Monday, July 23, 2007

iPhone or spyPhone?

As we've all seen with Windows, it's no surprise that along with the power to work, rest and play on one's PC comes a glaring vulnerability to attack. One of the iPhone's purported strengths is also that it can act more like a full computing platform than many phones on the market, and in particular it runs the Safari browser, which should enable all sorts of interesting capabilities to be available across Mac and iPhone in the future. Alas, that very flexibility is also starting to become one of its weaknesses.

These issues are covered in detail here. Basically, the attack discussed involves exploiting the fact that if the iPhone browser opens some evil web page on a server somewhere, the code it finds will run with inherited administrator privileges. Not good, as anyone who has ever got even the mildest of PC viruses will attest.

Among the things this would open the device to would be copying and relaying all SMS messages received or posted, sending out stored passwords, even acting as an audio eavesdropping bug by placing an outgoing call without the owner being aware of it.

Redmond has spent years having the wider world find countless vulnerabilities in Explorer, a level of hard-won maturation that Safari can't even begin to match. This may just be the start of what will soon grow into a wave of postings on this topic, throwing up who-knows-what in the way of further holes in the iPhone's defences.

Browsers beware in the meantime!
