Apple iPhone / iPad / iPod Touch Security Alerts
General Apple iPhone Information
The Apple iPhone, iPad and iPod Touch, because they use a variant of Apple's Mac OS X operating system and applications such as the Safari web browser, are subject to security flaws. Below are the known security flaws/alerts. To read additional information about a security alert, click on the link:
- 8/28/08 - iPhone Security Flaw Puts All Private Information at Risk
A major security flaw in the iPhone firmware 2.0.2 has been discovered that allows someone to access your data and certain iPhone apps even when you have the passcode lock feature turned on.
To replicate the security flaw, follow these instructions:
- Password Protect your iPhone and lock it
- Then Slide to Unlock the iPhone
- Tap Emergency Call button on the screen where you get an option to enter the passcode and then double tap the home button
- Double tapping the home button takes you to Favorites
If you thought this was a feature, think again: you have not entered the passcode, which means that anyone who happens to pick up your phone can get access to your Favorites without knowing the passcode. It also gives them access to your address book, the dial keypad and voice mail, and by tapping on the blue arrows they can get access to the private information of any of the contact entries in Favorites. Someone can then click on the e-mail address of a contact to get access to your iPhone's Mail application, thus exposing all your e-mails. Clicking on a URL in a contact gives someone access to the iPhone's Safari browser. Someone can also send text messages to any of the contacts in your address book.
Apple has acknowledged the vulnerability and is working on a fix, which is scheduled to be released with the next firmware upgrade. Until a fix is made available, a temporary solution is to change the Home Button setting.
To do so, from the iPhone home screen:
- Tap Settings
- Tap on General
- Tap on Home Button
- Tap on either "Home" or "iPod"
For additional information, visit http://gizmodo.com/5042332/huge-iphone-security-flaw-puts-all-private-information-at-risk
- 7/25/08 - iPhone vulnerable to phishing, spamming flaws
Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks. According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks. iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple’s security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refer to trusted sites.
A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple. Raff describes this as “a basic security design flaw which might already be exploited in-the-wild.”
Apple has acknowledged the vulnerability in the Mail application, and is still investigating the issue in Safari for iPhone. Until a fix is available, avoid clicking on links in the Mail application which refer to trusted web sites (e.g. Bank, PayPal, Social Networks, etc.). Instead, enter the URL of the website manually in the Safari application.
For additional information, visit http://blogs.zdnet.com/security/?p=1541&tag=nl.e539
- 10/13/07 - Apple iPod touch / iPhone TIFF Image Processing Vulnerability
A vulnerability has been reported in Apple iPod touch and Apple iPhone, which can potentially be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused by an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser.
The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected.
Until a fix is provided by Apple, do not browse untrusted web sites and do not open untrusted TIFF images.
- 09/28/07 - iPhone Firmware version 1.1.1 Released
Apple released an update to the iPhone, version 1.1.1, to correct several security flaws. iPhone users must install this update, available through iTunes. For instructions on how to install the update, visit Apple's web site at http://docs.info.apple.com/article.html?artnum=306586.
- 08/01/07 - iPhone version 1.0.1 Update
Apple released an update to the iPhone, version 1.0.1, to correct several security flaws. iPhone users must install this update, available through iTunes. For instructions on how to install the update, visit Apple's web site at http://docs.info.apple.com/article.html?artnum=306173.
- 07/23/07 - iPhone security flaw offers complete control
A security flaw could allow an attacker access to personal information stored on the iPhone such as SMS text messages and voice mails. Attackers gain access to the iPhone in one of three ways: any iPhone that automatically connects to an attacker-controlled wireless access point with the same name and encryption type as a trusted network would be compromised; an improperly configured forum on any website could allow insertion of the exploit; and iPhone users opening a link delivered via email or an SMS message could unknowingly open a hostile website. Additional information and video can be found on Security Evaluators web page.
- 07/20/07 - Yahoo Mail security flaw
A flaw in the way the iPhone accesses and checks a user's Yahoo e-mail account could allow anyone to eavesdrop on the e-mail authentication exchange when your e-mails are pushed to your Apple iPhone, especially when using any open (public or private) Wi-Fi hotspot. The hacker can then gain full access to your e-mail account until you change your password. Additional information is available on the Technology News First web site.
- 07/16/07 - Flaw Found in iPhone Web Dialer
A bug in the feature that allows iPhone users to dial telephone numbers over the Web using the iPhone's Safari browser could allow attackers to trick a victim into making phone calls to expensive "900" numbers, or even to keep track of phone calls made by the victim over the Web. In addition, the iPhone could even be stopped from dialing out, or set to dial out endlessly. Additional information can be found on Yahoo's web site.