Questionable iPhone ‘hack’…unless you’re a bonehead
NEWS FLASH: If someone steals your iPhone, they can see all your contacts and make calls and send SMS messages on your account.
Apparently there is a new iPhone hack that allows hackers to take control of an iPhone and send off personal data residing in the iPhone memory — but it’s about as big a threat as having your iPhone stolen and I assume you keep control of your $500-$600 device. Upon seeing a link to this New York Times article, I was initially and instantly concerned and thought “Oh, that’s just great….the first security problem with the iPhone.” until I read it thoroughly.
Upon reading the site Exploiting the iPhone, I thought “What’s the fuss all about?” The exploit is delivered via the Safari browser on the iPhone but the risks seem quite low. Read these three points very, very carefully before you get too excited or concerned about this so-called exploit:
1) An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
2) A misconfigured forum website: If a web forum’s software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
3) A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
Are these real possibilities? Yes, but remote unless an iPhone user is a complete bonehead. Most forums disallow HTML in forum posts because of malicious stuff being put in and links in emails from those you don’t know should NOT be clicked on (and if you DO click on them, DON’T ANYMORE). Spurious links in SMS are rare, and who is getting spam SMS messages anyway?
Of course, I suppose most people are so naive and inexperienced that perhaps they don’t think critically about security online and I guess those of us more savvy have to protect them against themselves. I just don’t see the threat being all that big a deal unless you’re with that group of security researchers at Independent Security Evaluators who uncovered the ‘exploit’ and are certain to have done it to gain attention (which they got….thank you New York Times).
6 Comments
Leave a Comment
About Steve Borsch
Strategist. Learner. Idea Guy. Salesman. Connector of Dots. Friend. Husband & Dad. CEO. Janitor. More here.
Connecting the Dots Podcast
Podcasting hit the mainstream in July of 2005 when Apple added podcast show support within iTunes. I'd seen this coming so started podcasting in May of 2005 and kept going until August of 2007. Unfortunately was never 'discovered' by national broadcasters, but made a delightfully large number of connections with people all over the world because of these shows. Click here to view the archive of my podcast posts.
Thanks for posting some insight/thoughts on this so-called “hack”…when I read about it this morning and went to the site (unfortunately adding to their site hits) and saw the youtube video and their explanation; it sounded really shaky. IF, the iPhone could be compromised via a web browser, couldn’t any mobile phone with a web browser?
jonz72: I’ve read most of the blog posts and so-called “news” articles (i.e., lacking any critical thinking or analysis) and everyone seems to simply be reporting on the hack vs. looking at the low risk.
But I guess the reason Las Vegas and the Powerball lottery do so well is that people don’t think about the staggering odds against them, but instead for the tiny chance they could win. The Bush Administration artfully using terrorism as justification for nearly half a trillion dollars spent and nearly 4,000 US lives (and an untold number of others killed in Iraq) is playing on a fear of death that is incredibly unlikely for any individual US citizen. So I guess having all these blogs and sites yell, “Oh my God! The iPhone has been hacked!” without critical thinking should come as no surprise.
I don’t know about other web browsers in phones but any Wifi phone could undoubtedly be spoofed with a Wifi access point in the same fashion as this so-called hack.
This isn’t critical thinking, this is burying your head in the sand. Why is okay to have to worry about which websites you visit? I expect a browser to protect against such attacks, and if it does fail, to not subsequently leave my phone at the mercy of a hacker. This is too much to ask?
Jonz72: If all phones used the same browser as the iPhone, they’d probably all be vulnerable in some fashion or other. However, I believe that Apple’s is the only mobile phone using the Safari browser. Part of this exploit targets the browser specific to the iPhone, though, that’s why this is an iPhone problem.
n00b: You are exactly the type of person Steve is describing. It is specifically not advised to browse suspicious sites on any browser, mobile or not. You should not expect it to replace safe browsing techniques. Also, Nokia uses WebCore for their S60 browser, same as Safari, so it too would be vulnerable to the same types of exploits.
That said, I think the wifi exploit is an actual threat. If you frequent a free hotspot (most are not secured), it is easy for someone to mimic it and catch you. Of course, this also applies to other browsers.
Questionable iPhone hack…unless youre a bonehead
The latest and greatest from Apple Computers, the iPhone, has been hacked. By getting your on-phone browser to goto a website with malicious code, Hackers can take control of your phone. Hackers can also break into your phone via the WiFi wireless card…
Jonz72: Why would you avoid a security research firm’s site, just because they found something that you don’t like?? It’s news because so many people are going to have the device… One of the guys who found the exploit was asked whether he would give up his iPhone because of the security hole… his response was pretty telling: “It’s like any other computer,” he said. “As long as you’re careful about the sites you visit and know what wireless access point you’re connecting to, you should be safe.”
They know it is up to the user to stay safe, they don’t hate the iPhone (he seems rather fond of it actually). However, security firms serve the common good by keeping manufacturers on their toes. Either they find this stuff and get it out there peacefully or more malicious folks get it out there and cause real damage. What kind of media coverage do you think it would get then?
Sumocat:
WebCore is an Apple product so it is still a problem with Apple’s code. I believe this iPhone hack illustrates how much Apple has benefited from their relatively thin market share. I’m not bashing Apple guys, so just give me a minute. All I am saying is that once Apple got something this close to a full-fledged computer out to the masses it was guaranteed that exploits would pop up. Any good designer knows that the best method for hardening your code is to have it attacked like crazy. When it comes to hacks and the like, Apple has enjoyed a honeymoon relative to Microsoft. Nothing ends that for you quite like putting your code out there and hyping it up. I think we will see a steady stream of stuff like this in the near future. I also think it is good for the consumer as all companies are in the business to make money, not to keep the consumer safe. It takes stuff like this to push corporations toward more secure products…