JUST AFTER I disabled phishing detectors on one of my laptops, I read how a web developer could set up a phishing attack that results in total control of an iPhone. You need to code malicious content in a web page that opens in the Safari browser on the iPhone. Dr. Charlie Miller will be presenting the details of the exploit at BlackHat in Las Vegas on 2 August 2007. The preliminary paper [123 kb PDF] explains the iPhone exploit in greater detail. There are several places on the internet containing scripts that will do this. Here is how the exploit works:
Establish a wireless access point that uses the same name as a WiFi node previously used and trusted by the iPhone owner. For example, dozens of iPhone owners have already logged on around the Duke University campus, so you name your access point's SSID the same as Duke's, and the iPhone user logs on to your WiFi node.
On your malicious access point, deliver web pages containing the exploit. If you control your own access point, you can build and deliver malicious content.
Security specialists in the States have shown that when a forum website is misconfigured, a user could upload scripts that cause the exploit to run in any iPhone browser that viewed the thread.
In Europe, phone owners are used to getting links or updates via SMS. You can send the exploit via text message and if the iPhone owner accepts it and accepts the installation prompt, you can exploit the iPhone that way.
Even if phishing controls are set higher on the Safari browser on the iPhone, inexperienced iPhone owners are going to stumble onto web content or accept and load "updates" received by text message.
Some basic advice for those who have read this far:
1. Only visit sites you trust. When you visit sites offering "free" things or sites filled with inviting smiles of naked people, you have often clicked into a haven of malicious content.
2. Use trustworthy WiFi networks. If you connect to an unknown WiFi node and accept content through it, you're opening yourself to an exploit.
3. Don't open web links from emails, even when they are sent by people you know. Do not click on any link that ends with EXE.
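The spoofed access point described above works because a network is recognised by its name alone. As an added example (not from the original post or from Dr. Miller's paper), the sketch below checks WiFi scan results against a baseline of networks you trust and flags a familiar SSID that is broadcast by an unknown radio or with different security. The network name, MAC addresses and scan entries are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # network name shown to the user
    bssid: str      # MAC address of the radio broadcasting it
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "open"

# Constructed baseline: what a trusted network looked like when it was
# recorded on-site. The name and addresses are placeholders.
TRUSTED = {
    "CampusNet": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "WPA2-Enterprise",
    },
}

def audit_scan(scan, trusted=TRUSTED):
    """Return (access_point, reasons) for every look-alike of a trusted SSID.

    A clean result is not proof of authenticity, since a BSSID can be
    copied too; a mismatch is a strong signal that the name is being reused.
    """
    findings = []
    for ap in scan:
        profile = trusted.get(ap.ssid)
        if profile is None:
            continue  # not a name we trust, so nothing would auto-join it
        reasons = []
        if ap.bssid.lower() not in profile["bssids"]:
            reasons.append("unknown BSSID")
        if ap.security != profile["security"]:
            reasons.append(
                f"security is {ap.security}, expected {profile['security']}"
            )
        if reasons:
            findings.append((ap, reasons))
    return findings

# Constructed scan: one genuine AP, one look-alike, one unrelated network.
SAMPLE_SCAN = [
    AccessPoint("CampusNet", "00:11:22:33:44:01", "WPA2-Enterprise"),
    AccessPoint("CampusNet", "66:55:44:33:22:11", "open"),
    AccessPoint("CoffeeShop", "AA:BB:CC:DD:EE:FF", "open"),
]

if __name__ == "__main__":
    for ap, reasons in audit_scan(SAMPLE_SCAN):
        print(f"{ap.ssid} [{ap.bssid}]: " + "; ".join(reasons))
```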