Jarno over at F-Secure commented on the recent “trojan” for the iPhone :
Hopefully this serves as a warning for those who have opened their iPhones using a security hole in the system and then installing unverified software without a second thought to what they are doing.
Warning noted. The lesson here is not that we, the hacked iPhone community, should not take advantage of the holes; the lesson is use some common fucking sense. Especially if you’re using a hacked phone with wireless stuff coming out of the wazoo.
Those of you reading this via RSS can fuck off… just about… now.
<!–more–>
Sorry, I’ve been meaning to do that for awhile.
Take note of three four things [1]:
- 1. It is portable
- B. It is highly networked
- 3. You can install all sorts of things at the touch of a finger
- 4. It might run some derivation of the almighty Unix, we’re not really sure. And the terminal emulation app is no help.
When you combine these things plus a pinch or two of stupidity and you have yourself the makings of a good time. iPhone users and smartphone users in general need to understand the power of the devices in their pockets.
The more power a system has the more likely someone is going to hack it. CPU cycles, bandwidth, data, and prestige are fragments of this power. A random server in China ready to be rootkit’d to serve copyrighted material on IRC, the credit card companies database server, and the really popular and trendy pocket-sized computer – they all have this aura, this power. An 11 y/o [q] is drawn to this power like a moth to light. You can’t really stop the kid, just like you can’t stop the moth. But you can turn off the light.
But think about power in relation to other devices. A bluetooth headset: portable, networked, but you can’t really do a whole lot with one. If you find a flaw in my Jawbone’s Bluetooth implementation and manage to exploit the flaw BFD. I don’t care if you can hack my headset. No power here. But the iPhone, I do care if you hack my iPhone. It plays a big role in communication.
When it comes down to it the iPhone is really just a server from your operations center shrunk down a bit. You’re walking around with a full BSD variant here, be aware of that fact. You wouldn’t install random, untrusted applications on your server in the op center, don’t do it on the server in your pocket without carefully exploring the source (code or person). Common sense. Plain and simple.
Verifying the source is only one way to protect yourself. You might still get hacked but at least you didn’t do the dirty work for the kiddie.
Now back to Jarno. Personally I would rather mod my iPhone rather than leave it stock. One of the open doors used by the mod community was a TIFF exploit. A TIFF exploit that allowed any arbitrary website to execute arbitrary code on my phone. The mod used the exploit to gain entry to the system and then closed the door behind itself. Had I not used the trusted exploit to mod my iPhone some random guy in Russia could be using it to server porn. All without me installing some random kids malicious package. Just to be clear: I’m pretty sure my iPhone is “more secure” now than it was when I started. Perhaps that warning is mis-placed. If you aren’t a retard your iPhone will be may be more secure after you have hacked it using the existing mods.
Yes I have to be careful. Yes others should be careful. Understand that someone will be attempting to hack the device in your pocket as long as that aura of power exists. Read reviews of the application, explore the source code, verify the source (website/person). Change the password when you install SSH. Turn off unused services like AFSd and SSH. You know, just look up any UNIX best security practices guide and read through it, most of it will apply here. Then pick up any book about embedded security, all of that will apply. Now go back to the library and pickup a book on wireless security. Or instead of reading, which I hate, you could just stop being a dumbass.
I couldn’t find a reasonable place to drop this one so here: “is that an iPhone in your pocket or did I just Trojan your Troy?” [2]
[1] The iPhone is actually all-knowing as well but I didn’t want to debate the omnipotence of the device. Debating over its powers only serves to anger the iPhone.
[2] This is not funny.
[q] I’m not trying to pick on eleven year-olds here. Twelve y/o works just as well. Eleven just seems like a good age for people to get interested in computer security and they also seem to discover capitalization and leet speak.
