iPhone vulnerabilities: The hunt is on

Underground sites fuel interest in breaking Apple's mobile security.

Now that the iPhone is available, the hunt is on to prove or disprove claims from Apple that the phone's security is up to the public challenge.

Criminals and researchers alike have been working overtime to learn what they can about the hardware and operating system that run the iPhone. While several researchers have quietly reported a few Bluetooth and Safari iPhone-related flaws directly to Apple, there is a public (albeit underground) effort to subvert the new mobile platform for fun and profit.

One underground site has collected information from the iPhone's Macintosh OS X Disk Copy Disk image file. So far its participants have succeeded, using a Unix program and with the help of the Full Disclosure mailing list, in discovering the encrypted passwords for the mobile and root accounts. But since the iPhone lacks a console or terminal, there is no way for anyone to use this information right now. In both cases the predetermined passwords were found to be six characters, all lowercase letters. It has been suggested that the passwords are an artifact from an earlier operating system build and may have nothing to do with the iPhone.

Stated goals on the underground site collecting this information suggest that participants not only want to break open the disk image (to expose possible vulnerabilities) but also crack open the service activation codes, unlock the iPhone from AT&T, run third-party applications, and support use of the iPhone as a modem.

The good news is that Apple, not AT&T, will be handling iPhone security. Where mobile-service providers are traditionally slow to update their OS and firmware, Apple has been pretty good about pushing out patches for its other Mac OS X platform products. Updates for the iPhone mobile OS will be pushed through iTunes when ready. It is expected that Apple will start its updates for the iPhone by the end of this week.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     
