07/23/2007, 1:00pm, EDT

Monday, July 23rd

iPhone security flaw offers complete control

A new security flaw in Apple's iPhone could allow attackers to access personal information such as SMS text messages and voice mails stored on the device, and could even provide malicious users with a means of recording the iPhone owner or taking photos with the handset's built-in digital camera. The exploit, which was discovered by a group of security researchers who plan to detail the hole at the BlackHat conference in Las Vegas on August 2nd, offers complete unfettered access to the phone with administrator privileges. The experts at Independent Security Evaluators who discovered the flaw are refusing to provide extensive details on it, but said iPhone users need only access a maliciously crafted website or forum post to hand over complete control of their phone to that site's owner.

Attackers gain access to the iPhone in one of three ways: any iPhone that automatically connects to an attacker-controlled wireless access point with the same name and encryption type as a trusted network would be compromised; an improperly configured forum on any website could allow insertion of the exploit; and iPhone users opening a link delivered via email or an SMS message could unknowingly open a hostile website.

ISE researchers have already alerted Apple to the presence of the security flaw, and have offered a patch to the Cupertino-based company to repair the issue. A video is available showing the compromise of an iPhone's security.


Reader Reactions
Give me a break!
0
07/23, 1:23pm, EDT
What the article failed to also say was......

that the aforementioned hacker / attacker would have a better chance of success by simply jumping me on the street, putting a gun to my head, and jacking my iPhone from me.

I mean, come on, all these "ifs and coulds" are enough to make me laugh. I know which networks I am connecting to and I know which websites I am browsing with my iPhone.

If you carelessly jump around the internet and click on any and every link you come across, then you might need to worry about this. However, just as on your computer, if you are a smart web citizen, you have nothing to worry about.

By the way, I am sure this study / hacker group is being funded by MicroShaft to find this and any other flaw. I mean, who else has enough time to sit around for two weeks without pay and find an exploit... that even if it works in the wild... gets them information that most likely would not reap any financial rewards. I mean, once you get the names and numbers of my infamous friends and family... what are you going to do with them? Sell them for top dollar... or try to blackmail my mother to not post her meatloaf recipe that she emailed me on the net?
Fresh-Faced Recruit
Joined Oct 2006
User is offline
...wow..
0
07/23, 1:48pm, EDT
And people seem to think Testudo doesn't have a point when he asks why people get so defensive when announcements like this are made.

How bad would your world be rocked if you actually WORKED at Apple?
Fresh-Faced Recruit
Joined Jan 2006
User is offline
The question...
0
07/23, 1:56pm, EDT
The question isn't whether vulnerabilities will appear; of course they will. The question is, rather, how quickly can Apple respond and what do they learn from each security hole. If Apple has this patched by the end of the day, it will reflect positively on the iPhone as a product that is secure in the long-run.
Mac Enthusiast
Joined Jan 2001
User is offline
Re: give me a break
0
07/23, 2:17pm, EDT
If you carelessly jump around the internet and click on any and every link you come across, then you might need to worry about this. However, just as on your computer, if you are a smart web citizen, you have nothing to worry about.

Hey, everyone, stop trying to break the iPhone! It's not possible, we all know this. Because every iPhone user knows exactly what he's doing, going, clicking on, etc, and would never fall for such a thing!

Man, how stupid do these hackers have to be to think people would fall for this stuff? I mean, sure, you could consider the vast number of users who unknowingly download and install trojans, malware, spyware, etc, I would think this is a concern. Or those who fall for phishing scams. Or Nigerian treasury protection scams. Or ebay scams.

But these people would never own an iPhone! So it's pointless!

Fresh-Faced Recruit
Joined Aug 2001
User is offline
no break for you
0
07/23, 2:18pm, EDT
I don't understand, jhawk95, why issues like this are "no big deal". If you look at the past 3 years of Internet Explorer/Windows vulnerabilities, not a SINGLE ONE has been self-spreading. Almost all PC malware these days relies on the user to initiate the sequence of events that allows it to infect the machine, e.g. by clicking on a link in an email or by going to a previously "safe" Web site that has since been compromised. That means that unless you are willing to give Internet Explorer and Windows a free pass on worms, this IS a big deal.

Oh and just because you know the Web sites you visit doesn't mean you are safe. What happens if MacNN or some other "known" Web site is hacked so that when you visit it, you get infected? It's happened before to PC users, sometimes with some pretty well known Web pages (a lot of times it's with "blogs" that have not been properly locked down). Attackers simply insert an IFRAME into the existing HTML source so that unsuspecting victims go to the Web page, get infected with some malware using a hole in Internet Explorer (just like this hole in Safari) and boom, instant infection of a lot of people.

Until people like you stop saying "Bah humbug!" to every security vulnerability that Apple has, people are going to target the Mac to prove the naysayers wrong.
Fresh-Faced Recruit
Joined Jul 2006
User is offline
Phishing mails
0
07/23, 2:19pm, EDT
This bears another question. The text of the article includes "and iPhone users opening a link delivered via email or an SMS message could unknowingly open a hostile website."

How does the iPhone's Mail and Safari handle these types of links (those that look like one thing, but go somewhere else)? I mean, in OS X, I don't recall ever being warned of a possible re-directed URL. Do you get any of that in the iPhone?
Fresh-Faced Recruit
Joined Aug 2001
User is offline
Re: phishing mails
0
07/23, 3:19pm, EDT
In MacOS X Mail, if you hover your mouse over the link, it shows you via a tooltip if the link is different than what it says.

On the iPhone, if you "tap-hold" over the link, I think it does the same thing.
Professional Poster
Joined Sep 1999
User is offline
altered?
0
07/23, 3:51pm, EDT
First, how do we know this is real? Second, how do we know the hackers have not altered the hardware in order to allow their exploit? We've seen this kind of claim before only to find out that the hardware was altered in some way.

These kinds of claims are beginning to numb users way more than they help. We'll have something to worry about when the headline says something like "iPhone has a confirmed vulnerability, by a third party, on a device that has never been in the hands of the hacker." Until then this is nothing more than a scare tactic for hackers' personal gain.

I'll believe this when I see it in the wild. And no, I don't believe either the iPhone or the Mac is impossible to hack into. But as long as the device has been in the hands of the hackers, physically, we have no idea what is actually real.

Fresh-Faced Recruit
Joined Apr 2007
User is offline
stuff
0
07/23, 4:54pm, EDT
In MacOS X Mail, if you hover your mouse over the link, it shows you via a tooltip if the link is different than what it says.

Yeah, but wouldn't it be nicer if they could do the comparison for you, and tell you when they're different?

These kinds of claims are beginning to numb users way more than they help.

That's the POINT! If you numb users to this stuff, they stop paying attention, so when some hackers do come up with a way (which might be the case here), people will have no defenses or cares (in their "wake me when it's in the wild!" mood, which, really, is just funny, because that's a tad too late to protect you) and devices are exploited with nary a notice from the users.
Fresh-Faced Recruit
Joined Aug 2001
User is offline
more 'hacker' bs
0
07/23, 8:58pm, EDT
You know, I just found a way to hack into your testicles. I won't show you, but I really really do know how. I will demonstrate it in a week or so. I mean it, I really can do it. I have already turned the info over to your scrotum. Really, I can do it.
Fresh-Faced Recruit
Joined Nov 2005
User is offline