Metasploit Creator Distributes Exploits for iPhone

Discussion in 'iPhone' started by Cleverboy, Oct 18, 2007.

  1. Cleverboy macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #1
    They tried to warn you. They said, "we're trying to make the iPhone secure", and people skoffed, laughed and geered, and said "apple is just trying to take away our apps! Don't upgrade, oh, check out this new exploit, let's distribute the code for using it!"

    As Apple worked to close more holes, people questioned why apple still didn't feel the platform was ready for primetime 3rd party development, and why it may have released its 1.1.1 before giving it more tests... now, behold the form of the destroyer (okay, maybe a tad melodramatic, but...).

    READ THIS ARTICLE:
    http://blog.wired.com/27bstroke6/2007/10/metasploit-crea.html

    No... we don't need "certificate signing" at all. Malware and malicious scripts will only be comprised of daisies and fuzzy bunnies when it comes to the iPhone.

    Let's make sure we keep reporting problems to Apple, and upgrading our iPhones, and wait for February for secure 3rd party app support (or be responsible about what you're opening yourself up to, ok?) I really don't want to hear about the gnashing of teeth when your phone begins making calls by itself in your pocket, after a script successfully breaks in and starts dancing the jig on your mobile minutes, text messages, email and sending out your personal info.

    We need a secure platform, and considering 3rd party apps like Apollo and MobileChat store your Google, MSN, and AOL passwords in clearly readable (and transmittable) unencrypted text... apparently very few people are concerned enough to make it a priority.

    So... um, what DefCon are we at now?
    ~ CB
     
  2. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake
    #2
    Ironically, one of the first things high-powered WM phone users do, is look on the web and find out how to unlock their phone to all applications, signed or not.

    That way, they can use free programs written by developers who can't afford to buy the certificates.

    The boogeyman is much smaller than Apple's greed would have you believe.

    The difference and beauty of a handheld is that they're not as vulnerable as desktops for a good reason: even if it gets messed up, you can easily wipe and restore.
     
  3. Cleverboy thread starter macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #3
    Crossing fingers that these same developers seem well-vetted by others who would dare to walk this road. For a consumer phone like the iPhone, this is a dangerous road indeed. Sites like Gizmodo or TUAW, regularly encourage folks that probably less than fit the definition of a "high-powered" user, to expose themselves to an open community not focused on making security any kind of priority.

    Interesting. The article doesn't seem to be about anything Apple is releasing to help people hack into iPhones... when you say Apple's greed, I get the impression that you're engaged in some significant speculation about how they'll implement the certificates.

    ~ CB
     
  4. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake
    #4
    Sorry, written before coffee. Make that "Apple's control freakhood".

    :p
     
  5. Cleverboy thread starter macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #5
    Agreed. Cheers. :D

    The thing that gets me, is that all this time after Digg made it big breaking the deal with Paris Hilton's phone being hacked into and people publishing all of her contacts, here we are in an interesting NEW position. A friend and I had mused over the idea of putting up a webpage showing all the celebrities/personalities who have iPhones. Given this kind of news... and considering the popularity of sites like Gawker, that help to make everyone into a celebrity stalker... suddenly, you just need to find all the notables with highly exploitable devices, with non-updated software (or other exploits not yet plugged), and its a PR disaster in the making. --At least something that might make people take it more seriously.

    I mean, has identity theft stories begun to meet with the desensitization of the masses? A kid at a McDonald's drive-thru window showed me his iPhone, when he saw mine. He gotten super-excited when I showed him all the apps I'd installed at the time (and since have removed), and lent me his iPhone so I could type in the web address to his notebook. I was greeted with a horror show of personal information sitting in there (bank accounts, passwords, etc). People really don't know.

    ~ CB
     
  6. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #6
    And the neat thing about the Paris story was that it had nothing to do with her device. T-Mobile's back-end systems were manipulated.

    http://www.washingtonpost.com/wp-dyn/content/article/2005/09/13/AR2005091301423.html

    It's a totally different ballgame to hack into a big system and go snooping through records for a celebrity than it is to specifically hack a celebrities personal device, no? :confused:

    A kid, as in he was under 18 years old?
     
  7. Cleverboy thread starter macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #7
    True. Single point of failure and one security fix as resolution with thousands if not millions of records at stake versus multiple isolated security flaws with no centralized, forced security updates, and a series of single devices at stake. I'm not sure if anything gets better or worse for the distinction if you're the one who gets hit.
    Yeah. All I remember seeing were the words "account number", and a bunch of scattered info before I hit "plus" for a new note. So, I'm generalizing. I know I had my first bank account at 16. He looked around that age.

    ~ CB
     
  8. Sobe macrumors 68000

    Sobe

    Joined:
    Jul 6, 2007
    Location:
    Wash DC suburbs
    #8
    so the question is, are those who hack the iPhone part of the problem or part of the solution?

    Or is the water muddy and the answer lies somewhere in between?
     
  9. thomasfxlt macrumors 6502

    Joined:
    Oct 12, 2005
    #9
    Hack the phone and give the data to Apple and your part of the solution. Hack the phone and post it all over the internet and you ARE the problem.
     
  10. Cleverboy thread starter macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #10
    Channel Web Network
    http://www.crn.com/security/202404419
    Interesting read.

    ~ CB
     

Share This Page