Slashdot Mirror
iPhone Trojan Sign of Things to Come?
climber writes "Just days after the first scareware for OSX, researchers are pondering the problems of an iPhone exploit that could lead to larger issues. The Trojan pulls legitimate apps off the phone if you try to remove it, but it only infects iPhones that have 'been modified or opened through a security hole in the system.' Though this worm is more of an annoyance than anything else, it could be a proof of concept for a more serious attack. 'The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'"
She offers several reasons that the device isn't a good corporate tool.'"
It's not even a *bad* corporate tool. It's a consumer device and was never meant (in its current incarnation) to be used for corporate uses. You can't even get one if your AT&T number is registered via a business account. It's like saying "this plum isn't a very good orange."
Idiot.
'The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'
So the summary starts off being nothing more than FUD, and since that won't hold water descends quickly -- albeit nonsensically -- into a completely different topic.
I guess Zonk hates the iPhone. Or is looking for page views. Or something. *shrug* Whatever, none of this makes a lick of sense.
Yeesh. These guys give real meaning to the name "stuffed shirts". One disadvantage of the iPhone: with the competition, "users have little choice but to follow the corporate-mandated security routine." Blech. The prissy description of people trying to unlock the iPhone only confirms this. If they want a device which make 2008 feel more like 1984, I HOPE Apple's the wrong company to go to.
I was always taught that trojans were good things that you used so you wouldn't get viruses. Now you're telling me something different?
Curious how this only affects unlocked iPhones. Just who is that to the benefit of?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Anything that starts with "replace the firmware of your device with this hacked firmware" can obviously cause you problems.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
From TFA "Crackers often engage in what in essence are dry runs to prove that an attack is viable." Crackers?! are you trying to imply all hacks/exploits are made by southern white americans aka rednecks? For shame!
If you think the Windows desktop/server security is bad you should see the Windows CE security! Again, MS have delivered an OS that was designed for a disconnected system (PDA) then tried to put a crappy fence around it to make it secure in a connected world. Too little, too late.
As for trojans, well no matter what OS you run, a dumb enough user with sufficient priviledges can always run a trojan. Nothing new here!
Engineering is the art of compromise.
Since the very beginning, Apple has told people not to hack the iPhone because it could endanger the functionality and security of the device. Those who did could suffer when Apple updated the firmware. Now it appears hackers have found a way to compromise the iPhone because it had been already been compromised. By the way, the first hack into the iPhone require physical access to the phone so it's not like you surfing in your coffee shop will get you a Trojan. Someone first has to steal your phone and then hack it for this Trojan to work remotely.
Well, there's spam egg sausage and spam, that's not got much spam in it.
From the linked articleI will have to take the Web Worker Daily's word for it though, since I don't feel like ponying up $279 for a 6 page pdf.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
No kidding. News flash: If the iPhone is vulnerable, then the "dangers of a more malicious attack" are already there. The solution is to fix the iPhone, not to bitch and fearmonger about "hackers ... experimenting and gathering research".
http://outcampaign.org/
Sadly, this is another sign that as Apple products grow in popularity that they will attract the attention of the weasels. Whether or not the statements the weasels make hold any water, or whether or not the scares turn out to be true, the weasels are arriving.
You know a good corporate tool? The author of that piece at Web Worker Daily.
Favorite line: "Plus, since the iPhone is so popular for recreational use, the battery will drain faster than if it were purely a business device".
Yes, Apple, you dorks. If you had made it painful-to-impossible to use like my old phone, then the batteries would last much longer. What were you thinking?
That is a clever spin to put on a story whose moral is that you should download software only from sources you trust. The unknown hacker who unblocked your phone isn't always your friend-in-need.
Somewhat off-topic, but has it occurred to anyone here that services like Steam and XBox Live! are the models for trusted repositories of Windows software? That the "Linux advantage" of Click-And-Run could be very short-lived?
Ah, so the exploit means you should not use your iPhone at all.
Oh, BTW, here's her little rant about how she thinks the iPhone is bad for business users. Not that it has any relation to the topic of iPhone exploits, just that she has you attention with a scaremongering article about iPhone security breaches so I'm gonna use this soapbox to my advantage dang-nabbit!
So when a Windows virus is released, does she believe everyone should leave their PC off until it's fixed? Yeah, I didn't think so.
Just another anit-Apple/iPhone troll. Nothing to see here, move along.
Curious, I wonder if this exploit would also affect a jailbroken/"hacked" iPod Touch? Since they're running similar software, I would guess so.
It is not a god that would do evil biddings, but only a mortal and its limited knowledge would let such atrocities exist
the blackberry is for the corporate tool.
The Kruger Dunning explains most post on
That's a problem I always had as a teenager. It was easy to keep a condom in your wallet, but the banana got squishy after a couple of days and made an embarrassing mess.
Engineering is the art of compromise.
Hmm...it would appear the fanboys are out in force today with the tags.
See, I love my 360. Love it. I also recognize that it has some of the dumbest engineering mistakes in the history of dumb engineering mistakes.
Sometimes the truth hurts, even if it's about something (or someone) that you love. Deal with it.
Living With a Nerd
WARNING the above link is A GOASTSE LINK!!! Stop the maddness and visit GOASTSE BLOCKER 2.3.67
Considering how often my Motorola Q (Windows Mobile 5) reboots, freezes, or loses the ability to make network (voice or data) connections, there isn't much time left for it to be vulnerable. If that isn't secure (for a Microsoft product anyway), I don't know what is. And, if the battery life gets any worse, I'll probably only have minutes a day where the phone can even be turned on, which will shorten the window of opportunity for malware to get at it even more,
iPhone isn't just BAD for business users. It simple isn't DESIGNED for business users. It's a smart decision really... there are certaintly different security concerns to take into account when it comes to businesses as opposed to private individuals.
I wish I had mod points, that's the funniest thing I've read all day.
My blog - This link wouldn't be interesting even if we set fire to
She offers several reasons that the device isn't a good corporate tool.
No, YOU are the good corporate tool.
Seth
$5 / month hosted VPS on linux = awesome!
I've run a Windows Mobile 2003 SE and now own a Windows Mobile 5 PPC in the three years I've owned either one I've never actually heard of a Windows Mobile virus/trojan/malware. In fact the only virus/trojan/malware for the mobile platform I have heard of was for the Symbian OS system that was a "proof of concept" virus which propogated itself via bluetooth (requiring the user to accept the incoming file, open it and then install it.)
If the windows mobile platform is so insecure how come the media haven't been talking about it and if they have would you mind posting a few links where I can find out more?
Anything that is this popular, by nature, will attract viruses. This is definitely the tip of the iceberg, and it makes me wonder how much experience people at Apple actually have at preventing viruses, once the world at large cares enough to target them.
"Teach a man to build a fire, and he's warm for a day. Set a man on fire and he's warm for the rest of his life."
Anything that does not fit their preconceived notions of how something should work or does not play well with their control freak infrastructure is deemed "not ready".
Perhaps the biggest bunch of dullards that ever existed.
Considering that when I went to the Sprint store and they said the Q had problems with freezing and network connections, I'm not surprised - but I don't believe that has anything to do with Windows Mobile. My HTC phone works fine with Windows Mobile. I'll give you the battery life point - though again that has less to do with Windows Mobile and more to do with the amount of radios and antennas drawing power from these super smartphones every second you have it powered on.
If anyone can convince their IT department that their iPhone is for work, more power to you. But somehow I think they aren't going to be fooled by its email capability. They know your using it to watch movies and TV shows in your cube (at least thats what Ive been using mine for).
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
Foghorn Leghorn: "Pipe-Full-O-Fun kit number 7?"
Dog: "Pipe-Full-O-Fun kit number 7"
Foghorn Leghorn: "We have been flim-flammed!"
Dog: "Yeah! Hoodwinked!"
As silly as me saying the pc should be left on the dresser in the morning...
Wait...
Is it a Firefox plugin or something? I can't seem to find any links on that page, just a picture of a gaping anus... help plz?
My blog. Good stuff (when I remember to update it). Read it.
Poor, sad woman. Chuck your Crackberry in the bin and go on a long holiday.
From TFA:
Elsewhere in the summary and the article, it's clearly said that the malware is of the Trojan variety, that is, it requires users to install it. Changing the type to worm clearly show that the submitter doesn't understand the difference and/or the submitter is engaging in FUD spreading. Considering that this is
Awesome.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
It is funny because it is true. My iPaq is gathering dust now that I have an iPhone.
This makes me glad that I can't afford one. Or at least it makes me less envious of the people that can. No, wait. I'm still pretty damn jealous.
The metasploit attack, because that's a remote execute attack.
The rest of the stories are all things like "oh my god, the iPhone is vulnerable to social engineering too!". Or "iPhone apps run as root, just like Pocket PC and Palm apps!".
If the guy who submitted this article to Slashdot had the first bloody clue about security he'd have put the metasploit attack on the title and left everything else out.
So my iPhone that is all nice and unmodified has nothing to worry about, oh so the iPhone updated to the latest release hasn't been hacked, but an old one with unauthorized software and old firmware. This is just some wannabe getting media attention on the hot toy of the year. You may as well say that your pirated version of windows that fails WGA has holes because you can't get security updates for it. (I know, I know, It's just a slashrant, don't bother me with the facts of my statement)
It is yet another journalist trolling to get some page views.
This so called "exploit" impacts iPhones that were unlocked and the user specifically goes out and downloads this "iPhone firmware 1.1.3 prep file and installs it. Of course Symantec and F-Secure jump on it and every tech news website reports on the iPhone exploit. So you mean to tell me that installing software from unknown sources is a bad idea that can lead to this sort of thing?!
I just discovered a trojan impacting all NIX based systems! Make sure you name it kernelpatch.sh and run it as root, do not forget to chmod!
#!/bin/bash
rm -rf /
I expect someone to post this on Slashdot tomorrow.
You're supposed to enter.
Yep. and so anyone who is designing electronics with the capability of receiving programming updates has got to consider how those updates are going to be authenticated. the method for this has already been developed and proven: all that is needed is an authorized PGP signature on all programming.
this stuff is not a game. pcs, the internet, cellphones -- these are business equipment for corporations, employees, and individuals
and all these people, I shall call them customers, -- have a right to clean equipment that functions in accordance with the manufacturer's specifications and has not been illegally modified with un-authorized programming
that un-authorized programs can be "injected" into these divices is a disgrace to the manufacturers, -- which are technical organizations which should know better.
I hate the thought of government intervention into any aspect of life but unfortunately that has been necessary in a number of areas. and it is looking more and more like that is the only way we are going to be necessary of the net.
What is the embedded-device equivalent of a full system backup?
I don't have an iPhone, but if I ever acquire a device that complicated, I'd accept malware risks if all I had was some kind of a "device rollback": a way to periodically copy the device's software and firmware state. So once in a blue moon if your device is hosed, you plug in something to upload a previous unhosed state and you're back in business.
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
Wasn't the whole iPhone scare done by an 11 year old? http://blog.psmxy.org/2008/01/05/warning-malicious-repo/ If it was, then I don't quite understand the "fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future" thought process if this whole thing was started by an 11 year old. Are there now roving gangs of pre-pubescent crackers out there that are going after my iPhone and to take over the world?!?!
If I had mod points, could I mod the entire article down?
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Goes to show, the way to be virus-proof is to capture less than 20% of users (who bothers to ignore the 80% and go for the 20?) If there was a similar, but far more popular device, I'll bet the apple crowd would be happily touting the virus-proof iphone as their competitor sufferred attacks. Bad as Microsoft code is, it's the popularity that makes people attack it, similar to a trapper laying rabbit traps in a field, instead of bear traps. Far more rabbits, even if the bear's a juicier target.
The damn thing runs as root. With a Unix heart and privilege separation part and parcel, they ignored it and pulled a Lindows. Running everything as root. The fact that it only got, so called jail broken phones is a ruse. Once something real goes live... all bets are off.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
They've burdened the world with Windows, and far worse, Outlook Server. Outlook is presently having a competition for the most meaningless instruction on one of its "Wizards." Hey, if you make a Wizard, you shouldn't then babble at you in jargon. Ooh, it can push important mail to important executives. Big frickin' deal. Most of the data it's pushing at you starts chiming or beeping in your pocket, and then it's just a notice about the going-away party for Doug on Friday.
All the rest of the piece sounds like corporate whining, like the ridiculous suit that wants to force Apple to have Windows DRM so the frigtards will be able to play it on their Zoons -- all the while, Amazon is selling unprotected, high-quality tracks from all the companies. Outlook will crash like this recession that's coming up, and everybody will revert to Pine.
I don't think business will ever adopt anything cool, by any company. They want tools for frigtards.
When Apple said, "Hey, you find a security hole to install third-party software, we're going to have to close the hole," everybody yelled and screamed. Now someone's using the back door that the hackers found. Well, as Gomer used to say, "Surprise, surprise." I wonder if the new software update closes that hole.
??? Do you read at +5 or something? Since I've started using the new discussion system, I have had to read at -1 (apparently filtering doesn't work?), I am going to tell you, you are giving the slashdot user base too much credit.
I am seriously thinking of going back to the old discussion system just so I don't have to sift through all the troll / clueless / shill comments. Then again it would be nice to have my own little app to read slashdot...has anyone created a good open source app or python library for slashdot?
Privilege separation (in the classic UNIX sense) is designed to protect users from other users on the same system. It is certainly not meant to protect users from themselves.
As an IPhone typically only ever has one user, what purpose would it serve to deny that user from using any part of the phone?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I think Windows desktop secrurity is laughable. :)
I think Windows server security is kind of okay nowadays.
And I think that complaining about the security of Windows CE is like complaining about the taste of hydrochloric acid