iPhone to Support Third-Party Security Exploit Applications
Here’s an unintended, but perhaps inevitable, corollary to the iPhone’s success: the proof-of-concept security exploit. Researchers at Independent Security Evaluators have discovered a vulnerability that could give an attacker unfettered access to an iPhone, with administrator privileges, and they have written a bit of code to demonstrate it. “In our proof of concept, this code reads the log of SMS messages, the address book, the call history and the voice-mail data,” the ISE team explains. “However, this code could be replaced with code that does anything that the iPhone can do. It could send the user’s mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.”
The vulnerability, which can be exploited through an attacker-controlled Wi-Fi access point or Web page, hasn’t yet been reported in the wild. And Apple’s working on a fix for it. That said, we’re certain to see others in the months ahead now that the iPhone has been proved vulnerable.
“Anything as complex as a computer–which is what this phone is–is going to have vulnerabilities,” Johns Hopkins professor Avi Rubin told the New York Times. “The irony is that the more popular something is, the more insecure it becomes, because popularity paints a large target on its back.”
Added Steven M. Bellovin, a professor of computer science at Columbia University, “It’s not the end of the world; it’s not the end of the iPhone. It is a sign that you cannot let down your guard. It is a sign that we need to build software and systems better.”