Right after the first Hello World app, the New York Times is now reporting that security firm Independent Security Evaluators has discovered the first flaw in iPhone's security, taking "complete control" over all data and call capabilities by using a simple Web page, apparently just loading it and without any user intervention whatsoever. Video demonstration after the jump.
In the words of the company's principal security expert and ex-NSA agent Dr. Charles A. Miller:
Once you did manage to find a hole, you were in complete control.
According to NYT's John Schwartz:
the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages -- including one that had been sent to the reporter's cellphone moments before -- as well as telephone contacts and e-mail addresses.
Scary? It gets worse: they can use your iPhone to make calls - all without any user intervention, just by loading the web page.
Steven M. Bellovin, professor at Columbia University and ex-AT&T Research Labs security expert, confirmed to the NYT that the hack seemed "genuine" and added that Windows Mobile phones could be similarly attacked.
While security flaws in the iPhone were expected, what is surprising is that they have appeared so early in the game. Or maybe not, because given it's JesusPhone status, security companies and hackers all over the world must be racing to get a piece of its media darling pie. [New York Times]