says:

    Totally true. Except, how many people are not going to notice that their phone is suddenly rebooting and behaving weird?

  17. CharlesJBarry says:

    I’m surprised that nobody’s mentioned that there are only about a half dozen people in the world that know how to make use of this exploit and they’re all pert of the jailbreaking community. They’re not talking about how it’s done to anyone and they used it to create http://www.jailbreakme.com the jailbreak for all iOS devices running all firmwares that is executed by going to the site from your device’s Safari browser. There’s also a fix for jailbroken devices that helps prevent this from happening IF anyone else figures out how to do it.

    But yeah, way to fear monger.

    • CharlesJBarry says:

      I should clarify, the Gizmodo article mentions that stuff, but who ever clicks through to the source articles?

      • Destron says:

        Actually, there is information on how to do this on the newsgroups, and that’s also where the hackers hang, so at this point several thousand at minimum know how to do this.

  18. tz says:

    I DON’T THINK THERE IS ANY WARNING THAT YOU ARE ACCESSING A PDF!

    The “jailbreakme.com” site uses it and it just briefly says it is downloading, but nothing about a PDF.

    Unlike firefox, or even most browsers on windows, there is no way to alter the behavior of Safari so as to not try to download/view PDFs (Thank you Steve Jobs for locking us in with the flaws).

    You can theoretically disable javascript but then sites don’t work (nothing like noscript that disables on a per-site basis), but you won’t be able to tell shortened URLs point to PDFs, so if someone tweets one? Buys a banner ad?

    As far as I know, the only way to prevent the problem is not to surf anywhere that you don’t trust has secured things.

    Or jailbreak the phone using the exploit and disable PDF viewing.

  19. TardCore says:

    I’m jailbroken and have a file to prevent this from happening.

  20. pot_roast says:

    There have been security problems with PDF files for a while now. Adobe has one that up until very recently was exploitable.

    It’s a new found issue. It will get fixed.

    But because Apple is involved, the haters are out en masse, as expected.