WASHINGTON, DC — It’s anything but lonely at the top. Just ask Apple, manufacturers of the insanely popular iPhone, which since its introduction last year has become the “gotta-have” business accessory among the tech cognoscenti. As might be expected according to the law of unintended consequences, the iPhone’s popularity has made it a target for hackers, who last week demonstrated their affection for the device by releasing a bogus upgrade that doesn’t exactly wreak havoc on the iPhone’s essential being but can aggravate the unwary by overwriting some utilities.That the Trojan, identified by the U.S. Computer Emergency Response Team, is more nuisance than genuine threat is only mildly reassuring. It may be a proof-of-concept dry run, indicating hackers have more malevolent designs in mind. That’s bad news for the geeks who depend on their iPhones to do what their desktop computers can’t: remain by their sides and keep them connected in all imaginable ways while simultaneously storing their essential documents.
Chief among the concerns about the iPhone’s continued viability as an all-around workhorse is that the device is insecure. Currently, there is no way to encrypt files on the iPhone, and many users don’t even make a stab at protecting their devices by insisting passwords be entered before they can be used or accessed. If a hacker decides he or she wants someone’s iPhone data, there’s little to stop him or her from taking it — either over the air or by stealing the phone itself. If an iPhone goes missing, so does its data, because the iPhone can’t be locked down or wiped clean remotely.
Making a bad situation worse, all of the iPhone’s applications run as root functions, meaning a hacker has to compromise only one application in order to compromise the entire device.
Of course, none of this might have happened if Apple and AT&T hadn’t been such sticklers about ensuring the iPhone would operate on only AT&T’s network. “Locking” the phones so consumers who were determined to own one had to become AT&T customers was like waving a red flag in front of a bull. Hackers couldn’t resist the challenge of unlocking the devices for demanding throngs who were more than happy to pay big bucks for the service, and a sort of mobile-phone arms race has been raging ever since: Apple locks the phones, hackers break the lock; Apple releases a mandatory update to re-lock the phones, and hackers break the new lock. It’s become almost a game. Add that to Apple’s insistence that only third-party applications in which it has an interest could be ported to the iPhone’s operating system, and the challenge became even more irresistible.
In short, there are a virtual slew of very smart people, some of whom aren’t averse to deviltry just for the fun of it and some of whom may be eying potential financial gain with great relish, becoming very well acquainted with the iPhone’s weaknesses.
Thankfully, not everyone is pretending they haven’t noticed how scary all of this is. Number four on the SANS Institute’s list of the most serious potential threats for 2008 is mobile-phone attacks, and the iPhone’s platform is one of two SANS singles out as most vulnerable. (The other is Android.)
Pay attention, Apple. All it will take is one serious incident for that delicious toy to receive the kind of bad rap from which it can’t recover.
