iPhone security: Experts compromise email names and passwords over WiFi
A team of researchers has successfully compromised the security that protects sensitive data being transferred over WiFi networks on four phones: the Nokia N95, Windows HTC Tilt, T-Mobile G1 Android and Apple iPhone 3GS.
A team from SMobile Systems managed a “man-in-the-middle” exploit, in which communications on an unsecured wireless network are intercepted, re-routed, and used to enable or disable connections and to replay and view communications between the systems.
Using the hacker’s toolkit of Arpspoof and SSLStrip, the researchers succeeded in gaining access to email user names and passwords by breaking into the SSL encryption on the devices.
On the iPhone 3GS, the researchers obtained the email user name and password through an SSL bypass attack, both when email was accessed through the Safari web browser and when it was accessed through the Mail app.
“Targeting a smartphone’s mailbox, web browser or email application, the testers were successful in getting email login credentials for all four devices,” reports ITPro.
The researchers warn, “the use of public WiFi hotspots should be approached with caution and care should be taken that confidential or private data is adequately encrypted, when it becomes necessary to access such data.”
They urge users to ensure they use trusted and secure WiFi networks in order to keep safe, and warn that smartphones should be equipped with enterprise-scale security counter-measures to protect corporate data.
The report is available in full here (PDF)
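The interception described above relies on ARP cache poisoning (the job Arpspoof does), and that leaves a trace a client can check for: the gateway's IP address suddenly resolves to a different MAC, usually one already used by another host on the network. The following Python code is an added example, not taken from the SMobile report or the original article; it compares two snapshots of Linux `arp -an` output, and all addresses and function names in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux `arp -an` lines such as:
#   ? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output; <incomplete> entries are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def arp_anomalies(baseline, current, gateway_ip):
    """Compare two ARP snapshots and list signs of ARP cache poisoning."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    # Sign 1: the gateway's MAC is not the one recorded earlier.
    if old and new and old != new:
        findings.append(("gateway_mac_changed", gateway_ip, old, new))
    # Sign 2: the gateway's MAC is also claimed by another IP on the LAN.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("mac_shared_with_gateway", mac, sorted(ips)))
    return findings

# Constructed sample snapshots (assumed gateway: 192.168.1.1).
BASELINE = """\
? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
? (192.168.1.23) at 02:00:00:00:00:aa [ether] on wlan0
? (192.168.1.7) at <incomplete> on wlan0
"""
POISONED = """\
? (192.168.1.1) at 02:00:00:00:00:aa [ether] on wlan0
? (192.168.1.23) at 02:00:00:00:00:aa [ether] on wlan0
"""

if __name__ == "__main__":
    before, after = parse_arp_table(BASELINE), parse_arp_table(POISONED)
    for finding in arp_anomalies(before, after, "192.168.1.1"):
        print(finding)
```

A changed gateway MAC can also be a legitimate router replacement, so treat a finding as a reason to stop sending credentials over that network until it is explained.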
Comments (5)
VPN is always a good idea. And even then, you have to trust who you VPN into.
Amen to that.
And grow up to whoever thumbs downed your comment. There's absolutely no reason to thumbs down that one. Seems like there are folks on here who thumbs down just to be negative for negative's sake; silly children.
They could be "thumbs downing" all the smart phone manufacturers who sell us this stuff with no protection or detection method. Now I need to look to see if the App store has anything available to check for this stuff.
Possible of course because not only do the phones not check the certificate (no UI for it) they don't check if it's suddenly changed either...
You have no idea who set up the wifi at public places. I tend to trust AT&T at Starbucks, but that is about it. Even then, an employee could set it up so he is gathering your credentials. I doubt there is a lot of technical expertise at coffee shops and restaurants to catch such a scheme. I certainly don't do anything financial or log into anything important over public wifi.
It sounds like they read the user information sent automatically by the phone's Mail program when retrieving mail. That is scary. I may stick to 3G entirely.