By Jon Swartz
Check Point researchers demonstrate flaw in common database software by showing how it could be used on Apple smartphones
A major security threat for millions of consumers may be lurking in their pockets and throughout their homes.
Researchers at Check Point Software Technologies Ltd. (CHKP) have discovered a flaw in one of the most-deployed pieces of software in the world that undergirds the contacts list on Apple Inc. (AAPL) iPhones and plays an important in nearly every popular computing platform.
The SQLite database engine is used in operating systems, desktops and mobile phones -- including iOS and MacOS, Alphabet Inc.'s (GOOGL) (GOOGL) Chrome browser and Android operating system, Microsoft Corp.'s (MSFT) Windows 10, as well as Safari and Firefox web browsers. SQLite is also used in products from Dropbox Inc. (DBX) , Adobe Inc. (ADBE) , and others.
This has made the database a rich target for would-be hackers who can exploit SQLite code and gain administrative control of an iPhone, according to a report Check Point is expected to issue at the DEF CON security conference in Las Vegas on Saturday.
Check Point's research team proved through its own techniques of digital query hijacking and programming it is possible to "reliably" exploit memory-corruption issues in the SQLite engine. As a proof of concept, the researchers say they were able to surreptitiously gain greater access to iOS privileges.
"If successful, the intruder owns your iPhone" and the information on it, Omri Herscovici, the security research team leader at Check Point who authored the 82-page report, told MarketWatch in a phone briefing.
As part of presentation on Saturday, Check Point planned to demonstrate how an intruder can bypass Apple's trusted secure boot mechanism and gain administrative permissions on an iPhone. Contacts on iPhones are stored in SQLite databases, as well as some saved passwords on Macs.
Check Point said it informed Apple in March and the company issued a patch in May. Apple did not respond to an email message seeking comment. Check Point said it notified Microsoft as well about the SQLite flaw. Microsoft had no comment.
Check Point's disclosure of the SQLite vulnerability is part of a yearslong tradition at DEF CON, where hackers convene annually to share the latest trends and security secrets.
-Jon Swartz; 415-439-6400; AskNewswires@dowjones.com
(END) Dow Jones Newswires
August 12, 2019 07:11 ET (11:11 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.