Turning the iPhone Into a SpyPhone
by Erick Schonfeld on November 16, 2007

In a demonstration of what can happen when someone hacks your iPhone (or any computer-like phone, for that matter), Fast Company commissioned a security expert to show what is possible:

So we purchased an iPhone for Rik Farrow, a UNIX specialist and consultant from Sedona, Arizona, and commissioned him to crack through its defenses, which he did using H D Moore’s Metasploit, a popular platform for testing security systems. The result is this video, in which Farrow was able to take complete control of an iPhone and demonstrate the ability to eavesdrop on conversations, intercept voice mail and e-mail, and upload nefarious software programs. “Physical access to an iPhone,” Farrow points out, “is not required.” Although in Farrow’s demo the Wi-Fi was turned on — common enough for iPhone users, since AT&T’s EDGE network makes Web surfing slow and laborious — Moore says his exploit can work on EDGE, too.

If you know your target’s phone number, you could text message a link to a malicious Website, which would covertly install a third-party application executing malicious code. The corollary would be to send your target an e-mail with a nefarious attachment; he clicks on it and the attacker “owns” the phone. Or there’s always the “man-in-the-middle” (MITM) attack, which is perhaps the most James Bondian: You sit in, say, Starbucks with a laptop set up, as part of the ruse, to operate as a Wi-Fi access point, so a target’s Web browsing and e-mail pass through your computer first. (How can you tell who has an iPhone as opposed to someone with a standard laptop, rival smartphone, or PDA? Simple — the exploit only works on iPhones.)

The Metasploit hack referenced above has since been closed in the latest patch to the iPhone’s software. But the more iPhones that are out there, the more appealing targets they become. Here’s the video of the hack (warning: watching someone write code in a 6-minute video is worse than watching paint dry—unless you happen to like that sort of thing).


Comments

  • This is a great example of why you should always be careful with where you keep sensitive data.

  • Paris Hilton better patch up her iPhone

  • Any of these security issues are easily avoided with common sense. If you don’t have enough sense to not click on suspicious links or use suspicious networks by now, I would imagine you’re not in a position to have conversations that are worth spying on.

  • Paly, Paris Hilton has no common sense, yet her conversations can be very profitable to spy on.

  • Can’t wait for the GPS enabled iPhone to show up!

  • hahaha this is ridiculous!

    But I do agree with comment #3, Paly – you really need to be a moron to click on a random link from a random text message!

    Apple’s still got a long way to go with fixing up all of these iPhone problems

  • psychiatrist consultations afterwards will eat all your profits

  • trust apple. apple knows best. ignore the man behind the curtain, you don’t need an open mobile platform. ease of use is more important than security.

    ease of use
    ease of use
    ease of use

    we apple droids will just beat you over the head with this non sequitur no matter what the criticism

  • I didn’t realize that things like email and voicemail are stored locally to the phone in db files – for email I could see as a way of caching, but voicemail? I assumed these were requested from a server for playback – same as normal phones.

  • WOW!

    I can assure you this guy reads AstroPhysics magazines for a hobby, whereas, most of us given the choice would opt for EZPN Zone magazine or Playboy.

    All the hedge funds ears are now perking like a deer in the woods. These are some of the tactics they could use to gain “research information”. Of course I’m not saying they would.

  • Watch the last 10 sec. “This is not just a problem for the iPhone. This is a problem for any smartphone. For any widely distributed computing device.”

  • One very interesting technique you can do to completely get around the ‘make a user click on a link’ aspect is the man in the middle attack. There are some open source projects that allow you to inject / replace data in wifi networks that were shown at Defcon. So what you can do is replace images that are being requested with an actual link to your exploit on the net, and now Safari has loaded the link (thinking it’s an image..) without your consent.

  • It’s from AT&T … It’s already a spy phone.

  • Anyone who can patch into your phone number can listen through your cell-phone’s microphone even if the phone is turned off. This is true of any cell phone. The only true safeguard is removing the phone’s battery.

  • iPhones are and always have been evil and insecure!
    Get windows mobile, even the owner can’t get into it sometimes!

  • What is so special about iphone this time? If there is a security problem, it must exist on all other smart phones as well as Macs too.

    The funny thing is from the video I did not see how he broke into that iphone; it seems he has physical access to an iphone and runs some pre-installed software on that poor iphone by clicking a link from Safari. The problem is how did the link get into Safari in the first place?

    Just want to say of course it is very easy to break into a computer (iphone in this case) if you have physical access to this computer. But the question is in most cases do you really have physical access to somebody else’s iphone?

  • @17

    He is simulating someone getting a link via an email message on their iPhone and clicking on the link. That would take that user to Safari. Physical access is not required – the user has to only take a physical action (clicking on the link).

    Kudos to Apple/Jobs for withstanding the whiplash and trying to take the time to secure the phone before opening up the SDK. Most consumers prefer/need that peace of mind more than the ability to add 3rd party apps immediately.

  • Fake Ballmer:

    The really cool thing about Lyons is that he could post and behave in the voice of Jobs; you read Lyons, you thought there was a chance Steve might be behind it. It was that good. Not perfect, but real close.

    You, on the other hand, do not make the faintest attempt at sounding like Ballmer; your posts here, on CNet and elsewhere are just two-liners that are a) not funny, b) not believable, c) not even mildly interesting. There is no redeeming value whatsoever to reading you. Either give it up or do it right, will you ?

  • This is the same security hole that iPhone hackers were using to install their own applications. Jailbreak anyone???

    http://www.enga...an-also-be-use/

  • Another bit of drivel from Erik!

    Is there no editorial sense anymore in this blog.
    First of all, the guy wasn’t writing ‘code’.
    Second, this exploit has been known since close to the iPhone being launched.
    Third, why should anyone care. What are the SPECIFIC items to be aware of, and also how can I fix it.

    Erik, a fine piece of grade A drivel I could find on any recent computer science graduate’s personal blog.

  • Obviously, common sense beat me to the “Erick is somewhat dense” observation, but I came here to make that point so I’ll chime in as well. There wasn’t any code authoring in that video. You really need to raise the level of your game a bit.

  • Is there some way that I can record the phone call conversation from the iPod, and how does this work?
