So the folks over at Independent Security Evaluators claim to have found a remote iPhone exploit. Evidently this is big news, as it has already garnered an article in the New York Times (talk about media whoring) and been granted a coveted speaking spot at the Black Hat Security Briefings early next month. Must be a pretty bad spl0it to get all this attention, right? Doesn’t sound like it, more like they were just the first folks to find a decent-sized hole.
Sure, there have been other holes found, like figuring out how to change the color of your charging battery from green to neon pink or bright blue, or managing to hack in a custom ringtone, or the big one of being able to bypass the AT&T activation but still be able to use the phone. These are all kind of rinky-dink holes though, nothing that puts your personal data at risk. This new hole claims to do just that.
According to the folks at Independent Security Evaluators, their proof of concept code can read the log of SMS messages, the address book, the call history, and the voicemail data. Pretty damning stuff to be sure. So why is this not a big deal?
First of all, the delivery method is a little convoluted and requires some social engineering to convince the user to visit a compromised web page or to use an untrusted wireless network. These are the same attack vectors that plague laptops and other PDAs, nothing new here. What is new is that this affects an iPhone; that is why it is getting the press. I also suspect that this will be pretty trivial to fix. From the details that have been released so far, I suspect that just altering the iPhone’s Safari to prompt the user when downloading and running applications should do the trick.
So basically, continue safe computing practices, don’t be complacent, and don’t put too much trust in your devices, and you’ll be fine. Vulnerabilities that require user interaction like this one aren’t what you should be worrying about; attacks that compromise entire cell sites and infrastructure, like the one that hit the Greece Olympics or the hack that hit Paris Hilton, are what should be keeping you awake at night.