The popularity of the iPhone ensures that it’s going to be a target of unwelcome attentions, so the announcement this morning that a team of security researchers had allegedly discovered a vulnerability should not be shocking.
Independent Security Evaluators, the firm that did the investigation, claim to have found the hole in the iPhone’s version of Safari. It would allow for the execution of arbitrary code, run with administrative privileges. Such code can in theory do anything the iPhone can do, including sending text messages, stealing email passwords, or recording audio. The demo that ISE has concocted reads the SMS text log, the address book, the call history, and the voicemail data.
While this exploit should not be taken lightly, it’s important to note that it’s not in the wild: ISE has released a preliminary paper, with a full paper and presentation to be given at the BlackHat conference on August 2nd. They’ve notified Apple of the exploit along with a proposed fix. Also important to note is the potential attack vectors: since the vulnerability is in Safari, the user needs to click on a link or otherwise be directed to a malicious website, so it’s important to practice safe computing.
