updated 10:45 am EDT, Fri September 28, 2007
iPhone root exploit
A recent weblog post, made by one of the participants of the Metasploit hacking project, details how an iPhone might be turned into a mobile hacking tool complete with root access. The post author notes that every process on an iPhone is run as root, including Mail and Safari, and that even a single flaw in one of them can lead to an iPhone being completely exploitable. This bears resemblance to the webpage exploit fixed by Apple in the v1.0.1 firmware, but notably, a general vulnerability appears to remain with the v1.0.2 firmware. There is no word yet on whether this has been solved in the new v1.1.1 release.
One hacked iPhone can in theory be made to target another, forcing it to take photos, share contact lists, or even dial phonecalls without the owner's consent, a particular problem since "always-on" EDGE access means this can be done any time an iPhone is not powered down. Compounding the danger is that mDNSResponder, also known as Bonjour, ZeroConf and Rendezvous, runs by default. The service broadcasts a user's hostname over Wi-Fi, giving hackers a target; it is noted however that active discovery of hostnames may not be easy.
The weblog poster observes that some modifications allow the installation of the Metasploit Framework, which in turn can be made to load iPhone executables. This however does not constitute an exploit by itself, since it is left up to other coders to determine the minute details of breaking into other phones.