News has emerged that likely will not be appearing in Apple's iPhone commercials. The iPhone has a security flaw that allows malicious hackers to turn the smartphone into a remote-controlled zombie.
The New York Times reported on Monday that a Baltimore-based team of security consultants demonstrated the hack. Independent Security Evaluators (ISE), a company that tests clients' computer systems by trying to break into them, showed the newspaper how to take control of the iPhone remotely.
The attack can be delivered in at least three ways, according to the researchers. In the first, a wireless access point with the same name as a trusted one could be used to deliver the attack by inserting malicious code in place of a Web page the user visits.
A second way is through a forum, which can load an exploit when an iPhone user views a discussion thread. Or a user could be tricked through a link in an e-mail into visiting a fraudulent, "phishing" site that can deliver the malicious code.
"Once you did manage to find a hole," ISE principal security analyst Dr. Charles A. Miller told the Times, "you were in complete control."
Report on iPhone Security
ISE said that it told Apple about the vulnerability and sent a sample patch to fix the problem. A spokesperson for Apple said the company is looking into the issue. Miller will be presenting a full report on the vulnerability at the BlackHat security conference early next month.
In the demonstration to the Times, Miller used the iPhone's built-in Safari Web browser to visit a Web site that transferred code to the device. Afterwards, the iPhone obediently transmitted recent text communications, phone contacts, and e-mail addresses. The researchers said that the exploit could compel the iPhone to do anything, including becoming a spy by recording audio and then sending it to the attacker.
John Girard, a VP at industry research firm Gartner, said that the significance of this reported iPhone bug is that it is the first to be "escalated to a working demonstration." He noted that his company already published a report about vulnerabilities in the iPhone, especially for enterprise environments. For businesses, the report said, the first-generation iPhone does not achieve the level of security of devices such as the BlackBerry.
The report found that the "iPhone's primary security defense rests on a restricted configuration that prevents user-installable applications." The report advised businesses to avoid storing enterprise data on the iPhone and to make other efforts to restrict its access until it can be more effectively secured as a business device.
Gartner said it expects Apple to improve iPhone security within the next six months, but that it will have to "open up a level of development tools in the platform."