FSF Sets Up Fund To Pay For Experts Who Can Show How Flimsy RIAA Evidence Is
The Infringement Age: How Much Do You Infringe On A Daily Basis?
Kindle's Overpriced Content
WiBro's 'Success' Not Boding Well For WiMax

Turning Phones Into Computers Means They'll Have Computer-Like Security Issues

Predictions

from the hack-me dept

Mon, Nov 19th 2007 9:23pmTimothy Lee
A security expert claims that he's managed to remotely crack the iPhone. All that's required to pull off the crack is to get the user to visit a specially-crafted website that exploits vulnerabilities in the iPhone's Webkit-based web browser. Once the iPhone has been cracked, the attacker has complete control over it, including the ability to download the user's email and voicemail, and even to surreptitiously activate the iPhone's microphone and transform the iPhone into an eavesdropping tool. It's scary stuff, and it illustrates an important point about the iPhone and other smart phones: as our phones get more and more computer-like capabilities, they're going to face more and more computer-like security problems. And that means that phone manufacturers and users will need to be more aware of the risks of security breaches and take appropriate precautions. In this case, it appears that Apple's choice to lock out third-party applications has actually backfired. Because all of the apps on the iPhone are written by Apple, they apparently all run as the "root" administrative user. That means that there's no attempt to protect the phone from a misbehaving application. As soon as you compromise one application, such as its browser, you've cracked the whole phone and can do anything you want with it. That's in contrast to Mac OS X, which typically runs applications as a non-privileged user, giving the OS an added layer of protection in case an application gets compromised. Had Apple designed the iPhone as an open platform from the ground up, it's likely they would have paid more attention to the iPhone's security model, limiting the damage that one rogue application could do. Presumably, with the announcment of a third-party development platform for the iPhone, Apple is hard at work implementing those kinds of security precautions. But this isn't a threat that's amenable to a quick fix. Apple and other smartphone developers are going to have their work cut out for them trying to add new functionality to their products without exposing their customers to new security threats.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: iphone, mobile, security
Companies: apple

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 19 Nov 2007 @ 10:43pm

    Obvious headline is obvious

    link to this | view in chronology ]

  • identicon
    Overcast, 20 Nov 2007 @ 5:39am

    Does he *have* to use AT&T to crack it? Or can he use any Telco/ISP?

    link to this | view in chronology ]

  • identicon
    jon, 20 Nov 2007 @ 6:02am

    Meh, sounds like it's using the tiff exploit that was recently patched with the 1.1.2 update. Anything that communicates with the outside world is in danger of being hacked. Hopefully Apple and the rest of the folks can stay on top of things and keep the boogie man out.

    link to this | view in chronology ]

  • identicon
    Ed Wrenbeck, 20 Nov 2007 @ 6:03am

    Falling into the 'root' trap

    There has been much made about the fact that apps run as root on the iphone. The reality is that the interesting things on the phone are the users data. Any vector that was able to infect an Application running as root or as a user account would have the same effect for that user on any system. In the case of a phone, the difference is that there is only one user.

    link to this | view in chronology ]

  • identicon
    ProphetBeal, 20 Nov 2007 @ 6:08am

    Only a matter of time

    It was only a matter of time before this issue came to light. As technology changes and evolves so must the security for this new innovations.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Nov 2007 @ 6:52am

    Very old news

    Charlie Miller created a remote exploit within a month of the iPhone's release.

    http://www.forbes.com/security/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html

    link to this | view in chronology ]

  • identicon
    Adam Slagle, 20 Nov 2007 @ 6:54am

    This "security expert" managed to use a well-documented flaw in the .tiff handler - one that everybody and their mothers know about, as that's exactly how some of the jailbreak applications open the iPhone up to third-party applications.

    Apple patched this in 1.1.2, and and if you want to stay on 1.1.1, you can use a jailbreak that fixes the flaw behind itself, or use a third party application to fix it.

    Is it news if you take a well-publicised flaw that's already been patched and attach a payload to it? Or is it just someone capitalizing on the fact that most people don't read past headlines?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Nov 2007 @ 7:34am


    Presumably, with the announcment of a third-party development platform for the iPhone, Apple is hard at work implementing those kinds of security precautions.


    Not if they are going to require the applications to be code-signed by Apple to run, as has been indicated.

    link to this | view in chronology ]

  • identicon
    Freedom, 20 Nov 2007 @ 10:44am

    Wrong Headline...

    The right headline should be 'iPhones are prone to attack'.

    After all, haven't we heard that if you just buy a product from Apple instead of the evil-MS Empire you don't have to worry about viruses, spyware, and/or trojans? I hope this helps stop the common belief that one particular setup is immune from this c*ap.

    link to this | view in chronology ]

  • identicon
    OKVol, 20 Nov 2007 @ 11:51am

    How many people just want a cell phone to call som

    I don't want e-mail and web browsing 24 hours/day. I don't want to make Sprint rich by downloading new ring tones, I don't text anyone, I only attempted twice to use PTT with Nextel and it sucked worse than CB radios in the 1970s. The only cool use I have for my RAZR is playing MP3s while I work out.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Nov 2007 @ 4:05pm

      Re: How many people just want a cell phone to call

      Right on. The iPhone is an expensive useless mini computer that's hard to do anything on.

      link to this | view in chronology ]

  • identicon
    Hackers, 20 Nov 2007 @ 2:45pm

    All your iPhones are belong to us!

    link to this | view in chronology ]

  • identicon
    Phil, 20 Nov 2007 @ 3:51pm

    Turning Phones Into Computers Means They'll Have C

    Take a look at the crystal ball: As the amount of Mac users increase, so will security attacks on the computers. All members of the "Mac cult" will learn this lesson soon. Maybe not today, maybe not tomorrow, but it's only a matter of time before Macs become prone to virus and spyware just like PCs. Apple will soon find out their impenetrable fortress of security with no security software will just leave Macs open to attack in the future, because it's not a result of the greatness of Apple software just the fact that the market share of Macs is so low that it's not worth it to build malicious software for it.

    It's happening on the iPhone now, it's going to happen on Macs in the future. Anyone who thinks otherwise is delusional.

    link to this | view in chronology ]


FSF Sets Up Fund To Pay For Experts Who Can Show How Flimsy RIAA Evidence Is
The Infringement Age: How Much Do You Infringe On A Daily Basis?
Kindle's Overpriced Content
WiBro's 'Success' Not Boding Well For WiMax
Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

Friday

19:39 Important Announcement: Techdirt Is Migrating To A New Platform (0)
More arrow

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.