UPDATE: Some folks are telling is that this is an iPhone 2.2.1 exploit already patched in 3.0. We’ll wait for an update from Black Hat before we exhale, however…

Almost a month ago we linked to an Engadget report on Charlie Miller and his SMS exploit for the iPhone. Well, today is the day he intends to show it off at the Black Hat conference.

Thanks to some last minute media attention, however, the general iPhone user base seems to be getting a tad nervous. And rightly so. We’ve said it before and we’ll say it again, in an ideal world, NSA expert come iHacker Charlie, who’s claim to current fame is using Mac exploits to win Pwn2own contests and free laptops, would work with companies like Apple and Microsoft (yes, it looks like Windows Mobile has an exploit as well), and those companies would patch the exploits as immediately as possible, before any “research” was publicly disclosed and any bad guys decided to use them as attack vectors.

TiPb will update post-Miller’s Black Hack disclosure, and hopefully Apple will roll the security fix into a quick 3.0.2 firmware release, or hurry 3.1 out of the gate.

Turns out that if you jailbreak your iPhone you remove most of the Apple’s security protections — 80% to be exact — and are vulnerable to attacks. At least according to Charlie Miller:

“If you care about security, don’t use a jailbroken iPhone,”

Miller, speaking at SyScan in Singapore, believes that by jailbreaking you open your device some major risks. The operating system on an iPhone is basically a watered down version of Mac OS X. For those of you who are unfamiliar with Macs, Mac OS X is the latest OS that Apple computers run. Macs are generally known for pretty risk-free machines with a few exceptions. Those exceptions being Java, Adobe Flash, and PDF files. The major risk on the iPhone is opening your device up to any application available on Cydia/Icy. iPhones will generally only run applications that are digitally signed by Apple, this is not the case when jailbroken. So if you don’t know what you are installing, there is a possibility you can be in for a world of hurt.

Of course just a few hours ago Rene told you about the huge vulnerability within the iPhone’s SMS application that Charlie found, so nothing is completely safe.

Does this scare you away from jailbreaking your iPhone? Perhaps you are thinking about doing a restore and going legit from now on? Let us know if this warning from Charlie sways you to avoid the jailbreaking life!

[Via Macworld]

In an ideal world, Mac and iPhone hacker Charlie Miller would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited “in the wild”.

Miller, however, prefers to keep them to himself so he can win MacBooks and detail them at Black Hat conferences. The good of the hacker obviously outweighs the good of the users, every one. So be it.

Miller’s latest iPhone-related find was disclosed at SyScan in Signapore:

a hole that would let attackers “run software code on the phone that is sent by SMS over a mobile operator’s network in order to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”

Apple, for their part, is hoping to have this patched before Miller’s upcoming Black Hat gig.

We hope so too.

[via Engadget. Thanks Travis for the tip!]

Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild — catching companies and users both by surprise.

Not sure we have any of that here. Macworld does report that, at the Black Hat Europe Security Conference, former NSA number cruncher Charlie Miller — who has rolled his ability to find exploits in the Mac version of Apple’s Safari Browser into tens of thousands of dollars and a couple free MacBooks at the annual Pwn2Own contest — claims to have:

…found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.

Miller previously gained attention for a Mobile Safari exploit that made for some quick early jailbreaking and led to Apple patching the problem in firmware 1.0.1.

What’s particularly disturbing, however, is that Miller also says he’s unsure whether or not Apple knows about the potential vulnerability.

He should know that absolutely dead cold, of course. He should have told Apple long before he made the information public, and only made the information public when Apple had a fix rolled out or ignored his warnings for so long that public pressure could reasonably be considered the only option in getting them to roll out a fix.

Either way, Miller should know that Apple knows because he told them first. Or do we no longer warn people in a house when we see a potential fire starting, but wait and see how much attention and cash we can get for the info first?