Apple’s iPhone is a tough target for hackers, but a security researcher warned Friday that there are ways the sleek device could potentially be compromised.
The iPhone has no security software, but Apple doesn’t let people load third-party programs on the device, reducing the risk of infection from malicious software. But when the iPhone is connected to the Web, possibilities emerge, said Marius van Oers, a security researcher with McAfee’s AVERT Labs in Amsterdam.
He doesn’t claim to have uncovered a specific security hole in the device, but listed several ways that determined hackers could use to try to find a way in.
Apple is relying on developers to create rich Web-based applications that will be accessed through the mobile version of the company’s Safari Web browser. Browser flaws are a proven way for hackers to get unauthorized code running on a system, van Oers said.
“It’s fairly easy to send someone an SMS (Short Messaging Service) or an e-mail with a Web link,” he said. “And once you go to the Web link, then that server can inject code into the iPhone, and if that happens, [a hacker] can have full control.”
That’s what happened with a Safari flaw found by Independent Security Evaluators, a company that detailed its findings at the Black Hat security conference in August. By constructing a malicious Web site, the researchers injected code into the iPhone and pilfered recent text messages, phone numbers and e-mail. Apple has since patched the flaw.
“Once you get access to the system, it’s all over,” van Oers said.
He presented his view of iPhone security Friday at the Virus Bulletin security conference in Vienna. Although he is based in Europe, he examined an iPhone purchased in the U.S. His view of the iPhone’s security is more cautionary and speculative, but rooted in the well-known ways that hackers work.
Apple also allows the use of JavaScript when the iPhone interacts with Web pages, a programming language that has been used to exploit software problems, van Oers said.
Further, Apple’s multimedia application QuickTime has been prone to trouble, and there are several proof-of-concept exploits circulating the Web now for version 7, van Oers said. How that proof-of-concept code could affect QuickTime on the iPhone remains to be seen.
Nonetheless, with the iPhone already popular in the U.S. and due to go on sale in Europe in about six weeks, Apple can expect more aggressive attempts by malicious hackers to meddle with it.
Hacking mobile devices is less prevalent than hacking desktop computers. But interesting malicious programs have been written for mobiles, including some that repeatedly autodial or send text messages to a premium number. The number is owned by the hackers, who collect the revenue.
The chance of those kinds of malicious software affecting the iPhone today is probably low, but “that’s the future. Let’s hope it will not come to that,” van Oers said.