The following information is from a friend of mine (Michael Jenkins) who has had first-hand experience with the issues. It highlights what may be an ongoing hack on the iPhone OS. Details are sketchy right now, but investigations are under way by a number of sources. Please read the information and if you feel you’ve seen this then contact Michael directly.
We spend a huge amount of money, and resources, on protecting our data and infrastructure from unscrupulous use. We analyse networks, servers and software looking for the smallest leak. In days gone by, the simple floppy disk or USB key was a risk. Then it became unencrypted lost laptops (or net tops) and there have been the ever-present threats from the internet.
Rarely do we review such useful devices and simply trust them, like the iPhone.
What would you do if you looked down at a friend’s iPhone one day only to see your domain username and password splashed across the screen?
We trust devices such as iPhones. We trust companies like Apple to give us secure devices and have partnership agreements in place to cover bridging technologies (like Microsoft ActiveSync) so that the device we hold is as patched and protected as it can be. If something goes wrong, we trust them to fix it as quite simply we can’t. We can patch with whatever they give us or turn off the dangerous features, making them useless, but we can’t really tweak that much.
During this week I have had such a wake-up call. I have been dragged into this scary world. As an IT specialist and someone that works with security daily, I have overlooked the simple. The device that I, and many others, carry in their hands and on their hips.
I was contacted earlier this week by people who had Flash SMSs sent to their iPhones with some very scary words. During the remainder of this week I have been exposed to numerous more phones, including one in Florida, which have had sensitive information flashed up to the screen. The information contained on the screen includes domain information, passwords and even iTunes and Gmail account passwords. I have seen parts of Visa card numbers and much more.
I am only guessing here, but with the huge amounts of information available on the internet and even apps in the iTunes App Store which allow you to send your own Flash SMSs, I suspect someone has made a two-part hacking tool. One part is malware and gets into possibly Microsoft Exchange servers or at the very least gets into ActiveSync and starts cultivating usernames and passwords, and the other part sends Flash SMSs to random phones whose numbers are stored in your favourites in your phone PIM data. From the screenshots I have seen, I have seen domain controllers internal domain names, local administrator passwords for workstations, network usernames and passwords and much more.
The Flash SMS is an interesting tool. It was designed for telcos to send important messages to their users. It leaves no SMS in your inbox or anywhere you can see on the phone and simply leaves you with one button on the screen to dismiss the message. It is not meant for the purpose I am seeing.
Currently I am working with numerous security partners including Microsoft and Apple to resolve this. If you get any such messages accompanied by the SMS audible tone, press the power button and main button to take a screenshot and send it to firstname.lastname@example.org
I hope to soon be able to tell you what to do to keep safe. At the moment all I can suggest is to remove credit card numbers from iTunes accounts, change your passwords and update to OS 4.0.2.