
Monday, July 23, 2007

Apple iPhone - Hacked and Hi-jacked by ex(?) NSA wire juggler

Charles Miller, an ex-NSA employee and now a security analyst for Baltimore-based Independent Security Evaluators, claims he can take control of iPhones through a WiFi connection or by tricking users into visiting a Web site that contains malicious code.

Miller demonstrated the hack 'n' hijack to a reporter from the International Herald Tribune by using his iPhone's Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer, including recent text messages (one of them sent to the reporter's cellphone moments before) as well as telephone contacts and e-mail addresses.

"We can get any file we want," he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.

The whole thing is explained at http://www.securityevaluators.com/iphone/ with a handy video and FAQs, plus a downloadable PDF with more technical gumph: http://www.securityevaluators.com/iphone/exploitingiphone.pdf

The trick appears to take advantage of a buffer overflow bug at 1024 bytes in Safari that has previously been reported to Apple (and exploited). If the hole is on the Safari side, it identifies the downside of a phone with a semi-real browser installed: it becomes vulnerable to attack like any other user of that browser on a laptop or desktop machine.
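As an added illustration (not code from the post or from ISE's paper), here is the general shape of the bug class described above: a fixed 1024-byte buffer filled from untrusted web content without a length check, beside the bounded form that refuses oversize input. The function names and the all-'A' sample input are constructed for this example.

```c
/* Constructed example: fixed-size buffer fed from untrusted web content.
 * Not the Safari code; it only shows the pattern and its fix. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 1024   /* matches the "1024 bytes" figure quoted in the post */

/* Vulnerable pattern: copies a web-supplied string into a fixed stack
 * buffer, trusting its length. A page can hand the browser a value longer
 * than BUF_SIZE and overwrite whatever follows the buffer on the stack.
 * Kept here for comparison only; never call it with untrusted input. */
static size_t copy_unchecked(const char *untrusted) {
    char buf[BUF_SIZE];
    strcpy(buf, untrusted);          /* no bound: overflow if strlen >= BUF_SIZE */
    return strlen(buf);
}

/* Hardened form: check the length first, copy with an explicit bound, and
 * always leave room for the terminator. Returns the number of bytes
 * accepted, or -1 when the input would not have fit (reject, do not
 * silently truncate, so the caller can log and drop the request). */
static long copy_bounded(const char *untrusted, size_t len) {
    char buf[BUF_SIZE];
    if (len >= BUF_SIZE) {
        return -1;
    }
    memcpy(buf, untrusted, len);
    buf[len] = '\0';
    return (long)strlen(buf);
}

/* Builds a constructed "page payload" of n bytes (all 'A'). */
static const char *constructed_input(size_t n) {
    static char page[BUF_SIZE * 2];
    if (n >= sizeof page) n = sizeof page - 1;
    memset(page, 'A', n);
    page[n] = '\0';
    return page;
}

int main(void) {
    const char *small = constructed_input(100);
    const char *huge  = constructed_input(1500);
    printf("bounded, 100 bytes:  %ld\n", copy_bounded(small, strlen(small)));  /* 100 */
    printf("bounded, 1500 bytes: %ld\n", copy_bounded(huge, strlen(huge)));    /* -1 */
    printf("unchecked, 100 bytes: %zu\n", copy_unchecked(small));             /* 100 */
    /* copy_unchecked(huge) is deliberately not called: it smashes the stack. */
    return 0;
}
```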

The same problem was identified with the release of Safari for Windows last month, with a great deal more detail available... Apple very swiftly fixed it, and no doubt will fix this claimed vulnerability too. Meanwhile, stay well clear of unauthorised Wi-fi nodes and don't be misled into looking at sites called http://www.nakedladies.com/

Update: Apple claims a patch fixes this problem (Times)


(C) Very Seriously Disorganised Criminals 2002/3/4/5/6/7/8/9 - copy anything you wish