Questionable iPhone ‘hack’…unless you’re a bonehead
NEWS FLASH: If someone steals your iPhone, they can see all your contacts and make calls and send SMS messages on your account.
Apparently there is a new iPhone hack that allows hackers to take control of an iPhone and send off personal data residing in the iPhone memory — but it’s about as big a threat as having your iPhone stolen and I assume you keep control of your $500-$600 device. Upon seeing a link to this New York Times article, I was initially and instantly concerned and thought “Oh, that’s just great….the first security problem with the iPhone.” until I read it thoroughly.
Upon reading the site Exploiting the iPhone, I thought “What’s the fuss all about?” The exploit is delivered via the Safari browser on the iPhone but the risks seem quite low. Read these three points very, very carefully before you get too excited or concerned about this so-called exploit:
1) An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
2) A misconfigured forum website: If a web forum’s software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
3) A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
Are these real possibilities? Yes, but remote unless an iPhone user is a complete bonehead. Most forums disallow HTML in forum posts because of malicious stuff being put in and links in emails from those you don’t know should NOT be clicked on (and if you DO click on them, DON’T ANYMORE). Spurious links in SMS are rare, and who is getting spam SMS messages anyway?
Of course, I suppose most people are so naive and inexperienced that perhaps they don’t think critically about security online and I guess those of us more savvy have to protect them against themselves. I just don’t see the threat being all that big a deal unless you’re with that group of security researchers at Independent Security Evaluators who uncovered the ‘exploit’ and are certain to have done it to gain attention (which they got….thank you New York Times).