Security Firm: iPhone Can Be Hacked

Security experts were able to exploit a flaw in Apple’s iPhone in order to remotely control the device and divulge personal information like text messages, contact information, call history and voicemail. Such a hack could take place via a bad website or by tricking users into connecting to a malicious wireless access point, according to a team of researchers from Baltimore-based Independent Security Evaluators (ISE). For the test, the team—Charlie Miller, Jake Honoroff and Joshua Mason—inserted a bit of code through a vulnerability in iPhone’s Safari web browser to take control of the phone. The team created a malicious HTML document that, when viewed through the phone's Safari browser, forced it to make an outbound connection to one of ISE’s servers. Though the team only retrieved personal data, it said it could “just as easily have retrieved any information off the device,” according to an ISE release. Through a second exploit, researchers said they could program the phone to dial phone numbers, send text message or record audio (as a bugging device) and subsequently transmit it over the network for later collection. A serious problem with iPhone security is that all processes of interest run with administrative privileges, meaning a compromise of any application gives an attacker full access to the device, according to the release. Additionally, the iPhone doesn’t utilize widely-accepted practices like address randomization or non-executable heaps to make exploitation more difficult, the company said. ISE will today post details about the vulnerability (though not a hacker’s guide) on www.exploitingiphone.com. Full technical details will be disclosed on Aug. 2, after Apple has had sufficient time to create software patches.