Written by tjchan on Wednesday, July 25, 2007

iPhone Gets Owned by Security Vulnerabilities


iphone

According to InfoWorld, Charles Miller, Jake Honoroff, and Joshua Mason just found the Apple iPhone’s first security vulnerability.

Research trio claims the iPhone’s data can be stolen and the device can even be turned into a remote surveillance tool

This exploit comes from a vulnerability in iPhone’s Safari and proof-of-concept has been implemented. The result?

The iPhone is owned. “In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data, it then transmits all this information to the attacker.”

So what can be done? Nothing right now as Apple has been notified and they have just a mere 2 weeks before details of the exploit get released at a Black Hat 2007 security conference in Las Vegas.

Technorati Tags: , , , , ,

Be Sociable, Share!

Related posts:

  1. Security Vulnerabilities Hit Apple
  2. Unofficial Fix Released for Major Palm Security Flaw
  3. T-Mobile: Security Fix Leaves Some Customers In the Dark
  4. Exploit Now Out There for MMS Vulnerability
  5. iPhone Users…Don’t Answer That Text

More in iPhone/iPod Touch | 3 Comments


« »

3 Comments

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


PatrickJ
Jul 25, 2007

The security researchers’ paper on all of this is very good – it’s at: http://www.securityevaluators.com/iphone/exploitingiphone.pdf.
They also detail a second level of exploit where the iPhone can be made to execute system commands, like playing an alert sound or making a call.


Brandon Steili
Jul 25, 2007

FUD ….

It’s a safari vulnerability that affects Windows and OS X:

Is the new vulnerability in the Mac or Windows versions of Safari?

The vulnerability is also present in both the Mac and Windows versions of Safari, though it may or may not be exploitable there.

Source: http://www.securityevaluators.com/iphone/


PatrickJ
Jul 25, 2007

I don’t totally agree. One key security flaw they discuss is that ALL processes on the iPhone run with SuperUser privileges. So, if you manage to exploit a single app like the browser (as they have), you completely own the device. Now I haven’t used a Mac in quite a while, but if the same horrific SuperUser flaw exists on a Mac, then Wow, that ‘Macs can’t be hacked’ theory really looks silly. Then again, that has been looking less and less true anyway.

And actually, with UNIX under its hood, obviously Mac OSX does not share this flaw with the phone device … 

Leave a Reply

You must be logged in to post a comment.