A team of computer security consultants say they have found a flaw in Apple’s popular new iPhone that allows them to take control of the device.
The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a website that contains malicious code.
The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.
Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability and recommended a software patch that could solve the problem.
A spokeswoman for Apple, Lynn Fox, said, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”
“We’re looking into the report submitted by ISE and always welcome feedback on how to improve our security,” she said.
The company said there was no evidence that this flaw had been exploited or that users had been affected, and it knew of no other exploits of this nature.
Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a website of his own design.
Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.
A team of computer security consultants say they have found a flaw in Apple’s popular new iPhone that allows them to take control of the device.
The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a website that contains malicious code.
The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.
Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability and recommended a software patch that could solve the problem.
A spokeswoman for Apple, Lynn Fox, said, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”
“We’re looking into the report submitted by ISE and always welcome feedback on how to improve our security,” she said.
The company said there was no evidence that this flaw had been exploited or that users had been affected, and it knew of no other exploits of this nature.
Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a website of his own design.
Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.
“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.
Steven M. Bellovin, professor of computer science at Columbia University, said, “This looks like a very genuine hack.” Bellovin, who was for years a computer security expert at AT&T Labs Research, said the vulnerability of the iPhone was an inevitable result of the long-anticipated convergence of computing and telephony.
“It’s not the end of the world; it’s not the end of the iPhone,” he said, any more than the regular revelations of vulnerabilities in computer browser software have killed off computing. “It is a sign that you cannot let down your guard. It is a sign that we need to build software and systems better.”
Details on the vulnerability, but not a step-by-step guide to hacking the phone, could be found at .exploitingiphone.com, which the researchers said would be unveiled today.
Hackers around the world have been trying to unveil the secrets of the iPhone since its release last month; most have focused their efforts on unlocking the phone from its sole wireless provider, AT&T, and getting unauthorized programs to run on it. The iPhone is a closed system that cannot accept outside programs and can be used only on the AT&T network.
The Independent Security Evaluators researchers cracked the phone’s software in a week, said Aviel D. Rubin, the firm’s founder.
Rubin said the research was not intended to show the iPhone was necessarily more vulnerable to hacking than other phones.
“Anything as complex as a computer — which is what this phone is — is going to have vulnerabilities,” he said.
© Copyright 2007 Globe Newspaper Company.
