SECURITY: Newsweek - Spectre of the Great iPhone Epidemic

Cleverboy

macrumors 65816
Original poster
The phenomenal visibility of Apple's iPhone may spell the end of the cell-phone industry's age of innocence. Mobiles have been largely immune to the viruses and other "malware" now inflicted on PCs at the rate of 15,000 per day (up from five per month in 1990). So far, there has yet to be a major cell-phone virus.

Security experts worry, however, that all the excitement surrounding Apple's newest device will work on hackers like a red rag to a bull. "The hype around the iPhone's launch makes it almost certain that virus writers will attempt attacks if only to impress their cybermates," says Graham Cluley, consultant at the Web security firm Sophos.

So far most phones haven't been smart enough to support truly destructive viruses, which generally require a broadband connection to the Internet and a hefty memory. The popular BlackBerrys and Treos aren't vulnerable because most are issued by companies whose IT departments impose strict limitations on what employees are allowed to download. The phone viruses in circulation at present—mostly variations on just two main worms, Cabir and Commwarrior—can function only on a handful of smart phones that run the Symbian operating system. Both viruses require the phone user to accept the invading malware because the phones they target aren't capable of doing so automatically. As a result, neither virus has reached even close to epidemic proportions, leading technology experts to label them "proof of concept" viruses, rather than genuine threats. The iPhone, however, operates more like a computer than any mainstream mobile device ever has. It has a Web browser that works like a PC's, and it supports advanced applications like iTunes.

Apple CEO Steve Jobs acknowledges the problem. "People are going to try and break in," he said at the iPhone's London launch, "and it's our job to try and stop them." So far Apple isn't saying how. David Perry, global director of security education for the Internet security firm Trend Micro, isn't convinced there's an easy fix. Next year, he predicts, the world will see its first serious viral epidemic in cell phones. It will most likely make its way onto iPhone's Safari browser via the Web, and then compel the phone to call an expensive number repeatedly or download the same costly ringtone again and again—running up a massive bill.
READ MORE:
http://www.newsweek.com/id/41992

Is an epidemic coming to this self-described "always connected" device, with lots of processing muscle, and access to e-mail, text messaging, and Internet browsing? How hard will it hit when it arrives? Will legions of people refuse to upgrade when Apple releases the patch, because they're stuck to a specific unlock scheme, or afraid to lose installed apps not written by Apple?

I don't buy the scenario Newsweek suggests for a number of reasons, but I agree that cold, hard cash is a very appealing motive. There are a number of ways to manipulate that result, however, provided the virus obtains the right information.

~ CB
 

kdarling

macrumors P6
Thanks for the story.

Other phones have been "always connected" for years, have memory and cpu to spare.

The main reason the iPhone is currently extra susceptible, is because its Safari browser continues to have security holes. Close them, and it'd be safe from at least the web vector of hidden code.

I do think the iPhone (and Jobs' scary talk) has unfortunately raised the spectre of more phone viruses. It's a pity that it might be remembered for that in the future.
 

Cleverboy

macrumors 65816
Original poster
Other phones have been "always connected" for years. The main reason the iPhone is currently extra susceptible, is because its Safari browser continues to have security holes. Close them, and it'd be safe from the web vector of hidden code
Sure, but the Newsweek article specifically cites the WAY iPhone operates "more like a computer" along with its "always connected" status (which isn't new, but it is simply another piece to the "perfect storm" if you see the inference), along with processing power, root access and available system memory. John Gruber, I think, made a number of good points in a post to his blog.
So clearly there is some merit to Jobs’s stated security concerns. As it stands in the current iPhone OS, all processes run as the root user; in broad layman’s terms, any process has access to everything else on the phone. So when a buffer overflow can be exploited to allow remote code execution, that code can do anything. To allow third-party iPhone apps to run today would be to trust those third-party developers not to write code with any security flaws.

What the iPhone needs before Apple will allow third-party apps to run is some sort of sandbox, a way to prevent application processes from being able to access things they shouldn’t be allowed to access.
From my understanding, most phones do NOT run under these conditions. As the Newsweek article suggests, many smartphones like Treos or Blackberries employ various security policies that the iPhone, currently a closed platform, has not really begun to implement.

I know there's a distinct want to poo-poo everything, but I don't think this all goes away by simply wanting it to.

I love my iPhone. I just want a secure platform, and I really really don't want to hear the howling later, of a thousand people misled by snarky blogs and good intentioned rogues, who didn't see something preventable coming from a mile away.

~ CB
 

calvy

macrumors 65816
Sep 17, 2007
Oh come on, I know I've heard about at least one Windows Mobile virus. I hardly even open Safari on my iPhone, so hopefully that keeps me from most virus attempts that come along.
 

kdarling

macrumors P6
Well, it's true that Blackberries and Windows Mobile phones have several security tiers.

Many are set to a middle tier, wherein third party apps can run but not access the dialer, etc, unless they have a certificate. Other phones (and a lot of users run "app unlockers" to make theirs this way) allow running any program after the user is first asked.

I'm in the latter category. I app-unlock my WM phones, and only run third party apps that I've bought or that are well known. (And of course, my own apps that I write.)

I never heard of a WM virus outside of labs. Years ago, there was a Nokia one that vaguely sent itself around via Bluetooth once the owner accepted and viewed an MMS, I believe. That's all it did, though.

Again, mobile devices have a great way around problems, that desktops don't. You can much more easily wipe out and restore most handhelds. Got a problem? Zap the whole thing and reload.
 

Cleverboy

macrumors 65816
Original poster
Oh come on, I know I've heard about at least one Windows Mobile virus. I hardly even open Safari on my iPhone, so hopefully that keeps me from most virus attempts that come along.
It's funny. There was a digg article the other day that posted a URL to a Google search result page, displaying numerous network-connected printers whose owners didn't realize they were exposed. Diggers from all around started attempting to utilize the printers, one amusing message reading "Small Animal Stuck in Paper Tray". It's really funny, until such a security problem results in something less than funny.

You don't necessarily need to enter Safari to cause a problem with arbitrary code execution. Did you notice the Bluetooth issue also fixed by the 1.1.1 update? Or, how about the Mail flaw?
When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information.
For example, everyone with an iPhone is likely familiar with the "linksys" default name being used on far too many wireless routers. Your phone sometimes sees the familiar name, and tries to auto-connect to it. In some cases, this attempted connection might simply bring up a login webpage instead of the page/URL being requested. That WiFi hot spot is however now serving up your Internet access and could potentially capture your mail server host name and pretend to accept your credentials while simply recording them. There were a number of WiFi related exploits that work off of this "masquerade" principle.

Honestly, word to the wise.

Again, mobile devices have a great way around problems, that desktops don't. You can much more easily wipe out and restore most handhelds. Got a problem? Zap the whole thing and reload.
Mm. What happens if the problem persists through your User sync areas, and surreptitiously reapplies itself to your phone after a restore, without your knowledge? Food for thought anyway.

~ CB
 

Cleverboy

macrumors 65816
Original poster
Many are set to a middle tier, wherein third party apps can run but not access the dialer, etc, unless they have a certificate. Other phones (and a lot of users run "app unlockers" to make theirs this way) allow running any program after the user is first asked.

I'm in the latter category. I app-unlock my WM phones, and only run third party apps that I've bought or that are well known. (And of course, my own apps that I write.)
I get the impression that you're the one your family turns to when their computers go into meltdown. :) My caution, is that as is, the iPhone doesn't make those "security" distinctions yet. Until 1.1.1, even a webpage could trick you into dialing a wrong number without much effort.

I'm looking forward to a certificate system on the iPhone like these others have. Sure, there may be app-unlockers for the iPhone too, but hopefully websites like Gizmodo or Engadget don't encourage people to utilize these as a routine "first step" in getting into 3rd party apps. Right now, "power user" behaviors are being described to those folks that aren't power users, and people are becoming dangerously blind to securing their personal information.

As the platform matures, I don't believe anything occurring today will VANISH so much as it will evolve and be covered over by new ideas and things people will want to promote. The same reckless abandon will still exist unless more people get on the same page about it.

~ CB
 