Security

Only days after the ikee worm was unleashed on Australian iPhone users a tool has been discovered that steals private data from jailbroken iPhones. iPhone/Privacy.A is a malware tool that runs on computers (or on an iPhone) and scans the Wi-Fi network for vulnerable iPhones.

After discovering and accessing the devices in range it copies all private data including SMS messages, videos, email, calendars, music, photos and all other app data to the computer. The program does all this without ever making the iPhone user aware of its intrusion.

Rickrolling has finally made it to the iPhone. The first known iPhone worm has been released in Australia, spreading from phone to phone over the network. Only jailbroken iPhones running SSH with the default root password are affected.

The ikee worm exploits this security weakness to infiltrate the iPhone file system and search for other jailbroken iPhones in the vicinity. The malware also changes the lockscreen wallpaper to a photo of 80s pop icon Rick Astley with the message "ikee is never going to give you up."

Jailbreakers everywhere should be aware that the default root password from Apple is "alpine" and presents a security threat if SSH is installed. SSH can be uninstalled or switched off when not in use, however changing the password once will solve the problem.

To change your root password and help prevent unauthorized access to your iPhone:

1. Install the MobileTerminal package using Cydia.

2. Run the Terminal app.

3. Type "su root" without the quotes and touch return.

4. Type the root password "alpine" and touch return.

Apple has released version 3.0.1 of the iPhone OS software. This fixes the recently revealed SMS security flaw. The security hole was illustrated on Thursday by Charlie Miller at the Black Hat 2009 conference in Las Vegas.

iPhone owners can download and install the 3.0.1 update using iTunes immediately. Left unpatched, the problem makes it possible for iPhones to receive malicious binary programs through SMS messages without the user's knowledge.

A massive iPhone security flaw was illustrated on Thursday by Charlie Miller and Collin Mulliner at the Black Hat 2009 conference in Las Vegas. Word of the demonstration had been brewing for days, however Apple has remained silent on the issue.

The problem makes it possible for iPhones to receive binary programs through SMS messages without the user's knowledge. These programs can then give someone using the exploit complete control over the device.

If you thought your iPhone 3GS was more secure than the original iPhone or the iPhone 3G, think again. iPhone developer and hacker extraordinaire Jonathan Zdziarski says the encryption Apple has implemented on the iPhone 3GS is next to worthless.

With many businesses, higher education institutions, and government agencies starting to use the iPhone, Zdziarski cites poor encryption as cause for concern. In a demonstration to Wired, he pulled live sensitive data from an iPhone 3GS using readily available free software in only two minutes.

iPhone OS 3.1 beta versions have already been seeded to developers, meaning an update for the general public is imminent. Apple released iPhone OS version 2.1 only a month after 2.0 was made available last year.

The iPhone 3GS hit store shelves on June 19th running iPhone OS 3.0, and reports have indicated that millions of iPhone 3G and original iPhone owners have already upgraded their operating system. The new version includes 46 security fixes and new features such as copy and paste. So will it be worth upgrading again so soon?

The non-profit Center for Internet Security (CIS) has released a free benchmark on iPhone security, currently the only document of its kind. The full benchmark is available on the CIS website and only requires a free registration for download.

The purpose of the benchmark is to educate iPhone users and network administrators on the best ways to protect sensitive data on the device. The document provides over 20 recommendations and instructions regarding iPhone OS settings, Safari and iPhone Configuration Utility settings, strong password creation, and secure data destruction.

In a hint of things to come, more patents submitted by Apple just a few months ago show advances in future security designs for iPhones and notebook computers. The new authentication methods include several biometric technologies that would verify the identity of a user without any additional input from the owner of the device.

Examples would use cameras and software for facial recognition or allow a touch screen to identify a fingerprint. These methods could authenticate a user and protect private information without the current delay required when entering a passcode.

Many iPhone users have used the passcode lock feature to protect personal data. So everyone's information is safe and secure, right? Turns out it can easily be viewed without the password if the phone has been updated to firmware version 2.0.2. Even if the phone is locked, in emergency call mode a double-click of the home button brings up favorite contacts.

This alone might not be a problem, except that from this screen dialing provides access to the full contacts list, voicemail, and dial keypad. From the contacts list, sending a text opens the SMS application and text history. One click on an email address opens the mail application and all of your mailboxes. Similarly, any links in emails or contacts will open Safari, including history and bookmarks.