New iPhone Vulnerability

Subscribe via: RSS EMAIL

Categorized | Announcements & News

Tags : Apple iPhone, Security and Privacy

New iPhone Vulnerability

Posted on 03 February 2010 by Carly Z

Hello there! If you are new here, you might want to subscribe to the Gear Diary RSS feed for updates on this topic.

(image courtesy TechCrunch)

TechCrunch is reporting on a new theoretical iPhone security hole, one that is potentially very messy. Essentially, it takes advantage of the over-the-air configuration process, creating a false certificate that claims it is installing a security update from “Apple Computer”. Of course, the download is not from Apple, and it can theoretically change all sorts of proxy settings on your iPhone.

From TechCrunch:

The particularly nasty part here, however, is that the anonymous hackers reporting the flaw were not only able to make the configuration file report back as “Verified”, but also indicate that it was straight from “Apple Computer” themselves. From that point, a pinch of clever web design and a dash of social engineering would be enough to convince the vast majority of users who stumble across a malicious update that it’s as legit as can be.

So once it’s installed, what harm can be done? In theory, it could be used to reconfigure the iPhone’s proxy settings, allowing hackers to redirect all traffic through a server of their choosing. It could also be used to wreak havoc on WiFi/e-mail settings, and disable the use of Safari, Mail, and a handful of other first-party iPhone apps. Worse yet, it’s possible to set the configuration file so that the user can’t remove it – so once it’s installed, getting it off the handset would require a full wipe.

Now, this seems to be just proof of concept, and it appears to just affect jailbroken iPhones…but it still isn’t a good thing, especially with the influx of iPads running iPhone OS in the future. As with many exploits, this relies to some extent on the user being tricked. Best thing to do is just be smart: if it seems fishy, don’t download it blindly. Remember that Apple always releases updates through iTunes, not OTA. And don’t forget to change your root password if you are jailbroken! And while the iPhone has been a huge target due to its popularity, there are bound to be similar issues coming along with other platforms, so everyone needs to keep a grain of common sense around!

Via TechCrunch

This post was written by:

Carly Z - who has written 472 posts on Gear Diary.

Carly has been a gadget fiend for a long time, going back to her first PDA (a Palm M100). She quickly went from researching what PDA to buy to following tech news closely and keeping up with the latest and greatest stuff. She loves writing about ebooks because they combine her two favorite activities; reading anything and everything, and talking about fun new tech toys. What could be better?

Contact the author