The name Charlie Miller will be familiar to anybody who follows Mac security. Currently employed as a researcher by Accuvant, Miller has over the last several years discovered several vulnerabilities on Apple’s platforms, including an iPhone flaw that could be exploited via SMS, which Apple quickly moved to patch.
To demonstrate this vulnerability, Miller submitted an app, InstaStock, to the App Store. While the application, a stock tracker, functioned as expected, it could also take advantage of the security flaw to make a connection to Miller’s server, allowing him access to the device’s hardware functions and data. Apple approved the application in September, but it wasn’t until this week that Miller showed off a video of himself exploiting the vulnerability. In the demo, Miller used the exploit to make the phone vibrate and to access its Address Book data.
Miller plans to demonstrate the exact nature of the vulnerability at next week’s SyScan security conference in Taiwan. Apple did not immediately respond to a request for comment about when a patch could be expected. Earlier this month, though, the company promised an upcoming iOS update that would fix battery issues; it’s possible that this update, expected within the next few weeks, may also patch this security vulnerability.