Saturday, July 21, 2007

iPhone 'may never be secure'

Encryption expert Phillip Dunkelberger, a former Apple employee and president of security firm PGP, believes that the iPhone is almost impossible to protect.

"There are so many security issues with the iPhone, because it is not just a phone," he said. "From an IT guy's perspective it is a Linux computer with communications built in."

...He added that, if hackers did get control of the iPhone, they could use it to dial expensive phone lines and steal funds from users.

Methinks he has a point. Consider:

* Jon Lech Johansen (you may know him as DVD Jon) reported on his So Sue Me blog that he found a way to activate the iPhone for WiFi and iPod functionality, but not for phone.

* The iPhone Dev Wiki has released a tool that that "generate[s] a valid activation token based on the SIM card (and iPhone) information...[and] allow[s] for activation with virtually any AT&T/Cingular SIM that the iPhone is hardware-compatible with."

* SPI Labs warned iPhone users not to use the web dialer feature. "Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web... [it could] be stopped from dialing out, or set to dial out endlessly."

For a malicious party, the full-fledged Linux-style OS running on the iPhone definitely provides an intriguingly large attack surface.

Update 7/22: several commenters complained about describing the iPhone's OS/X as a "Linux OS". While Linux and BSD apps will recompile and run on OS/X, it's true that they are not directly related in the genealogy of Unices. I've changed the word Linux to Linux-style, above.

No comments: