Security experts have uncovered flaws in Apple Inc’s iPhone that they said hackers can exploit to take control of the popular device, using the tactic for identity theft and other crimes.
Users need to be warned that their iPhones are not entirely secure and Apple should try to repair the vulnerability as soon as possible, they said at the Black Hat conference in Las Vegas, one of the world’s top forums for exchanging information on computer security threats.
“It’s scary. I don’t want people taking over my iPhone,” Charlie Miller, a security analyst with consulting firm Independent Security Evaluators, said in an interview.
Miller and Collin Mulliner, a PhD student at the Technical University of Berlin, also discovered a method that allows hackers to easily knock a victim’s iPhone off a carrier’s network.
Knocking the phone off the network prevents users from making calls, accessing the Internet and exchanging text messages, they added. They said the information they presented at Black Hat will give criminals enough information to develop software to break into iPhones within about two weeks.
They said they warned Apple of the flaw in the middle of July, but that the company has yet to fix it. “Apple’s credibility and reputation could get hurt if they don’t respond. Positive buzz is good; negative buzz is much more harmful,” said Trip Chowdhry, an analyst with Global Equities Research.
About 4,000 security professionals were in attendance, including some who are really hackers. While experts ferret out software flaws to fix them and protect users, hackers use the same information to devise pranks or commit crimes.
The researchers showed the audience how to break into iPhones by sending computer code via the phone’s SMS system. Mobile phones use SMS to send and receive text messages along with software upgrades. They said that the phone’s users cannot detect that it is receiving the malicious code.
It is not illegal to disclose ways to hack into computer systems, though it is against the law to use those methods to break into such systems. When asked why they would hand over such information to criminals, security experts said they felt it was necessary to alert the public that iPhones were just as vulnerable to attack as personal computers.
“If we don’t talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what,” Mulliner said.
They have successfully tested the hacks on iPhones running on networks of four carriers in Germany along with AT&T Inc in the United States. They said they believed the methods will work with iPhone carriers around the world.
The two said they used a similar method to break into phones running on Google Inc’s Android operating system. Google patched the flaw after they notified the company of the vulnerability.
Apple officials could not immediately be reached for comment.