The Price of Power: Hackers Hit the iPhone

Posted by: Stephen Wildstrom on July 23, 2007

I’ve caught a lot of flak over the years from Apple fans for maintaining that the relative freedom of the Mac from hacker attackers was due in part to the fact that Windows was a more tempting target. The speed with which hackers have punched holes in the security of the iPhone suggests the Mac itself may be more vulnerable than its ardent fans believe.

As reported by John Schwartz in today’s New York Times (registration required), security firm Independent Security Evaluators has demonstrated an attack that lets a hostile Web page take full control of an iPhone and capture a user’s personal data. Although there is no indication that the vulnerability is being exploited in the wild, computer scientist Steven M. Bellovin of Columbia University is quoted as saying “it looks like a very genuine hack.” (You can watch a video demonstration of the attack here.)

Bellovin points out that this sort of attack is inevitable as operating systems on phones get more and more computer-like. The iPhone runs a version of Mac's OS X operating system, though Apple has been extremely stingy with details on just which pieces of OS X are included. It's not clear whether the iPhone attack, which exploits a vulnerability in the Safari browser, might also work against Macs.

To date, attacks against phones have been relatively rare and not very damaging. The Symbian operating system, which is little used in the U.S. but is popular on European and Asian handsets from Nokia and Sony Ericsson, has probably been hit the hardest. I have not heard of any successful attacks on Research in Motion's BlackBerrys. And hackers have only struck a couple of glancing blows on Microsoft's Windows Mobile software, though the threat is taken seriously enough that you can now get protective software for your smartphone from Symantec and others.

I expect Apple will move swiftly to plug the hole with a patch that can be downloaded to iPhones. But this incident is a clear sign that the cat and mouse game between security experts and hackers that has long been a part of life in the world of personal computers is going to become commonplace in phones too.

Reader Comments

KennX

July 23, 2007 2:11 PM

By "I have not heard of any successful attack on RIM Blackberrys" I take it you mean you didn't take the 30 seconds necessary to find out on Google. Bet YOU have a Blackberry. :)

Billy

July 23, 2007 2:46 PM

It was only a matter of time before someone figured out a way to hack those iPhones. I'm surprised it was found out so quickly, but as you said, the phones are becoming more computer-like and we should expect the same issues and constant upkeep that we've learned to accept with our computers as we demand more features and just more in general from the phones. This is really only the beginning. The iPhone is the Apple IIe of what will come as people raised on phones come of age and the dependency on the devices grows.

Tony R. Farley

July 23, 2007 3:09 PM

I'm surprised it took this long!

Sonichka

July 23, 2007 3:19 PM

Gee, I wonder who hired these "scientists" to hack into an iPhone? Was it Microsoft?! Or was it Research In Motion (Blackberry)?!!! Hhhhmmmm... It must suck to work for a company when you know Apple is about to wipe the floor with you.

Big Brother

July 23, 2007 3:25 PM

Here are a bunch more iPhone hacks:

http://iphone.corank.com

Smittie

July 23, 2007 3:25 PM

The headline says, "hackers hit the phone." Then the only offering of 'hackers' hitting the iPhone is a proof of concept done by a security firm, primarily for the purpose of gaining publicity and convincing more people to be paranoid, thereby promoting the computer security business. However, there is no offering of evidence that real hackers have figured out how to hit phones. Of course, now that a computer security company has made it public how to do it, they've increased the likelihood that it will happen. Which is a pleasant eventuality to contemplate if you're a security firm. Thank you Mr. Wildstrom for contributing to the advertising of computing security firms everywhere.

It is also worth noting that (http://digg.com/security/How_to_hack_Symbian_mobile_phone) hacking cell phone operating systems has been done and presumably continues. So, this is nothing new. It is only noteworthy for Mr. Wildstrom because it suits his agenda with regard to Apple.

Smittie

Jeremy

July 23, 2007 3:47 PM

What a train-wreck of an article.

It purports to be about the old saw regarding market share and the frequency of virus attacks, and the first sentence sets it up as if this ridiculous idea has now been somehow proven.

We then lurch around, through a few more myths, alternately criticising Macs or the iPhone (make up your mind what you are talking about!), for poor security but without referencing any real world numbers or actual attacks.

Then we read some unrelated junk about virus problems on cell-phone OS's in general (irrelevant here because this attack is actually a browser vulnerability not a virus and not specific to the iPhone OS or cell-phone OS's at all).

Then the article ends without ever telling us what this "proof" of the increased visibility of the iPhone leading to virus attacks is.

The market share argument always was, and still is, bogus. The proof is twofold.

First, the Mac OS-9 ("Classic Mac") *did* have virus action in pretty much direct proportion to its market share at the time. Secondly, OS-X (the OS for the last five years or so), has had *zero* virus problems despite the vastly increased market share over OS-9.

If the market share argument were true, then OS-X should by rights have about 10% of the virus market. It doesn't. It does not currently have any real, working, in circulation, actually-going-to-hurt-your-computer virii at all, period.

bill

July 23, 2007 4:15 PM


You use "it's" twice in your article:

"than it's ardent" WRONG!

"It's not clear" RIGHT!

Raman

July 23, 2007 4:48 PM

I'm experiencing a perverse sense of glee that the iPhone is vulnerable to hacking. All these years, Apple and the little groovy Apple corps have maintained an aloof stance that their products are beyond attack. Finally, we get to experience Apple hogwash firsthand.

Steve Wildstrom

July 23, 2007 5:33 PM

@bill--Shame on me. I'm guilty of what my son calls apostrophe abuse. I've corrected the error; thanks for pointing it out.

Steve Wildstrom

July 23, 2007 5:37 PM

@KennX--About a year ago, a BlackBerry attack of sorts was demonstrated. But it actually used a modified BlackBerry device to attack a BlackBerry Enterprise Server. It was not an attack on the device itself. As far as I know, there has been nothing since, which is quite a good record for the leader, and therefore the most prominent target, in the field.

James

July 23, 2007 7:25 PM

Though many of you may think this extreme, I would bet almost anything if we made all this malicious hacking and destruction of property punishable by something such as impalement, or drawing and quartering, the problem would vanish overnight and the world would be a better place! What makes anyone think they have some God given right to attack people just because they can? I don't think it's extreme in any way, and I'm dead serious.

Yacko

July 23, 2007 8:08 PM

As previous comments note, this is a publicity stunt with little proof. But if a hack has been executed, just for argument's sake, note the hack affects the browser and not the phone. It is not a direct hack to the operating system. It is a hack that uses a malicious web page. The user must make a conscious decision to be fooled. Savvy users tend to avoid security problems in the first place. Are any other people but me also wondering whether other browsers, regardless of platform, are vulnerable to an identical exploit? Hasn't this kind of circumstance been shown before with full Win/Mac browsers?

Visitor

July 24, 2007 1:22 AM


So, the iPhone makes an attractive target for hackers (as does Safari apparently now that it runs on Windows..) yet Mac OSX with 22 million users is of little interest to hackers?

Mac OSX is certainly targeted much less than Windows which controls over 90% of the market. However that is only part of the reason there are fewer successful hacker attacks and malware for Mac OSX. OSX simply has a more secure architecture (excellent autoupdating patch system, real permissions model, disk encryption, secure deletion, encrypted keychain, etc.)

On Windows it is very common for a single vulnerability in a web browser leading to a full system compromise. On OSX, even if a virus was able to gain access to the system via a web browser vulnerability, it would typically require an administrative password before being able to make any system changes.

But in any case, if MacOSX is a safer platform because of its smaller marketshare, or because of its secure architecture (or both), the bottom line for consumers is that it is a safer platform.

jp

July 24, 2007 7:48 AM

i think this article and the comments prove that apple fans are among the most insecure people in the world. So what, anything can be hacked! Deal with it and don't put your personal info where people are going to look for it..duh!

Anthony Garza

July 24, 2007 8:02 AM

Macs don't get hacked as much because they suck. Os 10 is only more secure because it is a port of BSD an operating system that is very old and very secure. Macs aren't worth the money people spend on them and I wouldn't doubt if the i-phone is the same.

Peter

July 24, 2007 8:08 AM

I agree with Mr. Wildstrom. The iPhone (which, contrary to many of the above posters, is not a superior smartphone beyond its touch-screen interface) has had many many problems with security. Whether it be the in-browser calling function, which might end up giving you a slew of 900-number charges, or the potential to access the user's information through browser holes, the iPhone is a fairly insecure device.

On top of that, it has had problems with its Wi-Fi as well. Just take a look at what happened at the Duke campus as iPhones requested improper MAC addresses thousands of times a minute.

Apple has always had problems when releasing software for mainstream use. The iPhone is evident of this, as is the Safari browser for Windows which had 30+ security threats in the first 48 hours.

To some of the above posters - give the conspiracy theories a rest. Apple has become incredibly mainstream due to their multimedia devices and is no longer the "little company doing it right" that you claim it is. These investigations are independent and aren't part of some huge plot by Microsoft and RIM to quash the iPhone.

The iPhone is cool. It has a cool touchscreen and looks awesome. But don't treat it as a Blackberry-killer. It has plenty of shortcomings (lack of a removable battery, no 3G network, etc.). RIM has put out many outstanding products, and will continue to do so as is evident with the upcoming 8820. Apple brought a touchscreen, nothing more. I would stick with my Blackberry any day; it has better functionality and isn't just a cool toy.

Steve Wildstrom

July 24, 2007 8:35 AM

@Peter
In fairness to the iPhone, it was exonerated in Duke's network problems. A closer look showed the difficulties were due to configuration issues with Cisco routers.

Steve Wildstrom

July 24, 2007 8:39 AM

@yacko
What ISE demonstrated--you can watch it happen in the video--was a classic drive-by Web attack in which a malicious Web site plants code on the host. It requires no user action other than visiting the site. And once the iPhone is compromised, it happily transmits contact data, voice mail messages, and logged SMS messages back to the attacker. If it can be replicated in the wild--an important if--it is ugly and dangerous.

Sam

July 24, 2007 8:51 AM

Facts Facts Facts....
>>>"It's not clear whether the iPhone attack, which exploits a vulnerability in the Safari browser, might also work against Macs." Any prove or your opinion? Then why say it?
>>>Peter - "Just take a look at what happened at the Duke campus..." Did you take the time to read the ACTUAL cause? Google it, man. It was their own architecture and Cisco devices - not the iPhone.
I am sick and tired people who "may" NEVER use something that has an opinion about it - oh, we all have butt holes but some don't talk out them!

Greg Lewis

July 24, 2007 11:27 AM

Yeah, but isn't the real reason that no one has hacked blackberrys the fact that there's nothing on them worth getting to? This is really all part of Apple's grandest marketing plan: hackers will target the iPhone because the people who own it are vastly more likely to have something interesting in there to begin with! I, by the way, am a Blackberry user and can attest that there is nothing interesting in my handheld.

Joe

July 24, 2007 12:00 PM

To Sam: Go take an English class then come back and try again.

Richard D'Aprix

July 24, 2007 12:02 PM

It’s not a better smart phone!
Sorry, but it’s just not. Security is always an issue and always something to be managed (but less so than in standard Windows/Mac environments).
The real problem with the i-phone is it’s not a business tool. No slide out keyboard so you fat finger the keyboard, no broad band speed data connectivity, and for business purposes it just doesn’t handle attachments as well.
If you spend a lot of time on the road you’re doing a lot of e-mailing you probably want more of PDA with phone functionality and if you need to edit documents or review a PowerPoint deck you’re going to buy a HTC handset (think 8525 on AT&T or 6700 on Verizon) and get all you need and more. No more Batman utility belt, easily surfs off a wifi router and use the cellular line for voice at the same time, 2 gig of storage for MP-3s and hot swappable batteries and other helpful business tools like a backlit slide out keyboard that really lets you type lengthy documents and the ability to view PDF files.
If you have a corporate standard on Blackberry then you’ll use that (though personally, I hated the devices and their limitations and hated carrying multiple devices and found the browser and applications suite lacking).
The next release of the i-phone should support faster data speeds and better battery life, but the other issues remain.
I just don’t see the attraction other than a nice commercial and a good screen. Add to this the fact that Winmobile 6 is adding HTML to the pocket outlook client and I don’t see much use for an i-phone in the business enterprise mobile computing environment, and certainly nothing even remotely approaching the price point they want without HSDPA it’s not really much of a call.

Steve Wildstrom

July 24, 2007 12:44 PM

@Sam
It's Apple that is very fond of saying that the iPhone runs OS X and Safari, just like a Mac, so it's reasonable to speculate that an attack against Safari and OS X on the iPhone might work on the Mac.

Apple could clarify things a lot by telling us more about the operating system on the iPhone, since it is obviously some subset of OS X. Whatever you think of Windows Mobile, Microsoft has documented it extensively. Any developer can find out just which Windows applications programming interfaces will run on Mobile. But Apple has disclosed next to nothing about the iPhone version of OS X.

Steve Wildstrom

July 24, 2007 12:47 PM

@Greg Lewis
The bad guys these days are likely to be hacking for profit, not fun or curiosity. And a lot of data on corporate BlackBerrys--email, contacts, calendar info, corporate data--can be immensely valuable to the right people. This, by the way, is exactly the sort of information the iPhone attack is able to steal.

Alvin

July 25, 2007 12:24 AM

I am a current user of MacBook Pro and like it a lot. In my opinion, computer security threats by hackers is only a matter of time, sooner or later it will happen. Some years ago, internet banking was touted as a more secure way to bank than traditional walk-in-banking. Until the hackers and phishers catch up that is. Now I have to carry around an extra security device which generates an additional password for my internet banking.

It is silly to think that hacker criminal minds will leave any particular OS, phone, PDA etc alone for long, especially if it has significant commercial value. I am sure they will catch up and then it's another round of "running faster than the robber" thing again.

Apple users (including myself), should just be happy that for now and the near future, it doesn't seem like OS X will be plagued by virii like Windows OS. The more we brag how much more secure OS X is, the more we increase OS X profile in the hackers' consciousness and the more likely they will want to try hacking OS X, just to show how good they are.

In short, keeping a lower profile of OS X's security will do us Mac users a bigger favour.

Adrian Vance

August 6, 2007 10:43 AM

Gentlemen:

We have developed several new systems to make carbon sequestration profitable and create a new carbon economy instead of treating carbon as waste. These systems are under Patents Pending and we have done a book from the website. You can see all about it at our website at: http://www.geocities.com/profadrian/SCAF.html

Adrian Vance


About

Bloomberg Businessweek writers Peter Burrows, Cliff Edwards, Olga Kharif, Aaron Ricadela, and Douglas MacMillan, dig behind the headlines to analyze what’s really happening throughout the world of technology. Tech Beat covers everything from tech bellwethers like Apple, Google, and Intel and emerging new leaders such as Facebook to new technologies, trends, and controversies.
