Turning the iPhone Into a SpyPhone

In a demonstration of what can happen when someone hacks your iPhone (or any computer-like phone, for that matter), Fast Company commissioned a security expert to show what is possible:

So we purchased an iPhone for Rik Farrow, a UNIX specialist and consultant from Sedona, Arizona, and commissioned him to crack through its defenses, which he did using H D Moore’s Metasploit, a popular platform for testing security systems. The result is this video, in which Farrow was able to take complete control of an iPhone and demonstrate the ability to eavesdrop on conversations, intercept voice mail and e-mail, and upload nefarious software programs. “Physical access to an iPhone,” Farrow points out, “is not required.” Although in Farrow’s demo the Wi-Fi was turned on — common enough for iPhone users, since AT&T’s EDGE network makes Web surfing slow and laborious — Moore says his exploit can work on EDGE, too.

If you know your target’s phone number, you could text message a link to a malicious Website, which would covertly install a third-party application executing malicious code. The corollary would be to send your target an e-mail with a nefarious attachment; he clicks on it and the attacker “owns” the phone. Or there’s always the “man-in-the-middle” (MITM) attack, which is perhaps the most James Bondian: You sit in, say, Starbucks with a laptop set up, as part of the ruse, to operate as a Wi-Fi access point, so a target’s Web browsing and e-mail pass through your computer first. (How can you tell who has an iPhone as opposed to someone with a standard laptop, rival smartphone, or PDA? Simple — the exploit only works on iPhones.)

The Metasploit hack referenced above has since been closed in the latest patch to the iPhone’s software. But the more iPhones that are out there, the more appealing targets they become. Here’s the video of the hack (warning: watching someone write code in a 6-minute video is worse than watching paint dry—unless you happen to like that sort of thing).

http://services.brightcove.com/services/viewer/federated_f8/769469373
