IPhone Flaw Lets Hackers Take Over, Security Firm Says

Charles Miller, shown on his iPhone, said that after finding a hole in security, “you were in complete control.”

By JOHN SCHWARTZ
Published: July 23, 2007

A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device.

The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.

Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem.

A spokeswoman for Apple, Lynn Fox, said, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”

“We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security,” she said.

There is no evidence that this flaw had been exploited or that users had been affected.

Dr. Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages —

Online social network will help reveal sex offenders….

Published: May 16, 2007

MySpace, an online social network popular with teenagers, said in two statements yesterday that it was prepared to work with state attorneys general who have requested the identities of MySpace members who are known sex offenders.

But the company said its cooperation hinges on whether the state officials follow the law and subpoena the names, a step that a leader of the state attorneys general said was not necessary.

In its first statement, MySpace said it was “doing everything short of breaking the law to ensure that the information about these predators gets to the proper authorities.”

MySpace, a division of the News Corporation, said it would release information about its members as long as it was able to comply with the Electronic Communications Privacy Act. That law “prohibits us from disclosing the information they’re seeking without a subpoena,” the second statement said.

MySpace’s statement was interpreted as a rebuff by Richard Blumenthal, the attorney general of Connecticut and the co-chairman of a working group of 50 attorneys general.

“I do believe it is disingenuous and disappointing because much of the information that we have sought, specifically the numbers of convicted sex offenders on the site, require no subpoena or any other compulsory process,” Mr. Blumenthal said. “We have a valid and viable need to know about convicted sexual offenders who may pose a threat to children.”

Mr. Blumenthal said that parole conditions for sex offenders ordinarily say that they cannot be in contact with children.

He said that Connecticut and other states do not require subpoenas for enforcing parole conditions. Mr. Blumenthal said he plans to convene a conference call in the next few days of the 50 attorneys general to decide how to respond to MySpace.

He said they would issue subpoenas, if need be.

Hemanshu Nigam, MySpace’s chief security officer, said in an interview that the site had already taken down the profiles of thousands of sex offenders since the beginning of May, when it began running its own database check.

“We’re hoping that we can work out the proper legal channel so we can provide this information to the attorneys general,” Mr. Nigam said. “The attorneys general have a particular goal, which is to try to do something against online predators, and we do too, which is to try to keep them off our site.”

Mr. Nigam said that the company had aggressively tried to crack down on sex offenders. Late last year, the company hired Sentinel Tech, a company in New York, to design a system to compare its 175 million member records with public sex offender records.

“In six months, we are the only company in the country that has stepped up in an area that faces the entire Internet industry,” Mr. Nigam said. “We did it with our own costs.”

Information source: nytimes.com