July 3, 2007 10:16 AM PDT

iPhone vulnerabilities: The hunt is on

by Robert Vamosi

Now that the iPhone is available, the hunt is on to prove or disprove claims from Apple that the phone's security is up to the public challenge.

Criminals and researchers alike have been working overtime to learn what they can about the hardware and operating system that run the iPhone. While several researchers have quietly reported a few Bluetooth and Safari iPhone-related flaws directly to Apple, there is a public (albeit underground) effort to subvert the new mobile platform for fun and profit.

One underground site has collected information from the iPhone's Macintosh OS X Disk Copy disk image file. So far, participants have succeeded in using a Unix program, with the help of the Full Disclosure mailing list, to discover the encrypted passwords for the mobile and root accounts. But since the iPhone lacks a console or terminal, there is no way for anyone to use this information right now. In both cases, the predetermined passwords were found to be six characters, all lowercase letters. It has been suggested that the passwords are an artifact from an earlier operating system build and may have nothing to do with the iPhone.

Stated goals on the underground site collecting this information suggest that participants not only want to break open the disk image (to expose possible vulnerabilities) but also crack open the service activation codes, unlock the iPhone from AT&T, run third-party applications, and support use of the iPhone as a modem.

The good news is that Apple, not AT&T, will be handling iPhone security. Where mobile-service providers are traditionally slow to update their OS and firmware, Apple has been pretty good about pushing out patches for its other Mac OS X platform products. Updates for the iPhone mobile OS will be pushed through iTunes when ready. It is expected that Apple will start its updates for the iPhone by the end of this week.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.