US security consultant, Rick Farrow, has used H D Moore's security testing tool, Metasploit, to crack the iPhone, which allows a hacker to control an iPhone remotely.
Farrow demonstrated how he gained root access to the iPhone and installed an application that can record conversations on and near the iPhone, transforming the device into a spy tool. It also allowed him to remotely access recently modified files, locally stored e-mails and view the iPhone's Web browsing history.
"Using a specially crafted Web page utilising an iPhone exploit (now patched) he gained root level shell access to the phone -- which means he could do anything that the iPhone is capable of from his laptop," explained Jarno Niemelä, security researcher for the security vendor, F-Secure.
"This exploit actually involved you doing something with the iPhone, or in this case, I do something with the iPhone to get the exploit to work. This is not at all unusual. Most PCs are actually exploited because people visit a Web site and wind up being exploited," Farrow told US business and technology publication, Fast Company.
Last month, ZDNet Australia's sister site ZDNet.co.uk reported that application hungry iPhone owners were using a similar technique to gain root access to the iPhone thanks to the jailbreakme hack, which exploited an image vulnerability.According to analysts, Apple's decision to run every application on Safari as root exposes the iPhone to greater risk, and quite possibly repeats a mistake made by Microsoft some years ago.
"It strikes me as strange that Apple took the shift and moved to Unix as their operating system, but don't seem to have learnt the lesson that you don't run everything as root. This was the same lesson which Microsoft had so many issues with when they intertwined Internet Explorer with the Windows operating system, and it's something which they are now digging themselves out of," security analyst, James Turner, Intelligent Business Research Services, told ZDNet Australia.
"I think the inference we can make is that Apple decided that the risk of running applications as root was worth it. There used to be a saying that Windows 95 was Apple 84. Now it seems that Apple want the iPhone to follow a similar path to Internet Explorer. Sure, Apple will get market share, but at what cost to their reputation for security?" he added.
However penetration testers say that Apple's operating platforms are in general still more secure than its competitors and this instance simply highlights the problem of running a desktop operating system on a phone.
"This vulnerability isn't particularly special as it's just exploiting a vulnerability in Safari. Now it is patched, users will get their phones updated by iTunes when they next sync," said Chris Gatford, security expert from penetration testing company, Pure Hacking.
"I think that Apple's operating system on the whole is far more reliable and secure than the other competitors and I am sure some of these kinks will be eventually ironed out," he said.
The potential threat to iPhone users however is not isolated to Apple's phone, explained Farrow.
"This is a problem for any smartphone, for any widely distributed computing device, which will eventually be attacked and exploited," he said.
Although malware threats to mobile phone operating systems are uncommon today, security companies have been keeping a close eye on the sector. According to F-Secure, there are currently 373 known pieces of malware for all mobile phone operating platforms, 364 of which work only for the dominant smartphone operating system, Symbian, which is used in Nokia's phones.
Future threats for mobile phone operating systems, according to F-Secure, include rootkits, self-propagating worms, mobile phone botnets and large-scale profit-oriented malware organisations.
Daniel Eran Dilger's excellent web site - has already succinctly debunked this shaggy-dog story at RoughlyDraftedMagazine -
http://www.roughlydrafted.com/
As Daniel asserts
----------
"There’s no viral distribution nor worming replication going on, just the manual installation of software on a device that requires some degree of expertise in order to install any software on it. Doing so also requires the existence of exploitable holes that have not been patched."
....
"Farrow isn’t demonstrating the flawed architecture of the iPhone, he’s only showing that software can be malicious, and explaining why Apple isn’t allowing users to install their own software willy-nilly, as Windows users can and do. Rather than explaining what he’s doing in accessible language, Farrow and other experts are sensationalizing the mundane in order to suggest that the iPhone is somehow uniquely dangerous."
---------
If you want the truth and not lies read the "RoughlyDraftedMagazine" website. Why live a life blinded by the sensationalism of tabloid journalists and their use of exciting, shocking stories and language at the expense of accuracy, in order to provoke hits and to foster FUD.
The site certainly has opened my eyes to the nefarious iniquities around the OS world.