Security guru: iPhone malware highly likely

Right. Just because one is able to "hack" into THEIR OWN iPhone is absolutely no reason to proclaim that someone else can do it remotely. This statement by F-Secure just made me shake my head is disbelief. And these guys are security experts? Or are they trying to sell me something?

I'd like to agree with wings_rfs, but the truth is that the last round of jailbreaking relied on the TIFF overflow vulnerability-- The code was run over the web in a way that any malicious hacker could have exploited as well.

That vulnerability was fixed with 1.1.2. So unless you're aware of another vulnerability like that, then wings_rfs is exactly right. Patrik Runald is spreading FUD, because he has no proof that there's a vulnerability on the iPhone (updated to 1.1.2) that would allow malware to run.

He's speculating, nothing more, and it's not even informed speculation, apparently. If he had even a sliver of proof that such a vulnerability existed on the iPhone (again, updated to 1.1.2), I'm sure he would have shared it with us. Right?

Wake me when this opinion comes from an -independent researcher-, not someone with an agenda or something to sell.

We had iPhone since end of June. Early versions of firmware were plagued with bugs, as we know from many security experts. TIFF bug was known to everyone and hasn't been patched until this week. The question: where's malware on this highly insecure device, mr. Runald? Perhaps mr. Runald knows any secure device that can't be hacked, so he could point Apple where to direct their security efforts? I highly doubt that. Or maybe even better, mr Runald knows a solution for doomed iPhone? Of course! He hints at it: there will be security software that will negate negative SDK impact on security. We are saved!

I wonder, who will provide us this can't-live-without-it kind of software. Maybe some capable company called F-Secure? After all, they are experts...

yes, 1.1.2 fixed the tiff exploit, which was an incredibly open and exploitable vulnerability - and *could* have been exploited for planting malware.

It didn't and hopefully most phones upgrade to 1.1.2 -though bear in mind that many, many unlocked phones will continue running 1.1.1, and a great many if those are not fixed with jailbreakme.com - so they remain potentially vulnerable. Also, those improperly jailbroken and with ssh left on could potentially get hacked in over the air/wifi. Newer methods close these openings, but those running earlier hacks could pose (an ever shrinking) target.

Now, if nothing changed, and Apple would not work towards securing the phone more, he may have more of a point - but I have a feeling that by the time the SDK ships, the iPhone will be a hell of a lot more secure - I would hope that at one point it would stop operating everything in root mode.

Please note that in order to jailbreak your iPhone you must DOWNGRADE it to version 1.1.1 which had the TIFF bug.

Since this individual works for a company that sells anti-virus software, it is possible that his statements are biased. It is 80-90% sure that when third party apps are allowed for the iPhone, F-Secure will want to sell you their software for $$$.

ttrostel claims: "Please note that in order to jailbreak your iPhone you must DOWNGRADE it to version 1.1.1 which had the TIFF bug. "

Not really, it is also enough to *NOT UPGRADE* from 1.1.1, seeing as how plenty of phones will remain in the channel that come with 1.1.1 out of the box, and many phones that won't upgrade because they are unlocked one way or another.

These will remain vulnerable, though obviously their numbers are decreasing as more updates become available.

This is scary. I never realized the danger. If I consider the ease with which I can install programs on my Mac, then it is a miracle it still works. Does the same also apply to other devices. My DVD player gets infected with movies almost on a daily basis, and not only DRM movies but sometimes with movies that have no protection at all...

Seriously, what a piece of nonsense. If Mr. Runald knew how difficult the jailbreaking process on the iPhone really is, I'm sure he would realize that such an "infection" would hardly go unnoticed.

What Patrik Runald was really trying to say.

" LOK!11!1!!1 LOL WE R HOPNG TAHT W3 CAN R ENOUGH PEOPL3 IN2 THINKNG THEY MAY B AT RISK SO WA CAN ACTUALY HAEV SOME NU WORK OUT TH3RE!!11! OMG WTF WUT I DIDNT EXPLANE SI TEH SITUATION SI SO HIGHLEY UNLIEKLEY TAHT ONLEY A FOL WUD DO TH3M AND NO SACURITY R CAN PROTECT A COMPLATE IDIOT!!11!!1 OMG ALSO FOR THOS3 TAHT UESD HAX 2 UNLOK THEYRE PHONE MAY B VULN3RABLA BUT OF COURSA THEY R VULNERABL3 B/C THAY HAEVNT UPDAETD 2 DA MOST RECENT SACURITY PATCH NOR HAEV TH3Y MAED SUR3 TEH HAK TH3Y UESD DIDNT COMPROMIES DA SECURITY OF DA DEVIEC IN TEH FIRST PLAEC!111!1!!1 WTF BUT I HAEV A QUOTA 2 MET AND INSTEAD OF ACTUALY HAVNG 2 WORK FOR MAH PAYCHEK AND 3ARN IT I WUD RATH3R DRUM UP FUD F3AR AND SE IF TEH DROVES OF MINDLES GULIBL3 IDIOTS WIL COMA 2 M3 FOR TEH SOLUTION!1!!!!111 LOL "

Ironic that one that works for an "antivirus" company would make an announcement of the likes of this one. Lets see.

(1) Feed people useless fear. (2) Let the paranoia build. (3) Release a "security software app" in February. (4) Profit.

F-U-D