Showing posts with label smart phones. Show all posts

Saturday, July 28, 2007

iPhone hacked under laboratory conditions

There is no doubt that the iPhone, Apple's new entry in the smart phone market, has received a lot of attention. I just had the opportunity to use one, and it is truly an amazing toy, especially when compared to what else is out there.

Whenever something is popular, Internet outlaws normally try to figure out an angle on how to exploit it for their personal (probably financial) gain. In the interest of getting one step ahead of the bad guys, some of the good guys are trying to discover some of the potential issues with the iPhone before they occur.

Read a post written by Mike Gikas on the Consumer Reports Electronic Blog, which stated:

This week Independent Security Evaluators (ISE), a U.S. independent testing lab, dramatized the looming danger by piercing the defenses of the much-vaunted iPhone. (ISE is the lab whose help Consumer Reports seeks for our evaluations of security software. See our report on how we test antivirus software and look for our 2007 State of the Net report, which posts to ConsumerReports.org in early August.)

Apparently, ISE was able to hack a New York Times reporter's iPhone by having it visit a website, which downloaded malware (malicious software) on the phone and gave the testers access to files and iPhone functions.

A visual presentation of this evaluation has been posted on YouTube:



Please note this was done under lab conditions and we've yet to see any hacking of the iPhone done in the wild (at least to my knowledge).

Nonetheless, hacking smart phones might become a new trend that people need to be made aware of. Just about any device can be hacked if hackers are motivated enough to do so.

My personal theory is that as smart phones become more common, we will see them exploited more often.

Perhaps common sense when using any device that connects to the Internet is the best defense out there. Here are the tips offered from the Electronics Blog:
1. Only visit Web sites you know.
2. Only use Wi-Fi networks you trust.
3. Don’t open Web links from e-mails.


And of course, don't fall for anything that is too good to be true, or doesn't make sense. Social engineering techniques (confidence tricks, fraud) are normally what lure anyone into a technology exploit.

Here is a previous post on some controversial software being sold that can invade someone's privacy (my opinion) by loading it on their smart phone. Thus far, they are not advertising software that is compatible with the iPhone.

FlexiSpy - software that spies on people via their smart phone

Full post from Mike Gikas on the Electronics Blog (Consumer Reports), here.

Wednesday, July 04, 2007

FlexiSpy - software that spies on people via their smart phone


There is already a lot of "buzz" that mobile phones, especially those of the smarter variety, will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone who uses a smart phone.

Here is FlexiSPY's marketing pitch (from their site):

Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms etc.

If FlexiSPY is installed on a smart phone, it downloads data to their server 4 times a day, which can be accessed via the Internet by anyone paying for their service 24 hours a day, 7 days a week.

The FlexiSPY site blasts F-Secure, a security vendor, for calling their software a trojan, and claims FlexiSPY will not answer their e-mails. This is probably because F-Secure was the first one to question this software and its potential abuse factor. The site claims F-Secure's true intent is to sell their own software, which can remove FlexiSPY.

This is partially true; billions are made in the spy versus spy (white-hat versus black-hat) world of computer security. Although, in all fairness, F-Secure isn't the only one on record that is worried about the use of FlexiSPY's spyware.

According to FlexiSPY, their software IS NOT a trojan because it has to be loaded on a telephone by a human being, and the software doesn't replicate itself.

I wonder how long it will be before a hacker figures out how to drop the software remotely? Of course, it also makes sense that FlexiSPY wouldn't want someone to be able to replicate their software. Replicated software doesn't make them any money.

I'll leave it to the reader's imagination how a product like this could be used by criminals, spies, or stalkers.

It never ceases to amaze me how some of these products are sold right over the Internet to ANYONE! It gives credence to the old saying, "there ought to be a law."

FlexiSPY even lists several electronic publications on their site as "talking about them." I decided to see what a few of them (besides F-Secure) had to say.

Gizmodo states:

The software allows a sickening amount of privacy invading features.

Engadget states:

While FlexiSPY is designed to install itself invisibly, it's now been officially categorized as a trojan (which, face it, it really is) and has been added to F-Secure's virus database.

And the Register states:

A piece of software which allows a user to track another person's mobile phone use would be almost impossible to use in the UK without breaking the law, according to a surveillance law expert.

In fact, using this software could be illegal and subject to penalties in most of the civilized world. Most of these countries would require some sort of court order, even if this technology were to be used by law enforcement.

Gizmodo story, here.

Engadget story, here.

Register story, here.

FlexiSPY acknowledges the same concern that the surveillance law expert brings up in the Register article about them:
It is the responsibility of the user of FlexiSPY to ascertain, and obey, all applicable laws in their country in regard to the use of FlexiSPY for "sneaky purposes". If you are in doubt, consult your local attorney before using FlexiSPY. By downloading and installing FlexiSPY, you represent that FlexiSPY will be used in only a lawful manner. Logging other people's SMS messages & other phone activity or installing FlexiSPY on another person's phone without their knowledge can be considered as an illegal activity in your country. Vervata assumes no liability and is not responsible for any misuse or damage caused by our FlexiSPY. It's final user's responsibility to obey all laws in their country. By purchasing & downloading FlexiSPY, you hereby agree to the above.

I guess the old Latin saying "caveat emptor" (buyer beware) applies in this instance!