Printed from http://www.macnn.com

iPhone security flaw offers complete control

updated 01:00 pm EDT, Mon July 23, 2007

A new security flaw in Apple's iPhone could allow attackers to access personal information such as SMS text messages and voice mails stored on the device, and could even provide malicious users with a means of recording the iPhone owner or taking photos with the handset's built-in digital camera. The exploit, which was discovered by a group of security researchers who plan to detail the hole at the BlackHat conference in Las Vegas on August 2nd, offers complete unfettered access to the phone with administrator privileges. The experts who discovered the flaw at Independent Security Evaluators are refusing to provide extensive details on the security flaw but said iPhone users need only access a maliciously crafted website or forum post to hand over complete control of their phone to that site's owner.

Attackers gain access to the iPhone in one of three ways: any iPhone that automatically connects to an attacker-controlled wireless access point with the same name and encryption type as a trusted network would be compromised; an improperly configured forum on any website could allow insertion of the exploit; and iPhone users opening a link delivered via email or an SMS message could unknowingly open a hostile website.

ISE researchers have already alerted Apple to the presence of the security flaw, and have offered a patch to the Cupertino-based company to repair the issue. A video is available showing the compromise of an iPhone's security.




by MacNN Staff

Comments

  1. jhawk95

    Joined: Dec 1969

    0

    Give me a break!

    What the article failed to also say was......

    that the aforementioned hacker / attacker would have a better chance of success by simply jumping me on the street, putting a gun to my head, and jacking my iPhone from me.

    I mean, come on, all these "ifs and coulds" are enough to make me laugh. I know which networks I am connecting to and I know which websites I am browsing with my iPhone.

    If you carelessly jump around the internet and click on any and every link you come across, then you might need to worry about this. However, just as on your computer, if you are a smart web citizen, you have nothing to worry about.

    By the way, I am sure this study / hacker group is being funded by MicroShaft to find this and any other flaw. I mean, who else has enough time to sit around for two weeks without pay and find an exploit... that even if it works in the wild... gets them information that most likely would not reap any financial rewards. I mean, once you get the names and numbers of my infamous friends and family... what are you going to do with them? Sell them for top dollar... or try to blackmail my mother to not post her meatloaf recipe that she emailed me on the net?

  1. SubPop

    Joined: Dec 1969

    0

    ...wow..

    And people seem to think Testudo doesn't have a point when he asks why people get so defensive when announcements like this are made.

    How bad would your world be rocked if you actually WORKED at Apple?

  1. PookJP

    Joined: Dec 1969

    0

    The question...

    The question isn't whether vulnerabilities will appear; of course they will. The question is, rather, how quickly can Apple respond and what do they learn from each security hole. If Apple has this patched by the end of the day, it will reflect positively on the iPhone as a product that is secure in the long-run.

  1. testudo

    Joined: Dec 1969

    0

    Re: give me a break

    If you carelessly jump around the internet and click on any and every link you come across, then you might need to worry about this. However, just as on your computer, if you are a smart web citizen, you have nothing to worry about.

    Hey, everyone, stop trying to break the iPhone! It's not possible, we all know this. Because every iPhone user knows exactly what he's doing, going, clicking on, etc, and would never fall for such a thing!

    Man, how stupid do these hackers have to be to think people would fall for this stuff? I mean, sure, you could consider the vast number of users who unknowingly download and install trojans, malware, spyware, etc, I would think this is a concern. Or those who fall for phishing scams. Or Nigerian treasury protection scams. Or eBay scams.

    But these people would never own an iPhone! So it's pointless!

  1. fubar_this

    Joined: Dec 1969

    0

    no break for you

    I don't understand jhawk95 why issues like this are "no big deal". If you look at the past 3 years of Internet Explorer/Windows vulnerabilities, not a SINGLE ONE has been self spreading. Almost all PC malware these days relies on the user to initiate the sequence of events that allows it to infect the machine, e.g. by clicking on a link in an email or by going to a previously "safe" Web site that has since been compromised. That means that unless you are willing to give Internet Explorer and Windows a free pass on worms, this IS a big deal.

    Oh and just because you know the Web sites you visit doesn't mean you are safe. What happens if MacNN or some other "known" Web site is hacked so that when you visit it, you get infected? It's happened before to PC users, sometimes with some pretty well known Web pages (a lot of times it's with "blogs" that have not been properly locked down). Attackers simply insert an IFRAME into the existing HTML source so that unsuspecting victims go to the Web page, get infected with some malware using a hole in Internet Explorer (just like this hole in Safari) and boom, instant infection of a lot of people.

    Until people like you stop saying "Bah humbug!" to every security vulnerability that Apple has, people are going to target the Mac to prove the naysayers wrong.

  1. testudo

    Joined: Dec 1969

    0

    Phishing mails

    This bears another question. The text of the article includes "and iPhone users opening a link delivered via email or an SMS message could unknowingly open a hostile website."

    How does the iPhone's Mail and Safari handle these types of links (those that look like one thing, but go somewhere else)? I mean, in OS X, I don't recall ever being warned of a possible re-directed URL. Do you get any of that in the iPhone?

  1. hayesk

    Joined: Dec 1969

    0

    Re: phishing mails

    In MacOS X Mail, if you hover your mouse over the link, it shows you via a tooltip if the link is different than what it says.

    On the iPhone, if you "tap-hold" over the link, I think it does the same thing.

  1. glasshalffull

    Joined: Dec 1969

    0

    altered?

    First how do we know this is real? Second how do we know the hackers have not altered the hardware in order to allow their exploit. We've seen this kind of claim before only to find out that the hardware was altered in some way.

    These kinds of claims are beginning to numb users way more than they help. We'll have something to worry about when the headline says something like "iPhone has a confirmed vulnerability, by a third party, on a device that has never been in the hands of the hacker." Until then this is nothing more than a scare tactic for hacker's personal gain.

    I'll believe this when I see it in the wild. And no I don't believe either the iPhone or the Mac is impossible to hack into. But as long as the device has been in the hands of the hackers, physically, we have no idea what is actually real.

  1. testudo

    Joined: Dec 1969

    0

    stuff

    In MacOS X Mail, if you hover your mouse over the link, it shows you via a tooltip if the link is different than what it says.

    Yeah, but wouldn't it be nicer if they could do the comparison for you, and tell you when they're different?

    These kinds of claims are beginning to numb users way more than they help.

    That's the POINT! If you numb users to this stuff, they stop paying attention, so when some hackers do come up with a way (which might be the case here), people will have no defenses or cares (in their "wake me when it's in the wild!" mood, which, really, is just funny, because that's a tad too late to protect you) and devices are exploited with nary a notice from the users.

  1. robttwo

    Joined: Dec 1969

    0

    more 'hacker' bs

    you know, I just found a way to hack into your testicles. I won't show you, but I really really do know how. I will demonstrate it in a week or so. I mean it, I really can do it. I have already turned the info over to your s******. Really, I can do it.
