While chatting with Nick DePetrillo we came up with a few more highly unpleasant things to do using the new Iphone vuln.
Using Chris Pagets work demoed at Blackhat this year, for $1500 (a totally reasonable price point for an attacker looking to make money with spy/ad/fraud ware on an iphone) it's possible to build a custom cell tower / IMSI catcher.
What does that get you? The ability to masquerade as AT&T.
And to send SMS messages directly to the phone.
A man-portable microcell carried around a major metropolitan area may be able to catch a significant number of Iphones, immediately sending a spoofed SMS ("iOS update, click here"? "More porn"? "bank alert"? "look at this funny cat"?)
IMSI catching: Not just for spying and phone sniffing, now you can use it as a direct attack.
Since the current USRP code doesn't support data, the phone is forced into
voice only mode, preferring wifi for data. Not only can an attacker
directly spoof a URL in a message, but by forcing wifi (and bringing, for
example, an access point running karmetasploit which redirects all URLs via
MITM attacks) along with the USRP, users which do NOT respond to the URL are
still grabbed via the next website they visit.
Once inside the phone, what horrible stuff is on the menu? Sending a worm-style SMS to everyone in the contacts list to then own their phones? Installing trojans to dial high-rate numbers (already a problem with advertising services and a few apps)? Snooping logins and personal data? Targetted tracking via hidden apps?
Pass me a guinness.