It may be just an innocuous prank, but the confirmed sighting of a malicious Trojan created for unlocked iPhones is a perfect example of the damage that can be done with a clever social engineering attack.
According to warnings from two different anti-virus vendors, a malicious iPhone software package circulating on the Web could cause legitimate third-party applications to be nuked if the Trojan is uninstalled from iPhones.
The malicious package does not cause any damage beyond the risk of removing legitimate applications but, as F-Secure explains, it is a wake-up call for those who have opened their iPhones using a security hole in the system and then installed unverified software without a second thought about what they are doing.
“This time it was an 11-year-old kid playing with XML files who created the Trojan. Next time it might be someone else with more skills and with a specific target.”
According to Symantec researcher Orla Cox, the dubious package was called “iPhone firmware 1.1.3 prep” and touted as an “important system update.” Instead, it could be an irritant to users who load third-party utilities on unlocked iPhones.
“Some of the applications it overwrites are ‘Erica’s Utilities’ (a collection of command-line utilities for the iPhone) and OpenSSH. If the user chooses to uninstall the bogus package, these applications will also be removed. Affected users will need to reinstall these applications.”
I’ve argued before that zeroing in on the iPhone to raise security alarms is a bit of a non-story because businesses should treat the iPhone like every other device that can store data.
Here’s the best advice, from Matasano’s Dave Goldsmith:
“Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns. Yes, somewhere deep inside of every enterprise is a small team of people that has to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace. If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.”