Charlie Miller claims that shellcode can, indeed, be run on an unmodded iPhone

Apr 17, 2009 07:15 GMT

Renowned Mac hacker Charlie Miller, who has won the CanSecWest Pwn2Own hacking contest two years in a row, has now found what is described as a potential security vulnerability in Apple's iPhone.

According to a NetworkWorld report, the security analyst at Independent Security Evaluators discovered the possible flaw days ago, at the Black Hat Europe security conference. Miller's discovery changes the way the public now views non-jailbroken iPhones, the report outlines.

On a more detailed note, the site reveals that researchers previously believed that running shellcode (code that can run from a command line) on an unmodded iPhone wasn't possible. Thanks to Miller's latest find, security researchers can discard that belief. Moreover, the ability to run shellcode is an important matter, as it may allow a remote hacker to view a person's messages, call history, etc.

Miller said this was exactly what he had found – a way to trick the iPhone into running code that enabled shellcode. However, to run shellcode on an iPhone, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the handset's Safari browser. Miller knows of the vulnerability, but doesn't have the exploit yet.

Still, if someone did, "this would allow you to run whatever code you want," Miller shared in an interview after his presentation. The researcher also noted that he was able to find this vulnerability despite the strengthened security in the latest iPhone OS version.

This is not the first time (and probably not the last) that Miller and his colleagues have found a flaw in the iPhone OS. In 2007, the brilliant hacker reported a vulnerability in the mobile version of Safari, prompting Apple to issue a patch.

For its part, the news source also points out the significance of Miller's find, as such an exploit would compromise unaltered versions of the iPhone, as sold by Apple. Generally, jailbroken iPhones are considered prone to such attacks, while non-modified iPhone OS versions should be more secure. Turns out, they're not.