There haven’t been too many iPhone exploits, it seems, despite the popularity of said devices. However, Charlie Miller, a security researcher, recently uncovered a vulnerability in the iPhone OS that could possibly “allow an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.” Scary, isn’t it? They say it’s not very likely that others will exploit it even on a small scale before Apple issues the patch, but having a hole like that just sitting there makes me glad right now that I don’t own an iPhone.
There’s always a time for the poor paranoid being to be glad he’s got 20 different phones from different manufacturers and with different OSes. MMS/SMS vulnerabilities come and go and everybody has them.
P.S. There is a bug in the comment box. It claims (with a star *) that the Comment Title box is mandatory but it is not. Then again the Your Comment box is not marked as mandatory.
Edited 2009-07-04 05:35 UTC
Yeah it’s unfortunate that people never realize this.
People think, like this OSNews editor (no harm intended btw), that their computer/phone/whatever is secure because there’s no big announcement saying “omg here’s a vulnerability”.
But if in 2 years someone releases one, it means your computer/phone/whatever has been open to this hole for 2 years.
And most likely, yours does have them. Mine too. Everyone’s in fact. We just hope as few as possible, and the product to be either as used as possible, so people actually find issues and fix them (iPhone) or not very well known so no one takes the time to research them.
But trust me, for webOS, Symbian, etc, there’s a lot of “known” exploits that didn’t make it to the media/vendors/etc and make your phone vulnerable. Due to jailbreaking stuff the iPhone gets quite a lot of review actually, which is a good thing. (yet light years from “very good”, but better than some)
I truly doubt the intent is to bad-mouth Apple or to disqualify Apple as a good product company. The intent is to inform users and make them aware and nothing else and let me not remind you that if this was MS’ Windows OS, this (or maybe another site’s) thread would have been flooded with comments about how “bad” MS is.
…and tired of this kind of FUD.
“They say it’s not very likely that others will exploit it even on a small scale before Apple issues the patch, but having a hole like that just sitting there makes me glad right now that I don’t own an iPhone.”
There are too many people on the internet writing so much bullshit that sometimes I just want to disconnect.
OMFG!!!1!!! Th3r3’5 a s3cur1ty h0l3!?!11!!
Ugh. I apologize for being a jerk. But I’m already in a foul mood and…
Our company makes us take security training every year. We have some security professionals come in and teach our engineers (myself included) all the potential security risks we or bad people could exploit. We are taught HOW to hack a website (although strictly advised to never ever do it to a REAL website) in the hopes that we will write better code. They then run a battery of tests against OUR website and provide us with a report on the various weaknesses open to exploitation.
They weight the results. They indicate the probability of exploitation and the level of damage that might be caused. In our case it turned out there were some smaller holes that could be exploited but that there was no chance that *real* damage (i.e. credit card info stolen, etc.) would occur. There were a couple of potential exploitable holes that COULD cause severe damage but the caveat was that the person doing the exploiting would have to be VERY good, and VERY knowledgeable.
The LIKELIHOOD of this occurring was very very small.
The problems were immediately addressed for the next release.
But in a very real sense I think there is an entire business based on instilling FEAR in corporations based on potential security risks that are very very small.
What irks me more is when people respond with “well I’m so glad *I* didn’t use that software” or what-have-you, as if they have any idea what they are talking about in the first place.
I’m glad I don’t own an iPhone, and it’s not because of this one security flaw. It’s because Apple’s software has a history of poorly-designed security systems. It’s because Apple’s software often ships with really daft security flaws that should have been picked up by the original programmer, let alone Apple’s QA. And it’s because Apple sometimes takes its time to fix major security problems, and if the problem is due to the design and not the implementation they might just never fix it.