iPhone Trojan Sign of Things to Come?

climber writes "Just days after the first scareware for OSX, researchers are pondering the problems of an iPhone exploit that could lead to larger issues. The Trojan pulls legitimate apps off the phone if you try to remove it, but it only infects iPhones that have 'been modified or opened through a security hole in the system.' Though this worm is more of an annoyance than anything else, it could be a proof of concept for a more serious attack. 'The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'"

What rock was she hiding under?

[dreamchaser]

She offers several reasons that the device isn't a good corporate tool.'"

It's not even a *bad* corporate tool. It's a consumer device and was never meant (in its current incarnation) to be used for corporate uses. You can't even get one if your AT&T number is registered via a business account. It's like saying "this plum isn't a very good orange."

Idiot.

Re:What rock was she hiding under?

I'll bet you she's a good corporate tool.

Re:What rock was she hiding under?

[OECD]

It's a consumer device and was never meant (in its current incarnation) to be used for corporate uses.

Also, it does not toast my bread AT ALL evenly. I am sorely disappointed with my purchase!

Also, what does that link have to do with the rest of the summary?

Re:What rock was she hiding under?

[arminw]

.....It's a consumer device and was never meant.....

True, but even so, many executives have bought iPhones and ordered their reluctant IT dept. to support them. When the big boss speaks, most underlings do listen and try to please him/her. So, IT folks out there, you might as well figure on supporting the iPhone, even if Apple doesn't market it for corporate users. The big boss may come in sooner than you figure and DEMAND support for his/her shiny new iPhone.

Re:What rock was she hiding under?

[Cro+Magnon]

Same Old Stuff. IT should be used to supporting stuff that isn't ready for the Enterprise *cough*Windows*uncough*

Re:What rock was she hiding under?

[kellyb9]

This is an instance where I have to agree. Apple does a very good job of identifying specific problems and trying to create unique solutions for them. The iPhone was never designed for corporate use, maybe a future version will be, but at this point, it's a pretty stupid idea.

I am by no means Mac user, but I have to admire their creation of the Macbook Air. Here's another example where they said - here's the problem, people traveling - lets create something to make this process easier. This is really one of my major criticisms of MS, who always try to create the one machine that will solve all of our needs. Unfortunantly for Mr. Gates, there is a high overhead in this line of thought.

Re:What rock was she hiding under?

You're right, but if you look at the reasons, most of them apply to a consumer device, too. (e.g. Lack of encryption is pretty wacked. The only reason Apple gets away with that in the market, is that their competitors are just as bad.)

One of the big lessons of the iPhone is that today's phones suck. The iPhone sucks too. But the iPhone -- a device made by a personal computer maker -- has also sent a message that wasn't being heard before: phones don't have to suck. If PCs can be make non-sucky, why not phones? Maybe in a few years, someone will address the we-don't-want-suckiness market.

Re:What rock was she hiding under?

[SatanicPuppy]

Like most of us are in a situation to make things like that compatible with existing systems?

Whenever someone comes to me with that sort of demand, I tell 'em I'll be glad to support it, whenever they buy the software/hardware appliance/developers license/whatever that I'll need to run to support it. And I am happy to do that, because that does fall under the realm of things that I can do, unlike waving the magic compatibility wand and recoding interfaces to support a platform that only just released a real api.

Re:What rock was she hiding under?

[webmaster404]

I didn't know that KDE had an app by the name of Kkkorporation guess Ill have to look at it...

Re:What rock was she hiding under?

[Bert64]

To support it? An iphone is a lot less hassle to support from a corporate perspective than other types of device such as blackberry...
It uses standard IMAP, with support for SSL.. Standard SMTP with support for TLS...
It can even VPN, using standard l2tp/ipsec.
You don't need any additional software, assuming you're running systems that support the appropriate standards. Yes, the iphone does have some shortcomings but being a hassle to support is not one of them. It's just a case of people being scared of what they don't know.

Re:What rock was she hiding under?

[arminw]

....... IT should be used to supporting stuff that isn't ready for .....

But isn't that the fun and interesting part of an IT job. Coming up with clever solutions that others have not already thought of and pre-chewed and partially digested is what makes the life of a real engineer challenging and fun. This includes supporting Windows, possibly in ways and with methods the folks in Redmond have not even dreamed up yet.

Re:What rock was she hiding under?

I assume you've never seen or used a BES (Blackberry Enterprise Server) in a medium or large corporate environment.
Maybe the iPhone is easier if your corporation is less than 10 users and John is your trusted IT guy. Do that many companies really allow direct access to POP/IMAP/SMTP from the random internet to the corporate email system? You can fire up Thunderbird and connect to your companies email? Not a single place that I've worked has done that. Really.
One person can maintain thousands of crackberries from one console. "Maintain" means provision, destroy, deploy, maintain, monitor, manipulate, update, and configure all aspects of the device. You can even see who currently has a signal and when their device was last seen somewhere in the world and when it last sent and received email, feedback on if your changes made it to the device and the response, update passwords, encyption keys, service books, see if new policies were applied to the device, how many messages are queued for delivery, and email alerts to yourself or a syslog when a certain % of all of your users are not getting coverage or the queue backs up. You can erase and wipe out the units with tracking if the device got that signal or not.

Re:What rock was she hiding under?

[Ash+Vince]

For me the lack of a user changeable battery was a show stopper. With every phone I buy I also buy a spare charged battery. That way if one runs out wheil I am out and about I can just swap to a new battery and call whoever I was talking to back straight away. This beats the hell out of trying to find an apple store in a city you may not know and may not have time to piss about in.

I am a die hard Linux user who generally hates Microsoft products, but I could not wait for the Google Phone so I bought a Kaiser instead. Cost me a shitload more than an Iphone would have but is a much better device.

- As montioned above it has a user swappable battery.

- Supports decent encrypted WiFi so I can connect to my home and works networks with no reconfiguration needed.

- It can be used as a 3G modem USB for my laptop when I have no WiFI within range.

- I can run loads more off the shelf apps on it as PocketPC is a much more established platform.

- It has SDK's available now so I develop any new tools I need.

- It has a fold out qwerty keyboard with tactile feedback when a key is pressed.

- It supports MS exchange integration for email, tasks, calendar and notes.

- It doesn't crash anywhere near as much as I was expecting (It IS a microsoft platform after all).

- It supports data encryption on the device so if I lose it the info has cursory protection from prying eyes. (Note cursory, I know you could probably crack it in a day or two)

Like it or not these are key features for a large number of corporate customers with the exception of the keyboard, that was a key factor for me though.

The main plus point of the Iphone seemed to be that it looked pretty.

So FUD... and a non sequitur

[revscat]

'The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'

So the summary starts off being nothing more than FUD, and since that won't hold water descends quickly -- albeit nonsensically -- into a completely different topic.

I guess Zonk hates the iPhone. Or is looking for page views. Or something. *shrug* Whatever, none of this makes a lick of sense.

Re:So FUD... and a non sequitur

[Firehed]

Sounds about right. This so-called 'worm' is nothing more than a useless file - THAT YOU HAVE TO CHOOSE TO INSTALL - with a bad uninstaller script. It's about as much a worm as typing 'sudo rm -rf /' into the terminal because some stranger on the internet said it's a good idea (for the uninformed, it's a great idea, and definitely try it and give it your root password when prompted)*.

The only known actual exploit on the iPhone is the TIFF exploit that JailBreakMe.com uses for powers of good (which, while jailbreaking the phone, also patches the exploit it used to do so). People that didn't use that hack likely updated to 1.1.2 firmware, which also patches that hole.

No, it's (most irrelevantly) not a corporate blackberry replacement. It's not really perfect at anything, though I'll say that the solitaire game really lends it self fantastically to the touch interface. But unlike most multifunction devices which really half-ass everything, it does most things quite well and the sacrifices made are understandable and more importantly are not deal-breakers.

*Hey, I'm a stranger on the internet. What did you expect, candy?

trojans

I was always taught that trojans were good things that you used so you wouldn't get viruses. Now you're telling me something different?

Curious

[Nom+du+Keyboard]

Curious how this only affects unlocked iPhones. Just who is that to the benefit of?

Re:Curious

[2nd+Post!]

It isn't funny, at all. By not releasing an SDK for 6 months, Apple had a host of volunteer security testers search for every exploit, overflow, and vulnerability on the device (which they promptly fixed).

And of course, in the course of those six months, there are some people who have NOT patched their system against these vulnerabilities.

Re:Curious

[jacksonj04]

Oh for the love of God, not another /. "The corporations/government are out to get our freedom/data/money!" conspiracy. Perhaps it's just exactly the same as the vast majority of exploits for everything else with a processor, and it's somebody either proving a point or out to make a name for themselves.

There is of course an easy solution to the virus problem. Apply the damn patch, and if you want an open device you can play around with don't buy an iPhone in the first place!

Re:Curious

[DaggertipX]

That depends, do you consider usability a feature? Or are you yet another slashdot user that thinks that a user interface is no more than "pretty graphics"?

Sorry... I'm a UI designer, and posts like this almost make me froth at the mouth.

Wrong

[MBCook]

1. It is not a worm. That would require it to spread
2. Software installed on systems without privilege levels (like the old days of DOS or OS 7) is allowed to do anything... duh
3. This isn't a flaw with the iPhone. Apple's way of installing applications may prevent this kind of stuff

Anything that starts with "replace the firmware of your device with this hacked firmware" can obviously cause you problems.

Re:Stuffed shirts

[Ferzerp]

You do realize that in many (most?) cases, we are mandated by law to protect our information on mobile devices with passwords/encryption?

I'm a huge advocate of personal freedom, but on an enterprise-class mobile device, support for centraly managed policy is a MUST to comply with HIPAA, SOX, etc.

1984 does not apply to a corporate environment, sorry.

I'm sure a Windows Mobile phone is more secure

[EmbeddedJanitor]

NOT!

If you think the Windows desktop/server security is bad you should see the Windows CE security! Again, MS have delivered an OS that was designed for a disconnected system (PDA) then tried to put a crappy fence around it to make it secure in a connected world. Too little, too late.

As for trojans, well no matter what OS you run, a dumb enough user with sufficient priviledges can always run a trojan. Nothing new here!

Doesn't this only support Apple's position?

[UnknowingFool]

but it only infects iPhones that have 'been modified or opened through a security hole in the system.'

Since the very beginning, Apple has told people not to hack the iPhone because it could endanger the functionality and security of the device. Those who did could suffer when Apple updated the firmware. Now it appears hackers have found a way to compromise the iPhone because it had been already been compromised. By the way, the first hack into the iPhone require physical access to the phone so it's not like you surfing in your coffee shop will get you a Trojan. Someone first has to steal your phone and then hack it for this Trojan to work remotely.

Dresser

[Fnord666]

From the summary

It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'"

The author of the linked piece at Web Worker Daily said no such thing. In fact, the author didn't express a personal opinion one way or the other about the matter. The author was quoting a piecewritten by Benjamin Gray, who works for Forrester.

From the linked article

At least, that's the conclusion coming out of Forrester, whose analyst Benjamin Gray, lists 10 reasons why the iPhone is not yet ready to be an enterprise-class mobile device.

I will have to take the Web Worker Daily's word for it though, since I don't feel like ponying up $279 for a 6 page pdf.

Re:Dresser

[E-Rock]

It isn't a business device, but then I don't really think that's what it was designed to do in the first place. The iPhone doesn't play well with corporate data. POP e-mail isn't even available as a pull service from some companies and there is nothing to sync calendar data. All these business articles are trying to pit Apple vs RIM, where I see them as very nice manufacturers that are in different markets. Currently...

"dangers of a more malicious attack"

[Schraegstrichpunkt]

The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. So the summary starts off being nothing more than FUD, and since that won't hold water descends quickly -- albeit nonsensically -- into a completely different topic.

No kidding. News flash: If the iPhone is vulnerable, then the "dangers of a more malicious attack" are already there. The solution is to fix the iPhone, not to bitch and fearmonger about "hackers ... experimenting and gathering research".

Re:"dangers of a more malicious attack"

[Tsiangkun]

This only affects unlocked iPhones, so I assume by "fix", that you mean use as intended ?

Re:"dangers of a more malicious attack"

[Your.Master]

I don't think "unlocked" is the right word for a hacked iPhone. They were hacked through a security hole. So by "fix" he may well mean "close the security holes". You know. Fix the security bug.

Of course, people who hack it to hell and then don't ever upgrade again (in fear of bricking or whatever), their phones can't be fixed by their own actions.

Re:"dangers of a more malicious attack"

[die444die]

That security hole has been closed for a while, which is why you can find people trying to downgrade their iPhones back to 1.1.1 which will reintroduce the security hole, allowing them to jailbreak their phones again. The phones were infected when users who had already intentionally jailbroken their phones downloaded a new application from an unsafe software repository.

Attack of the Weasels

[Bullfish]

Sadly, this is another sign that as Apple products grow in popularity that they will attract the attention of the weasels. Whether or not the statements the weasels make hold any water, or whether or not the scares turn out to be true, the weasels are arriving.

Re:This kind of racism is intolerable

[mrami]

Ah do decla-uh, Miss Daisy Mae, Ah believe Ah have found the solution to our impendin' labor shortage here on Daddy's plantation. Allow me to elaborate:

1. Find them unlocked ah-phones
2. ???
3. Profit, ah say, profit, there Daisy!

Re:This kind of racism is intolerable

[BadHaggis]

Crackers?! are you trying to imply all hacks/exploits are made by southern white americans aka rednecks? For shame!

Shame on you for implying that I.. I mean, southern white americans aka rednecks are smart enough to even figure out what an iPhone is!

Re:Stuffed shirts

[mckinnsb]

You do realize that in many (most?) cases, we are mandated by law to protect our information on mobile devices with passwords/encryption? Yes. You do realize the FCC already checked to make sure that Apple was following the law, right?
Ok. I was just checking. Look- if your employees buy an iPhone and bring it to work, you don't have to support them joining the buisness network. If they complain, tell them that the company didn't furnish them with an iPhone and it was their personal telecommunications purchase decision. You sound like Apple should be sued for releasing a phone that was intended for personal use just because people decided to bring it to work- and use it in work. Guess what? The responsibility , under HIPAA regulations, as far as your employees are concerned, falls with *the employer* and the *employees*, not the *systems they choose to run*. If you choose a faulty system, its your fault. I didn't see any Apple commercials with doctors talking about how well they could use their new tool to communicate to their nurses.

She is right

[geekoid]

the blackberry is for the corporate tool.

yes, but

[EmbeddedJanitor]

only if you roll it out on a banana like they showed you in sex ed class.

That's a problem I always had as a teenager. It was easy to keep a condom in your wallet, but the banana got squishy after a couple of days and made an embarrassing mess.

Re:SLASHDOT SUX0RZ

WARNING the above link is A GOASTSE LINK!!! Stop the maddness and visit GOASTSE BLOCKER 2.3.67

Re:I'm sure a Windows Mobile phone is more secure

[UtucXul]

Considering how often my Motorola Q (Windows Mobile 5) reboots, freezes, or loses the ability to make network (voice or data) connections, there isn't much time left for it to be vulnerable. If that isn't secure (for a Microsoft product anyway), I don't know what is. And, if the battery life gets any worse, I'll probably only have minutes a day where the phone can even be turned on, which will shorten the window of opportunity for malware to get at it even more,

like a worm on a hook

[Teflon_Jeff]

Anything that is this popular, by nature, will attract viruses. This is definitely the tip of the iceberg, and it makes me wonder how much experience people at Apple actually have at preventing viruses, once the world at large cares enough to target them.

Re:SLASHDOT SUX0RZ

[PitaBred]

Is it a Firefox plugin or something? I can't seem to find any links on that page, just a picture of a gaping anus... help plz?

Re:Love the tags on this story

[e4g4]

In other news, analysts say that the XBox 360 isn't ready for primetime in the corporate market. "Out of the box, all it does is play games," said one IT professional, "it won't even let you check email without installing a rootkit called 'Linux'." A security expert from Microsoft was quick to point out that, "when used as intended - the XBox 360 is very secure. When running a software firewall called 'Halo 3' and operated by a security technician who has earned the much touted 'Legendary' certification, you can rest assured your data is safe from parasitic aliens from outer space." Another security professional was less avid: "I think for now, the 360 should stay in the living room."

If I had mod points...

[zieroh]

If I had mod points, could I mod the entire article down?

Ah, the virus-proof apple.

[caliburngreywolf]

Goes to show, the way to be virus-proof is to capture less than 20% of users (who bothers to ignore the 80% and go for the 20?) If there was a similar, but far more popular device, I'll bet the apple crowd would be happily touting the virus-proof iphone as their competitor sufferred attacks. Bad as Microsoft code is, it's the popularity that makes people attack it, similar to a trapper laying rabbit traps in a field, instead of bear traps. Far more rabbits, even if the bear's a juicier target.

Re:Ah, the virus-proof apple.

[mini+me]

Linux has somewhere around 40% market share for servers. Apache has 60% market share for web servers. So, I guess that explains why all the server and web server viruses are for Linux and Apache. Oh wait...

Oh. And.

[Swift2001]

When Apple said, "Hey, you find a security hole to install third-party software, we're going to have to close the hole," everybody yelled and screamed. Now someone's using the back door that the hackers found. Well, as Gomer used to say, "Surprise, surprise." I wonder if the new software update closes that hole.