So far, Errata has found three main flaws in the long-awaited and much-hyped mobile phone/music/video player/mobile Web/email client device: a heap overflow bug in its Safari browser; a potential denial-of-service bug in its Bluetooth feature; and a data "seepage" bug that could cause seemingly innocuous data to be exposed by chatty client applications over a WiFi connection.
These are just the first of the publicized bugs in iPhone: Security researchers say plenty more have been found, but many won't be disclosed until Apple fixes them. John Hering, CEO of Flexilis, a mobile security firm, says his company has found flaws in iPhone and is currently alerting Apple on its findings.
"A number of vulnerabilities exist in the device," Hering says. "The iPhone is going to be a choice target. With something as exciting as this, inherently creative people are always going to be looking into it" security-wise.
Even so, the iPhone, which is based on a version of OS X, is actually more secure than other mobile phones because it has a system for updating and patching it: iTunes, says Robert Graham, Errata's CEO, who has been hammering away at the iPhone since his service finally kicked in. "It's the only one [mobile device] that will be regularly updated for security patches." The iTunes service already has alerted users that it will provide updates on July 5, he says.
A lack of simple patching capabilities has been a major problem in the mobile industry, Hering says. Interfacing with iTunes will make this process simple for iPhone users, but it also opens another potential avenue of attack. "If the mobile device gets compromised, would it be a great leap to exploit the traditional PC [or laptop]?"
Interestingly, the Safari and Bluetooth bugs found by Errata had already been found on other Mac OS X systems. "One of the major problems with mobile industry is legacy code -- having vulnerabilities hopping from system to system," Hering says. "If you have systems that are 'recycled' in mobile systems, you're going to see similar security vulnerabilities."
Although the Safari bug wasn't really a surprise, Graham says it's probably the most critical of the bugs Errata has found so far. "Just by visiting a [malicious] Website, you can have your iPhone broken into... and taken over." All it takes is a spam or SMS message luring the user to a malicious link, he says.
Graham says Errata is still exploring the Bluetooth bug, which he has been testing with a fuzzer. "The system hangs -- it may just be a DOS [denial-of-service]" bug.
And like any wireless device, the iPhone is susceptible to what Graham and Errata CTO David Maynor have dubbed "data seepage," which they confirmed using their Ferret tool, which sniffs WiFi traffic.
"If you've got a mobile phone, and you walk by a wireless access point it likes the name of, it will connect you to it and disclose all about you without your being aware you're on WiFi," Graham says. "It has all of the same problems Mac notebooks have."
Security researchers expect iPhone to have lots of security flaws because it's a high-profile device, and because of its Mac OS X ties. "There will be more iPhone vulnerabilities found than in all the other mobile phones put together," predicts Graham. "But in reality, it's [the iPhone] more secure."
It all boils down to threat vs. risk for iPhone users. Flexilis's Hering worries that the iPhone's high profile and expected massive uptake, as well as its links to the Mac OS, could make it an attractive target for a massive worm or other attack. The iPhone's Web browser, unlike those on other mobile devices, is basically a full-featured Safari application, he says. "That’s neat for the user but it also poses a number of security risks."
Meanwhile, what looks to be the iPhone's system-restore image has appeared online, leading to speculation that iPhone hacking tools may be just around the corner.
— Kelly Jackson Higgins, Senior Editor, Dark Reading