Wuh-oh! Considering its popularity and the number of handsets floating around out there compared to the number of security exploits discovered thus far, I’d say Apple has done a pretty good job of keeping things locked down.
As this just-discovered flaw proves, however, nobody’s perfect.
You can read the full technical details of the exploit here, but to make one hell of a long story short: the iPhone allows settings configuration files to be installed over-the-air through Safari, primarily to help enterprise businesses setup a bunch of iPhones as quickly as possible. We’ve known this for a while – it’s a crucial part of easily enabling tethering on jailbroken iPhones. The user must must confirm the installation manually, and the iPhone tells you who it’s from and whether or not it’s a trusted source – which (we hope) most would be smart enough not to do in standard cases.
The particularly nasty part here, however, is that the anonymous hackers reporting the flaw were not only able to make the configuration file report back as “Verified”, but also indicate that it was straight from “Apple Computer” themselves. From that point, a pinch of clever web design and a dash of social engineering would be enough to convince the vast majority of users who stumble across a malicious update that it’s as legit as can be.
So once it’s installed, what harm can be done? In theory, it could be used to reconfigure the iPhone’s proxy settings, allowing hackers to redirect all traffic through a server of their choosing. It could also be used to wreak havoc on WiFi/e-mail settings, and disable the use of Safari, Mail, and a handful of other first-party iPhone apps. Worse yet, it’s possible to set the configuration file so that the user can’t remove it – so once it’s installed, getting it off the handset would require a full wipe.
Let’s hope there’s some way to fix all of this without nerfing the over-the-air configuration process all together, if only for the sake of I.T. guys everywhere. In the mean time: if you see a screen like the one in the screenshot above and you weren’t intending on provisioning your handset with new settings, you should certainly avoid hitting the “Install” button.
[Via ThreatPost]
Crunch Network: CrunchBase the free database of technology companies, people, and investors
Related News
HulloMail Launches Visual Voicemail App For BlackBerry
Windows Phone 7 devices will come in three flavors
LG Arena made official at AT&T
Vodafone reportedly ditching the HD2 as iPhone launch looms (update: nope!)
Jailbroken iPhones exposed to second worm, this time malicious
Desktop Factory hits the dead pool
Consumer Reports says Apple has the best tech support, Acer/Gateway/eMachines the worst
FujiFilm FinePix digital cameras hands-on
Use an SD card as a boot disk in your new MacBook Pro
Blizz helps bust WoW playing drug dealer
The “Ice Tube” clock classes up your abode with a tasteful steampunk look
Live at Toshiba’s CES press conference
PS3 losing the race