AAPL Stock: 117.34 ( -0.96 )

Printed from

Pressure put on Apple to fix iPhone exploit

updated 11:25 am EDT, Fri July 27, 2007

iPhone and Black Hat 2007

Apple is facing pressure to fix a security problem with the iPhone in a matter of days, commentators say, to protect both customers and its reputation. The company has less than a week before briefings begin at the Black Hat 2007 conference, where members of Independent Security Evaluators plan to reveal the details of its iPhone exploit announced on Monday. Simply by loading a malicious webpage or forum post, according to ISE, users may accidentally grant a hacker complete access to their iPhone, even to the extent of allowing camera use.

While Apple representatives will not say whether the exploit can be patched in time for Black Hat, the conference's director, Jeff Moss, accuses the company of having had "plenty of time" to update the iPhone software. "It would be nice if they patched it," he says.

Errata Security CEO Robert Graham argues that a fix is important to preserve a superior reputation for Apple in the mobile phone world. Whereas most phone carriers handle software updates themselves, Apple has opted to accept that burden, increasing opportunities for success and faliure. "Right now other smart phones are full of vulnerabilities and they are not getting patched," Graham says. "This is actually a good test to see if Apple can do this better than the mobile carriers."

Meanwhile, Errata partner David Maynor is working on a zero-day attack that could appear at Black Hat, but which may be withheld on the grounds that he does not want a repeat of the wireless hack scandal. "We are trying to get something ready but there are no guarantees it will be stage-worthy in time," Maynor warns. "After last year...we make sure that it's painfully obvious or we don't do it."

by MacNN Staff




  1. eldarkus

    Joined: Dec 1969



    What a bunch of a$$holes.. hey, i know. lets threaten a company to fix something or we'll release the information to hackers all over the globe! you may as well lock down a corporate email system and bribe the company... same damn thing.

  1. smitch

    Joined: Dec 1969


    ...what a bunch of

    wannabees! I get so tired of so called 'security experts' who try strong arm tactics and coercion under the guise of public concern. It might just have already occurred to Apple that they should have these same concerns close to their vest, don't you think?

  1. Terrin

    Joined: Dec 1969


    Why complain

    You'd think these people would be a little more grateful. If it weren't for vulnerabilities, they might have to go do something useful with their lives.

  1. ttrostel

    Joined: Dec 1969


    security by obscurity

    This is akin to security by obscurity. An old way of securing a system was to just set it up in a way that wasn't standard and hope nobody could figure it out.

    Obviously someone can figure out how to get into an iPhone from the outside and compromise security. Is it better for you to know about the problem and the things you can do to minimize the risks or is it better to keep it hush hush until the problem can be solved?

    Personally since I own an iPhone its more important for me to know about the issue and thus ... what things I shouldn't do while Apple is working on fixing the problem. Hiding it so script kiddie #5 doesn't have it handed to them certainly does NOT negate the risk!

    I don't consider what they are doing as a way to blackmail Apple into action. Other folks however may see it differently and we have to respect their opinions even if we don't agree.

  1. eldarkus

    Joined: Dec 1969



    There is no real motivation to 'blackmail' Apple here. They have already alerted Apple and they made the issue public (announcement was made earlier this week). Why blackmail them? What if the fix causes much deeper issues on the phone? Should Apple (or anyone for that matter) rush to fix the issue and put out a half a**'d attempt at a fix, which could cause potentially more issues? It's absurd. I's just strong arm tactics which shouldn't be done. There is no motivation but making yourself look cool at the hackers conventions!

  1. ajhoughton

    Joined: Dec 1969


    the problem with this

    The problem with this "fix it by then or else" strategy is that it doesn't take account of the fact that releasing software (especially to a large user base) is a complicated process. If some of the security experts are to be believed, you can "just" fix something and ship it, which simply isn't true.

    Moreover, the impression of an external security expert as to what the most important thing to fix might be may not match the impressions of those people with access to the source code. So trying to force a quick fix is foolish because it might end up with users being exposed for longer to a much more serious bug that outside researchers don't know about (yet).

    Finally, in answer to ttrostel, the sad fact is that a lot of the research done by security researchers and published on CERT and Bugtraq is used as a source of vulnerabilities by hackers. After all, why bother finding your own vulnerabilities when other people will do it for free, and when many users don't patch their systems (even when vendors release patches quickly)?

    So there *is* a very real benefit to keeping security issues under wraps. It might not prevent their exploitation, but it makes it *much* harder, because only those capable of finding and developing an exploit are then able to use them.

  1. jbelkin

    Joined: Dec 1969


    The Only 'exploit' Is ...

    The Only 'exploit' Is the PR happy guy in the lab. Out of a lab, here's the count so far:

    Mac OSX: ZERO for 30 million users

    iPod: ZERO for 110 million users

    iPhone: ZERO for 1 million users.

    Apple: ZERO for 140 million devices out there.

    Of course, you can break into your own house or inject yourself with ebola and claim panic.

    JUst because Symantec, McAffee and others make nearly ZERO from Mac users is not a reason to create fake panic just to boost their sales.

    There is a platform where people just work and it just works. If you don't use a Mac or don't care to - that's fine - just stay on your side of the fence. You don't know what you are talking about.

  1. ttrostel

    Joined: Dec 1969


    knowledge vs ignorance


    I honestly understand the benefits of keeping security issues under wraps. What I was saying is that *I OWN* an iPhone.

    Personally I would rather know what flaws it has so that I can mitigate the risks. For the manufacturer ... or anyone else to not communicate these issues means that I am unable to mitigate them.

    Yes there are lots of people who do not patch their machines. Yes there are people who upon reading the vulnerabilities will seek to exploit them. Yes there can be a lag between when something is discovered and when something is fixed.

    I'm just saying that, for example, if my Pinto is susceptible to rear impact flaws or the deadbolt on the front of my house is susceptible to "lock bumping", I'd like to know about it ahead of time. Your opinion of course is your own ... we simply choose to disagree on what course of action is in the best interests of the consumers.

    Thats a good point ... how many of you actually know about lock bumping? Look it up ... choose to be informed!

  1. Tanker10a

    Joined: Dec 1969



    Isn't it amazing on how easy it is to dismantle and criticize anything that is a "FIRST" from Apple. When Microsoft and other companies put out their pieces of c***, no one seems to be concerned about that because that is "the norm". It's OK to accept that. So all this non-sense about an iPhone exploit is no different and any other devices filled with security holes. Granted, Apple has NOT come out with a press release on this issue and I am glad because that in of itself is a statement to all the whiners crying about the iPhone security exploit. Also, bear in mind that the iPhone grants the User a choice to connect to the WiFi or decline the WiFi and connect to the Cellular network. Therefore, it's up to the User to decide as to whether or not they trust the WiFi Connection. There are several other phones (UTStarcom PPC-6700 / XV-6700 / HTC Apache) that utilize WiFi connectivity but no one is talking about them...Now that the whole world has made me aware of unsafe WiFi; I will start practicing "Safe-WiFi-iPhone"...BIG DAMM DEAL :-()

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented