By David Worthington | Thursday, July 2, 2009 at 8:00 pm
Yesterday, security researcher Charlie Miller gave Apple a good pantsing at the SyScan conference in Singapore. Miller, who is the author of “The Mac Hacker’s Handbook,” revealed that the iPhone allows remote code installation and execution through SMS, a security hole that Apple is working to patch up.
That means that a hacker could potentially turn the iPhone into a remote tracking device by exploiting its microphone and GPS capability, or do whatever else he or she pleases.
Software that runs devices like the iPhone is complex, and there is always going to be a Charlie Miller who can uncover defects. However, Apple has been sharply criticized for lacking a company-wide, holistic approach to secure software development. Vulnerabilities will continue to slip by its engineers, placing iPhone users’ personal information and privacy at risk.
The iPhone 3.0 update contained 46 security patches, but it did not address the SMS vulnerability that Miller discovered; that fix is on its way (likely to be wrapped into the iPhone 3.1 update).
I expect that this SMS vulnerability is just the tip of the iceberg, and we will continue to see more like it until Apple upgrades its security practices.