The curse of popularity: Hackers love Apple's iPad, iPhone, too

The curse of popularity: Hackers love Apple's iPad, iPhone, too

Summary: For a long time, hackers didn't bother with Apple and its niche audience. But now that the iPad and iPhone have gone mainstream, hackers have their eyes on iOS.

SHARE:

One of the greatest things about being a Mac instead of a PC is not having to deal with all the headaches of viruses, adware, trojans and all of the other havoc that hackers have been placing on Windows users for more than a decade.

Of course, that's not to say that Macs have never been vulnerable - it's just that hackers tend to go where the masses are, where their chances are greater that someone in the pack will click on the bad link or open the bad attachment.

Now, as the popularity of the iPhone and the iPad - both of which run iOS - has gone mainstream, the hackers are tapping iOS. And surely, they're counting on users - who have long known about vulnerabilities to computers - to be naive about the vulnerabilities that are possible in the mobile world.

Also see: Your iPhone, iPad and iPod touch devices are all wide open to hackers

Today, Gizmodo posted an unsourced report about a security breach in iOS products that are being pushed through PDF files and the Web pages that load through the Safari browser. Gizmodo calls the vulnerability "easily exploitable" and explains that unsuspecting users who could be giving "total control" of their iPhones, iPod Touches or iPads to hackers. The blog reports:

It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device. The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions... anything can be done.

Again, the Gizmodo post is unsourced, though it does link to a couple of other blogs that offer more technical details about what's at work here. [Macstories and Digdog] Still, it's important for iPhone and iPad owners to recognize that the invisible Apple security blanker that once came with being an Apple customer is going away.

The company is quick to boast the number of iPhones and iPads out there - now in the millions. And market tracking firms are also quick to note how the iPad has given Apple a huge head start in the tablet market and how the iPhone - even though it doesn't have the largest market share - is the smartphone that competitors are targeting. But competitors aren't the only ones placing that target on Apple's back. Hackers are apparently eyeing it, too.

The Gizmodo post includes some information about a product that warns users when dangerous PDFs are about to be installed - but that requires you to jailbreak your device, which will void your warranty. It also notes that Apple has not yet responded to its inquiries about this particular vulnerability.

Hopefully, that's because the security team is working double time to address the breach - and looking for ways to deal with breaches that are sure to surface in the future.

Related coverage: Forrester: Apple's iPhone, iPad secure enough for enterprises, but RIM rules security roost

Topics: Hardware, Apple, iPhone, iPad, Mobility, Security, Smartphones

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

79 comments
Log in or register to join the discussion
  • Truth, its only just begun.

    Watch what happens in the next year.
    NoAxToGrind
    • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

      Your Ministry of Truth reminds you: in order to be safe, everyone should buy and install Microsoft Windows.
      Robert Hahn
      • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

        @Robert Hahn - The Ministry of Truth just issued a new advisory: Install the Ministry of Truth's "Ultimate Security Monitor" program. If you choose to not install this program, then you must immediately disconnect all your computing devices from any networks and data plans.
        PollyProteus
  • But iPhone runs OS X...

    and OS X refuses to run "bad" code unless you type in your administrator password. This makes iPhone invulnerable to all malware. Or so we are told.
    NonZealot
    • OS X is immune!

      @NonZealot <br><br>OS X is immune! to <sub><small>Windows</small></sub> viruses! Always will be. It is true!
      honeymonster
      • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

        @honeymonster The last 2 posts sound tongue-in-cheek, but sometimes you can't tell, sometimes it is trolling.
        msandersen
      • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

        @honeymonster Not if you're on an Intel box ... PPC's are immune, but not the others.
        Starman35
    • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

      @NonZealot

      OS X asks you for your password - and according to some bloggers this is security.

      But how do you compare OS X's multi user features with iOS's single user features?

      They are both basically the same OS, but one of the differences is that iOS is not designed to have the multi-user interface features because an iPad/iPhone/iPod is a single user tool, and a desktop or laptop is a mulit-user tool.

      <i> Or so we are told.</i>

      Not by anyone who has used an iPhone, iPad or iPod you aren't!!!
      richardw66
    • PDF vulnerability not affecting Tabbrowse

      @NonZealot
      Looks like this affects only Safari. I tried to jailbreak using TabBrowse [http://itunes.com/apps/tabbrowse] and the jailbreak failed. Guess we are safe to use this browser on iOS. Safari has vulnerabilities, so what, every piece of software does. It must be that Safari runs as root while other browsers such as tabbrowse are sandboxed. Oh! dont you love the app store!
      browser.
  • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

    Had nothing to do with popularity, had everything to do with just how easy it was to attack these Apple platforms.
    Loverock Davidson
    • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

      @Loverock Davidson Yes, just as it is easy to attack a Windows platform. Wait until Windows 7 Phone is out..you'll deny when it's being attacked from all sides...but that's just your normal response to everything anti-Microsoft..you're in denial, just like you refuse to show me your credentials. You have none and you have no credibility.
      cyberslammer
      • WP7 isn't Out Yet! Can You Predict the Future? lol

        @cyberslammer What a clown troll comment. I suppose you're a gypsy fortune teller by trade? haha...

        Microsoft has been successfully running a Garden Walled Network of 40 $$$Million$$$ users now since 2001 in Xbox Live with few problems. They had an App Market before CrApple stole the idea, in Xbox Marketplace 2005. They've been running a Fire Walled Secure Hyper Tunnel Environment before CrApple even knew what that was. As they simply ripped off AOL HELL to Create iHELL in their garden walled iPlatform network! ....their App Store is a disaster with App Farms all over and all HELL breaking lose while users are getting ripped off to the iTunes of $$$1000's.

        Meanwhile Marketplace has been handling MILLIONS of transactions without any major blowups whatsoever in it's 5yr history. That in a Garden Walled environment now near 10yrs old!

        WP7 phones will be on that exact same secure environment and although users won't have direct access to the web (just like on CrApple's iHell) the Hackers won't have direct access to them either. Because they first have to hack the SSL Servers and that hasn't been done. Not only that, but they'd have to do it every single time since M$ runs remote authentication like what Adobe now runs in FLASH 10.1 content.

        When you open a PDF it has to be not only signed now, but remotely authenticated before it can be opened. Hackers can't duplicate remote authentication and I doubt that they will be able to, anytime soon. Spoofing and Hacking on WP7/Xbox Live Garden Walled networks will be impossible. So what are Hackers going to do? Stick with CrApple's revolving door way into their wHollier than iThou spoofable and hackable platform. You know..... thieves have always liked going through unlocked front doors over breaking down walls or going through broken windows since eternity! .....CrApple gives them just that!!! ;)
        i2fun@...
      • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

        @cyberslammer Nice deflect... except Windows phone 7 isnt even available yet, so any talk of security vulnerabilities is pure speculation. The iSheep will just have to come to terms with the fact that they have a bit of a bullseye on them now.
        The Horns
    • They perpetuate the myth

      @Loverock Davidson No disagreement here. But the Wintards have to keep focusing on market share - like that has something to do with it.

      It's all about how the operating system is designed and has NOTHING to do with market share.
      rag@...
      • And yet... Even THIS article seems to think Market Share is relevant...

        @rag@...
        The 3rd paragraph of the article begins with:
        [b]Now, as the popularity of the iPhone and the iPad - both of which run iOS - has gone mainstream, the hackers are tapping iOS. [/b]

        The author, Sam Diaz, for what it's worth, is a Mac fanboy. He'll be the first one to tell you that himself. Allow me to translate the above clip.

        The iPad/Phone/Pod has hit critical mass. It's now OPEN SEASON on all iOS devices. Hackers are now taking notice and will be writing more and more crapware for it.
        Wolfie2K3
    • Spot on. And these are the devices I am constantly being told...

      @Loverock Davidson

      are ready for the enterprise? I'm told that RIM is dead, get rid of the 'Berries and usher in iPhones; meanwhile, Saudi Arabia is banning Blackberries because there encryption is [i]too strong[/i]

      And to all you idiots about to say "well...'windoze'...you allow windoze on your network"...um, yeah, i can manage windows to the T. Appearantly the only people who are allowed to manage the iDevices are Apple or hackers.

      It's funny...when someone with a Windows box goes to a website and it installs an o/s changing app, we call it hacked or pwned. but when the same thing is done on an iPhone, it is called jailbreaking.

      I guess that NonZealot fellow is on to something with the 'double standards'
      SonofaSailor
      • RE: The curse of popularity: Hackers love Apple's iPad, iPhone, too

        @SonofaSailor

        Saudi Arabia is banning blackberries because the messaging traffic is handled in the US and outside of their control.

        <i>It's funny...when someone with a Windows box goes to a website and it installs an o/s changing app, we call it hacked or pwned. but when the same thing is done on an iPhone, it is called jailbreaking.</i>

        No - if someone disables the security on Windows, and also removes the code signing checks, you'd call it pretty darn stupid.

        If someone disables code signing on the iPhone, enables SSH login without setting a password, and disables features designed to stop the OS being messed with, and at the same time stops the system for keeping the user within the contractual agreement they entered with the phone carrier, as the phone carrier paid for part of their handset, then you call it jailbreaking. And those that call it jailbreaking are in fact hackers - and why do you glorify their actions by using their word?

        Some people call theft 'lifting' or a '5 finger discount', doesn't make it right.

        Jailbreaking in itself is not a breach of copyright - and I for one never even imagined it was.

        Jailbreaking to break an agreement to use a carrier's network in return for them paying part of the handset costs is breach of contract. The latest ruling did not touch on this.

        Besides that factor jailbreaking your own phone is legal - but for many people simply misguided. If you need to do it because you need certain software, and you are not under contract with a subsidised handset, then go for it!!!

        <i>when someone with a Windows box goes to a website and it installs an o/s changing app, we call it hacked or pwned. but when the same thing is done on an iPhone, it is called jailbreaking.</i>

        Are you dumb?

        If someone goes to a website and chooses to install an app which changes the OS then we call that many things - but not pwned.

        If someone goes to a website and without their knowledge or consent the website modifies their OS, we call that hacked, pwned, hijacked or botnetted - very common.

        If an iPhone goes to a website and the website modifies the OS without the users knowledge or consent then we call that hacked, pwned, hijacked or botnetted - just like any other platform.

        The double standard is your attempt to pretend something about the iPhone because it is not part of your team - and to pretend duplicity on the part of others out of either ignorance or in fact duplicity on your part.

        <i>I guess that NonZealot fellow is on to something with the 'double standards'</i>

        I guess he is participating in double standards - but is he onto something? No
        richardw66
      • I want to clear up some misconceptions here

        @richardw66

        [b]If someone disables code signing on the iPhone, enables SSH login without setting a password, and disables features designed to stop the OS being messed with, and at the same time stops the system for keeping the user within the contractual agreement they entered with the phone carrier, as the phone carrier paid for part of their handset, then you call it jailbreaking. And those that call it jailbreaking are in fact hackers - and why do you glorify their actions by using their word?[/b]

        Jailbreaking is the act of modifying the iOS to allow non-Apple authroized apps to run on the iPhone. And HOW is "...disables features designed to stop the OS being messed with..." a bad thing? While Apple does have certain rights the do NOT have the right to mess with apps I install on a device I paid for. Also enabling SSH on the iPhone and not changing the default password is not jailbreaking, that is lack of common sense. Jailbreaking does NOT automatically enable SSH, that has to be done via user interaction.[b]

        Some people call theft 'lifting' or a '5 finger discount', doesn't make it right.[/b]

        THIS is the asinine argument that amuses me the most... tell me HOW is jailbreaking the iPhone theft? In and of itself it is not - there ARE ways to get hacked and cracked apps on the iPhone but that is something that most people who jailbreak do not condone... including me.[b]

        Jailbreaking in itself is not a breach of copyright - and I for one never even imagined it was.

        Jailbreaking to break an agreement to use a carrier's network in return for them paying part of the handset costs is breach of contract. The latest ruling did not touch on this.[/b]

        Jailbreaking in and of itself is NOT going to break an agreement with the carrier - please tell me what part of the contract says I cannot modify the OS of my device? If it is not in the contract as saying I can't then jailbreaking is not a breach of contract... Now perhaps you are confusing jailbreaking with unlocking the latter of which is the process where one can unlock the device to be used with any compatible carrier (i.e. unlocking the iPhone in the US to be used with T-Mobile) but once one is out of contract then there is no issue and if one terminates the contract early they are charged the ETF which allows the carrier to reclaim the portion of the cost of the device they subsidized.
        athynz
      • Thank you for arguing semantics...

        @richardw66

        instead of addressing the point of my post which was [b]these devices just may not be ready for enterprise[/b]

        But, in Apple fashion, you skirt the issue and try to explain to me what the definition of 'is' is.

        Well done.
        SonofaSailor
      • To Jail Break or Not To Jail Break..... That is the Question!

        @SonofaSailor AT&T did not want to willingly set up Apple's Garden Walled environment or setup the Video/Voice Mail Servers for them either. They didn't want to do the separate network just for Apple's devices. Because they had just quit their own Garden Walled environment and now most networks have gone away from them. Including AOL and Verizon as service providers.<br><br>But they do serve a purpose if they are run properly. For instance Microsoft's Xbox Live is a Firewalled environment since it's inception in 2001. It was developed for all the right reasons though. To protect it's users and keep anyone else from getting in and attacking them. <br><br>Apple created theirs originally for these same reasons. But when they made their App Market on their AT&T Garden Walled networks (copy of MS's Marketplace) they began to take advantage of this control scheme to the detriment of their users. Who #1 were prevented from changing to other service providers. #2 from installing applications they wanted. Because of the Exclusivity Contract signed with AT&T in order for them to recoup the server and Garden Walled Network setup costs to run Apple's separate Mail & App Store on. That without getting any direct returns of profits off the App Store.<br><br>That contract is debatable for sure. But it is not still in effect or Apple would have, at least put iPhones and iPad on other providers in America. There are rumors of that contract being extended as of the one year anniversary of iPhone by Mac insiders and system engineers in convo's in Apple Fed Talk mailing lists:<br>
        http://lists.apple.com/archives/fed-talk/2008/Jul/msg00157.html
        <br><br>But who really knows. Has AT&T yet recouped the costs of setting up separate billing and services for iPhones and iPads? Who knows and even if they have that wouldn't break the 5yr exclusivity of the their contract. It seems to me that AT&T holds all the cards, because Apple would have to supply all the those services in other ways on other providers and I don't think AT&T would let competitors here do that here in this country. In England alone, their are 7 wireless providers selling iPhones. AT&T is one of them there too. But they allow those competitors to access Apple's Video Voice mail and App Market Server networks because they have a lock on American iPhones and iPads for at least 2 more years (2012)!<br><br>Do you really think AT&T Cares (or any service provider in the World? they still get monthly service fees and they remain locked to that carrier), if users Jail Break iPhones and iPads in America? I don't think so, now that there is no unlimited service and they make more when you use more bandwidth.<br><br>Simple legal Jail Breaking:<br><a href="http://www.telegraph.co.uk/technology/apple/7922135/JailbreakMe-Apple-iPhone-4-hack-released.html" target="_blank" rel="nofollow"><a href="http://www.telegraph.co.uk/technology/apple/7922135/JailbreakMe-Apple-iPhone-4-hack-released.html" target="_blank" rel="nofollow">http://www.telegraph.co.uk/technology/apple/7922135/JailbreakMe-Apple-iPhone-4-hack-released.html</a></a> <br><br>Facetime now available via Jail Broken iPhones along with FLASH if you want and people seem to be grabbing both by the bucket load all over the World since Jail Breaking is basically been declared Legal in EFF decision!<br><br><a href="http://thenextweb.com/mobile/2010/08/02/facetime-over-3g-becomes-a-jailbroken-reality/" target="_blank" rel="nofollow"><a href="http://thenextweb.com/mobile/2010/08/02/facetime-over-3g-becomes-a-jailbroken-reality/" target="_blank" rel="nofollow">http://thenextweb.com/mobile/2010/08/02/facetime-over-3g-becomes-a-jailbroken-reality/</a></a><br><br>FLASH on iPad if it's Jail Broken (which it has been)!<br><a href="http://www.gaj-it.com/20473/unofficial-flash-workaround-coming-to-jailbroken-ipads/" target="_blank" rel="nofollow"><a href="http://www.gaj-it.com/20473/unofficial-flash-workaround-coming-to-jailbroken-ipads/" target="_blank" rel="nofollow">http://www.gaj-it.com/20473/unofficial-flash-workaround-coming-to-jailbroken-ipads/</a></a>
        i2fun@...