by Timothy Lee
Mon, Nov 19th 2007 9:23pm
A security expert claims that he's managed to remotely crack the iPhone. All that's required to pull off the crack is to get the user to visit a specially-crafted website that exploits vulnerabilities in the iPhone's Webkit-based web browser. Once the iPhone has been cracked, the attacker has complete control over it, including the ability to download the user's email and voicemail, and even to surreptitiously activate the iPhone's microphone and transform the iPhone into an eavesdropping tool. It's scary stuff, and it illustrates an important point about the iPhone and other smart phones: as our phones get more and more computer-like capabilities, they're going to face more and more computer-like security problems. And that means that phone manufacturers and users will need to be more aware of the risks of security breaches and take appropriate precautions. In this case, it appears that Apple's choice to lock out third-party applications has actually backfired. Because all of the apps on the iPhone are written by Apple, they apparently all run as the "root" administrative user. That means that there's no attempt to protect the phone from a misbehaving application. As soon as you compromise one application, such as its browser, you've cracked the whole phone and can do anything you want with it. That's in contrast to Mac OS X, which typically runs applications as a non-privileged user, giving the OS an added layer of protection in case an application gets compromised. Had Apple designed the iPhone as an open platform from the ground up, it's likely they would have paid more attention to the iPhone's security model, limiting the damage that one rogue application could do. Presumably, with the announcment of a third-party development platform for the iPhone, Apple is hard at work implementing those kinds of security precautions. But this isn't a threat that's amenable to a quick fix. Apple and other smartphone developers are going to have their work cut out for them trying to add new functionality to their products without exposing their customers to new security threats.
If you liked this post, you may also be interested in...
- That Story About Uber Tracking People After They Deleted The App? Yeah, That's Not Really Accurate
- Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets
- Self Driving Taxis Are Going To Be A Nightmare To Secure, Warns Ex-Uber Security Researcher
- The Teddy Bear And Toaster Act Is Device Regulation Done Wrong
- Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors