Security Firm Reveals iPhone Vulnerability

[j/k/Andy]

link

FLAW LETS HACKERS EXPLOIT IPHONE, FIRM SAYS
Sun Jul 22 2007 16:03:45 ET

A team of computer security consultants say they have found a flaw in APPLE's popular new iPhone that allows them to take control of the device!

The researchers, working for Independent Security Evaluators, will report on Monday how they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code.

Developing...

or http://www.drudgereport.com/

[chrisdazzo]

that was the most excited post of the day. CAPS CAPS CAPS!

good thing i don't have an iphone, though, if this IS true.

[bigmac4ever]

Ouch...Im so very glad I didnt give up my Treo 700 wx for the apple joke of the year.I did come close though.

[mkrishnan]

Is this the same as or different from the SPI-announced web dialing issue?

It would be overly generous to call the Drudge report article uninformative, and the referenced company's website is shockingly even less informative... nor does this seem to have been carried by anyone other than the Drudge Report as of yet, which seems a bit odd to me....

[bxlewi1]

Quote:

Originally Posted by mkrishnan

Is this the same as or different from the SPI-announced web dialing issue?

It would be overly generous to call the Drudge report article uninformative, and the referenced company's website is shockingly even less informative... nor does this seem to have been carried by anyone other than the Drudge Report as of yet, which seems a bit odd to me....

Well, it being a Sunday and all - it's not terribly surprising it's nowhere but Drudge (the man never sleeps.)

[Dermot81]

From the few links up at Drudge on the iphone, most have been negative. Pretty biased reporting.

[j/k/Andy]

it is a classic Drudge flash, short and sweet, but more often then not he gets it nearly right, sorry for the all caps (copy and paste error)

[DMK]

Quote:

Originally Posted by Dermot81

From the few links up at Drudge on the iphone, most have been negative. Pretty biased reporting.

The Drudge Report is biased ?! what a shocker.

[kkachurak]

IMO, the Drudge Report has the same journalistic integrity as a tabloid.

[Littlebit]

The New York Times is reporting about it, as well...

http://www.nytimes.com/2007/07/23/te.../23iphone.html

[MacRumors]

The NY Times reports that researchers at a security firm Independent Security Evaluators have announced that they have found a vulnerability in the Apple iPhone that allows them to extract personal information and "take control" of the device from a malicious website or WiFi connection:

Quote:

The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.

The company has setup a website which provides a video demo of the exploit as well as answers to questions, but does not provide would-be hackers any detailed instructions. Apple has reportedly been notified of findings. A full disclosure of the hack will be released at the Black Hat conference on August 2nd.

According to the site, in their proof of concept, the exploit can read the log of SMS messages, address book, call history, voicemail data and transmit it to the malicious site.

The principal security analyst admits "It's not the end of the world; it's not the end of the iPhone" and it appears it hasn't changed their enjoyment of the iPhone itself. Even the security firm's founder states that while he may more cautious about using a random public WiFi network, "you'd have to pry it out of my cold, dead hands to get [the iPhone] away from me."




Article Link

[dfnj123]

looks like apple better come out with a firmware update fast

[jjarmoc]

Well, this should be fun. I'll be out at blackhat watching this one anxiously, with an iphone in my pocket the whole time.. heh

I'll hold off on judging this until we see some details of what exactly they've found.

[twoodcc]

Quote:

Originally Posted by dfnj123

looks like apple better come out with a firmware update fast

yeah they need to. and i'm sure that they will

[coumerelli]

Here's the deal - don't go to random websites that present themselves to you. Simple. I also don't go to dark alleys...at night...by myself....with my iPhone. I just don't. Now, I'm not saying this isn't important, but my parents didn't raise no dummy. It's called caution.

[JPyre]

Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

[retroneo]

This is great, you can check to see if your girlfriend is cheating on you without even asking! Just SMS her the link to your specially modified site, and then you can see her call history and messages!

or

This is bad, now my girlfriend can check to see if I am cheating on her without even asking! She just SMSes me the link the her specially modified site, and she can see my call history and messages!

[nimbuscloud]

Quote:

Originally Posted by JPyre

Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

Actually, you can. I'm listening to Depeche Mode while replying to your comment...all from my iPhone.

[jjarmoc]

Quote:

Originally Posted by JPyre

Thank god... this should speed up a much needed update. I want to listen to my music while browsing the web like it's been advertised.

Uhhh.. that feature's always worked fine for me.

[Analog Kid]

One of the risks of building this on a full OS X platform. Good news is that any fixes made to the desktop or iPhone should benefit the other...

[anaknipedro]

I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.

[badtzmaru]

at least we know an iphone update is coming before, or around, august 2!!

[ErikGrim]

Quote:

Originally Posted by anaknipedro

I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.

Why would this be FUD? Unlike the other recent claims of OS X worms and not to mention the whole Month of OS X bugs debacle, these are "ethical" hackers, disclosing the information to Apple FIRST so that they can issue a fix before releasing the information to the general public.

These kind of independent security analyses actually benefit the end user rather than harm them. There's no FUD here at all. Read their FAQ.

[Lancetx]

I'll bet Apple gets a fix out there before this August 2nd conference occurs. I'm not alarmed, as this will get fixed soon enough. In the meantime though, I'll just make sure not to connect to any unknown wi-fi networks.

[badtzmaru]

before anyone says "this is impossible" visit the firm's website and read their preliminary paper (ignore the part about the iphone being released on june 28

http://www.securityevaluators.com/