“A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device,” John Schwartz reports for The New York Times.
“The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain,” Schwartz reports.
“Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, ‘Once you did manage to find a hole, you were in complete control.’ The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem,” Schwartz reports.
Schwartz reports, “A spokeswoman for Apple, Lynn Fox, said, ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security,’ she said. There is no evidence that this flaw had been exploited or that users had been affected.”
“The Independent Security Evaluators researchers were able to crack the phone’s software in a week, said Aviel D. Rubin, the firm’s founder and the technical director of the Information Security Institute at Johns Hopkins University. Mr. Rubin, who bought an iPhone the day after the cellphone was released, said in an interview that he had approached three colleagues, Dr. Miller, Joshua Mason and Jake Honoroff, and offered them an enticing prize if they would try to crack the iPhone. ‘I told the guys I would buy them iPhones,'” Schwartz reports.
Schwartz reports, “Mr. Rubin said, ‘I will think twice before getting on a random public WiFi network now,’ but his overall opinion of the phone has not changed. ‘You’d have to pry it out of my cold, dead hands to get it away from me,’ he said.”
More details in the full article here.
“Researchers at my consulting company, Independent Security Evaluators (ISE) have found serious security vulnerabilities in the iPhone. They were able to take complete control of the iPhone device and run arbitrary shell code (see NYT article). To demonstrate this, they built an exploit that downloads personal information such as SMS text transcripts, address book entries, and email from the iPhone whenever a user visits a particular web site or connects to a particular WiFi network. However, the vulnerability can be exploited in many other ways. For example, an exploit could be written that would cause the iPhone to make an unnoticeable phone call to an attacker, who would then be able to monitor conversations by the victim. In other words, the iPhone could be turned into a bugging device,” Avi Rubin blogs.
“We contacted Apple on July 17 and sent them all of the details of the vulnerability. We also promised not to release any specific technical details of the vulnerability that would allow someone else to exploit it until our Black Hat presentation on August 2. This gave them plenty of time to produce a fix, and we showed Apple how to patch the vulnerability,” Rubin writes.
Full blog entry here.
More info via “Independent Security Evaluators” here.
[Thanks to MacDailyNews Readers “Fred Mertz” and “TowerTone” and “doc” for the heads up.]
While we strongly disagree with the “Security via Obscurity/Microsoft Apologists*” thesis presented in The NY Times’ full article, anyone helping locate potential security issues and allowing Apple to correct them with updates before end-users are affected should be applauded, if indeed that is the case here.
Of possible related interest, on Saturday The Associated Press carried an article by Anick Jesdanun that reported, “For some security researchers who uncover flaws in leading computer programs, a nod of appreciation from software companies is no longer enough. Now they want money.”
Jesdanun reported, “Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors’ in-house researchers ‘are making a lot of money to look for bugs and whenever someone from the outside finds something, they don’t get paid anything.'”
Jesdanun reported, “But Miller, after trying to sell two separate vulnerabilities himself including the $50,000 one to the government, concluded it wasn’t worth the trouble. He said it was difficult identifying potential buyers, and in one case the vendor had fixed the problem before he could complete the sale. ‘I would have loved to start a business out of it,’ he said. ‘One of the lessons I learned is that it’s impossible to do that.'”
Full article here.
*There are zero-percent (0%) of viruses for the Mac OS X platform that should, logically, have some 10-16% of the world’s viruses if platforms’ install bases dictate the numbers of viruses. The fact that Mac OS X has zero (0) viruses in the wild totally discounts “security via obscurity.” 23+ million Mac OS X installs is not an “obscure” platform at all, but 6+ years of Mac OS X users surfing unimpeded certainly is “secure.” There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to ‘obscurity,’ it’s attributable to superior security design.