By Kim Zetter
November 16, 2007
Readers of Threat Level will recall a little bit of flak that I and
Wired received recently for writing a couple of stories about problems
with the iPhone's security.
As we pointed out here and here, security researchers took issue with
the design of the iPhone, because the phone has all programs running as
root and requires no authentication to install applications. The theory
is that if any program has a vulnerability -- similar to one that was
already discovered in a library used by the iPhone's browser and e-mail
programs -- then a hacker could exploit the vulnerability by remotely
installing malicious code that takes over the phone. One possible attack
I mentioned was to turn the phone into a bugging device.
Security researcher Rik Farrow told me that Apple could easily have
designed the phone to make this harder to do but likely didn't do so
because it would have taken more time and delayed the product launch.
Blogger Daniel Dilger used one of the stories as an opportunity to
attack me personally as well as another expert I interviewed, saying
that I and the researcher didn't know what we were talking about. He
also erroneously reported that I'd interviewed only one source for my
research -- but that's beside the point.
Well, Fast Company asked Farrow to try to take over an iPhone using a
tool developed by H.D. Moore, the author of the Metasploit tool -- who
is also one of the researchers I interviewed for my stories. The result
can be seen in a video that Farrow made showing his attack. (See the
video after the jump.)