iPhone Gets iHacked

The iDork

Everyone and their grandma is always giving Microsoft a hard time about their security (or lack thereof). Why? Because their software is used across the globe more than any other software, making it a prime target for hackers. I mean, why would you try to hack Linux when only a handful of people are using it? Might as well get more bang for your buck by writing a virus that targets Windows users, right?

Look out, Apple. Your success might just give you a taste of Microsoft’s medicine.

It was recently discovered that the beloved iPhone (the overpriced piece of plastic that makes you feel cool when others gawk at it) isn’t quite as secure as people thought. What? An Apple product isn’t secure? Nonsense! Steve Jobs would never allow that!

Believe it, sister. It appears that someone can hack in via Wi-Fi, e-mail/text message, or malicious web pages, allowing full access to your pretty little phone. Watch those nude photos of your girlfriend get swiped and uploaded to the web. Whoops! Sorry, honey!

The way I see it, if you’re one of those in DC who owns an iPhone, you have three options:

1) Don’t keep any sensitive material on your iProduct.
2) Be careful of the websites you’re browsing as well as the wireless access points you’re connecting to. Use your best judgement on this one as to what “secure” and “safe” mean.
3) Do this.

17 Comments so far

  1. fedward (unregistered) on July 25th, 2007 @ 1:29 pm

    Against my better judgment, I’m going to respond to this.

    OK, so you hate the iPhone. Whatever. Have fun with that.

    I take issue, however, with your proposed solution to this exploit. If one goes to the Exploiting iPhone web site (that URL is at the end of the linked video), one reads:

    Should I turn my iPhone off and lock it in a drawer until Apple fixes this?
    Not unless you plan to do the same to all the other computers you own. The iPhone is an internet connected device running a relatively full featured software suite: this research shows that it is vulnerable just like many other similarly capable devices, both PCs and embedded systems.
    What can I do to avoid such attacks?
    The same things that you should do to avoid attacks on your laptop. Only visit sites you trust. Only use encrypted WiFi access points you trust. Don’t open web links contained in email messages.

    I’m not going to lose any sleep over this. The exploit as demonstrated is a man-in-the-middle attack using a WiFi access point. In my experience with WiFi networks a compromised access point is a known risk, and it’s not hard to figure out if you should be trusting any given network. Forgive me while I get back to using my iPhone.


  2. Max (unregistered) on July 25th, 2007 @ 1:34 pm

    You’re right, I hate the iPhone and I am having fun with it!

    I’m just happy to see someone finding a flaw in an Apple product. Wait – you mean they’re not perfect like the Apple-Koolaid-Drinkers think they are?


  3. Tom Bridge (unregistered) on July 25th, 2007 @ 1:35 pm

    Fedward’s covered the important part. The FAQ, and the actual hack itself, seem to indicate what we’re seeing is the classic compromise-the-access-point, compromise-the-device hack. Don’t visit sites you don’t trust. Don’t join access points you don’t trust.

    Those, and you’re good to go.


  4. Tom Bridge (unregistered) on July 25th, 2007 @ 1:37 pm

    Besides, since the hackers did the right thing, it’s not like the code’s in the wild either ;)


  5. Don (unregistered) on July 25th, 2007 @ 1:40 pm

    I don’t really give a crap and I think this is a pretty weak exploit, BUT, don’t visit pages you don’t trust? Don’t join access points you don’t trust? The whole point of the web is to spider from place to place, asking naive users to concern themselves with ‘trust’ in any but the most basic way is unreasonable. Asking users of a device that by default connects to any access point it finds to not join access points they don’t trust… that’s just insanity. The iPhone is designed in such a way that you’re expected to think about those APs only marginally more than you do which cell tower you’re connecting through.


  6. fedward (unregistered) on July 25th, 2007 @ 1:46 pm

    Hey Don, don’t look now but you’ve received a greeting card from a school friend. You better go click on that URL.

    Seriously though, I keep WiFi turned off on my iPhone except when I specifically intend to use it, and I have the thing ask me before it joins a network. That’s the same thing I’ve done for years with laptops. Yeah, EDGE is slow, but at least with AT&T I know the risks. Better the devil you know …


  7. Tiffany (unregistered) on July 25th, 2007 @ 1:52 pm

    1. Not even tangentially related to DC. Not that everything that gets posted here is uber-relevant, but most authors at least make some basic effort to relate Metroblogging DC posts to, you know, DC.

    2. 70% of the Internet runs on Linux servers. So much for not attacking it because of that “handful of users.” “No one attacks it because no one uses it” is, and has always been, an invalid argument, and only makes you look less informed for making it.

    3. ZOMGWTF, a WiFi access point owned by some nefarious person can put the ha4xx0rs on your machine! Well no kidding- that’s like saying “ZOMGWTF! That skeevy guy at Clarendon Ballroom who brought me a drink could have put GHB in it!” It’s a nice idea that users shouldn’t have to think about “trust,” but you wouldn’t tell your daughter not to think about that as she heads off to college. The mitigation all comes down to, “Don’t do dumb shit.”


  8. Tom Bridge (unregistered) on July 25th, 2007 @ 1:54 pm

    Don,

    This is the short-term solution to the problem until Apple issues the fix, and frankly, it’s good IT policy in general.


  9. Don (unregistered) on July 25th, 2007 @ 2:01 pm

    You only need to see how many machines have been hit by drive-by installs of spyware to recognize that it’s not just opening links in skeevy emails that gets you bothered, Fedward. I’m not advocating willy-nilly browsing but there’s a reasonable limit to how much you can pawn off on the user to prevent. I don’t write MS a pass for the flaws in IE that let so much drive-by install happen over the last four years and I’m not going to write Apple one for a flaw that will let a browser look at all the map lookups a phone user has done.

    Additionally, you as a much more savvy than average user (don’t get a swelled head :) may have auto-connecting to wifi turned off but my understanding is that it’s the default for the iPhone to connect as it finds. Plenty of people using Windows XP SP1 should have gone and turned their software firewalls on but for the most part people don’t go looking for those things, particularly not ones that are going to cause using the phone’s internet services to be more intrusive.

    I don’t think this is a big deal for the average user but soft-selling it doesn’t do anyone any favors.


  10. Don (unregistered) on July 25th, 2007 @ 2:22 pm

    I really don’t want to sound like I’m on a different side of this fight than I really am, Tom, but saying it’s good policy in general seems pretty weak when it’s NOT the default policy and setting on the iPhone. MS said the firewall should be turned on… but didn’t make it a default setting till SP2.

    Additionally, the exploit finders mention that there are other ways a compromised page could be opened. I don’t know why they call out forum software in particular, but one way people get stuff in front of people is through ads. My most recent look at BoingBoing showed a story that had updates about some browser harassment done through code in a banner ad.

    Given that the exploit shows how the phone can be made to barf up information about your location (through the maps) as well as text messages and address book items I’d say sleazy ad jerks would be notably motivated to put out banner ads that exploited phone users.

    There’s no need to panic but there’s also no need to write software manufacturers a complete pass for poor security design by writing this off as a “don’t do stupid shit” problem. This isn’t a security problem that’s the equivalent of complaining about a weak lock on a closet door. The browser on that phone is a major selling point and meant to be the window into the world. Being peeved that Apple failed to sufficiently secure it when it contains a lot of very personal data isn’t just reasonable, it’s practically compulsory.


  11. Wayan (unregistered) on July 25th, 2007 @ 2:52 pm

    What y’all might not know is that Max is a Microsoft man – he even -gasp!- uses Explorer!


  12. david (unregistered) on July 25th, 2007 @ 3:09 pm

    Sigh. Maybe it was silly of me, but when I subscribed to the RSS feed of Metroblogging DC, I expected posts to be related, however thinly, to DC.

    I didn’t realize this served as a personal soapbox for the writers for any topic that comes to mind.


  13. Tom Bridge (unregistered) on July 25th, 2007 @ 3:12 pm

    David,

    The iPhone has come up in our posts prior to this one, and could be considered tangentially relevant. Please take a look at the coverage of the Fringe Festival, or some of our other posts that have been made today, and you’ll see that we’re not just “any topic will do” posters.


  14. Tiffany (unregistered) on July 25th, 2007 @ 3:19 pm

    The default behavior of the iPhone is to ASK before connecting to an unknown network, just like on my Mac. You get a little dialog box that says something to the effect of “Look at these WiFi networks I’ve found! Would you like to connect to one?”


  15. Max (unregistered) on July 25th, 2007 @ 3:23 pm

    I’ve updated my post to link to some previous DC/iPhone related posts.

    And yes, I am a Microsoft man, do use IE (and love it), and have never had a security breach on any of my PCs because

    1) I have a firewall.

    2) My wireless network is encrypted.

    3) I have antivirus software.

    My point is (for all of you DC people reading this DC blog), be careful using your new iPhones. Don’t keep your SSN or any other sensitive info on it!

    My other point is, if Microsoft had created an identical phone (the Zune Phone?) and it was hacked, the media would be all over it like white on rice.


  16. Tiffany (unregistered) on July 25th, 2007 @ 3:45 pm

    One shouldn’t keep that kind of data on a phone anyway, not just because it’s “hackable,” but because it’s a good idea to not keep sensitive personal data on *any* small object that can be stolen from you whilst you’re out and about, and to have a backup plan to protect that data for when carrying it around is unavoidable.

    Don’t keep your SSN on your phone, but don’t carry your Social Security card in your wallet, either. Don’t keep nude photos of your girl on your phone… but don’t carry them on a thumb drive on your keychain, either. It’s certainly worth being concerned about the possibility of having all your friends’ contact info swiped from your phone while it’s still in your hands, certainly, but taking reasonable steps to protect that data (like carefully considering which WiFi points to use) is as elementary a security precaution as not leaving your phone out on a restaurant table when you get up to go to the bathroom.

    To go back to the earlier metaphor… no one complains (or gloats) that my Jack’n’Coke is insecure just because some perv can slip me a roofie on its way to my table. They just warn me not to let strange men handle my drinks.


  17. Don (unregistered) on July 26th, 2007 @ 10:18 am

    As soon as I see an ad marketing the jack and coke as something that you are supposed to hand back and forth between yourself and other people I’ll consider that a remotely relevant metaphor.

    The exploit discoverers mention that with the acquired administrative access the attacker can do -anything- the phone can do, which includes dialing. For a period of time there was a pervasive run of malware that would use the PC user’s modem to dial out to very expensive telephone-based services in order to make money for the malware-writer. Do you really think they wouldn’t be interested in making the iPhone do this?

    This isn’t just a “don’t keep private stuff on your phone” issue.


