ShmooCon | Your iPhone's Dirty Little Security Secret

Just how easy is it for the bad guys to use your iPhone against you? Well, pretty easy. Trevor Hawthorn explains what to do about it.

WASHINGTON D.C. -- We've heard much about how our PCs and laptops can be compromised through malware and insecure wireless access points and often comfort ourselves with the knowledge that our smart phones are safe from such things.

But the smarter these phones become, the more susceptible they become to those same dangers, and more. That was the warning at ShmooCon 2010 this morning from Trevor Hawthorn, founder and managing principal at Stratum Security.

See also: 3 Simple Steps to Hack a Smartphone (Includes Video)

"The old smart phone wisdom in terms of security best practices was that you simply needed to wipe the devices of all your data before selling them on eBay," he said. "Today, you can use them to access the company VPN and Outlook, so the dangers are much more in line with those of PCs and laptops."

Hawthorn discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device.

Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.

For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.

"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.

And target they have.

Exhibit A is the iKee worm. According to an earlier analysis from security vendor Sophos, Apple iPhone owners in Australia were infected by a worm that changed their wallpaper to an image of 1980s pop crooner Rick Astley. "The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH," Sophos Senior security Consultant Graham Cluley wrote. "Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message: 'iKee is never going to give you up.'"

This may seem harmless, but Hawthorn noted that such malware is easily adapted to do more insidious damage, like stealing sensitive data.

Also worrisome is that the bad guys can use the advanced map and GPS software on these devices to see exactly where a person is and where they are going. From there, the cyber threat becomes a physical one. [Related ShmooCon story: Inside FarmVille's Sinister Underbelly]

One way the bad guys can target the phone user is through a game called "Underworld: SweetDeal," a free location-based iPhone multi-player online game about trading controlled substances in the real world.

Hawthorn noted how players can use Google Maps to locate where other players are physically. He found players in some interesting places through the course of his research. He was able to track one player to a parking lot outside the headquarters of NSA. Another player was tracked to a parking lot outside CIA headquarters.

"You can check a person's movements because the game checks in on your device's location regularly," he said.

His advice in this dangerous new world?

For one thing, be careful with games like these and understand that you're opening yourself up to danger, including physical abduction.

As for the jailbreak threat, the solution is a lot more simple. Just don't do it, he said.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies