updated 11:25 am EDT, Fri July 27, 2007
iPhone and Black Hat 2007
Apple is facing pressure to fix a security problem with the iPhone in a matter of days, commentators say, to protect both customers and its reputation. The company has less than a week before briefings begin at the Black Hat 2007 conference, where members of Independent Security Evaluators plan to reveal the details of its iPhone exploit announced on Monday. Simply by loading a malicious webpage or forum post, according to ISE, users may accidentally grant a hacker complete access to their iPhone, even to the extent of allowing camera use.
While Apple representatives will not say whether the exploit can be patched in time for Black Hat, the conference's director, Jeff Moss, accuses the company of having had "plenty of time" to update the iPhone software. "It would be nice if they patched it," he says.
Errata Security CEO Robert Graham argues that a fix is important to preserve a superior reputation for Apple in the mobile phone world. Whereas most phone carriers handle software updates themselves, Apple has opted to accept that burden, increasing opportunities for both success and failure. "Right now other smart phones are full of vulnerabilities and they are not getting patched," Graham says. "This is actually a good test to see if Apple can do this better than the mobile carriers."
Meanwhile, Errata partner David Maynor is working on a zero-day attack that could appear at Black Hat, but which may be withheld on the grounds that he does not want a repeat of the wireless hack scandal. "We are trying to get something ready but there are no guarantees it will be stage-worthy in time," Maynor warns. "After last year...we make sure that it's painfully obvious or we don't do it."