It wasn't long after Apple released the iPhone in June that researchers discovered that every application on the device -- from the calculator on up -- runs as "root," i.e., with full system privileges. As a result, a serious vulnerability in any of these applications would allow hackers to gain complete control of the device.
With the limited bandwidth of the iPhone, malicious code would be unlikely to slow portions of the internet. But malware could wreak creative havoc of a different kind. It might, for example, cause a phone to call numbers without the user's knowledge, seize text messages and a list of received and sent calls, turn the phone into a listening device, track the user's location through nearby WiFi access points, or instruct the phone to snap photos of the user's surroundings -- including any companions who may be in view of the camera lens.
Microsoft has been roundly criticized for years for releasing early versions of its Windows operating system with administrative privileges automatically enabled. This gave hackers who gained access to Windows machines complete privileges to modify the operating system and take control of the machine.
It took a while for the company to get the message, but Redmond finally closed the hole with its Vista operating system this year, which included a User Account Control feature to control the level of privileges required for various functions on a Vista machine.
" I guess Apple hadn't learned those lessons and is now going to learn them the hard way," says Geer,vice president and chief scientist at security firm Verdasys.
Charlie Miller,principal security analyst for Independent Security Evaluators says that Apple will need to redesign the entire firmware to fix the problem -- which would require owners to install a pretty hefty update.
"If you start from the beginning with security in mind and you design your product thinking about security as you go, it's not really any harder to design a secure product than an insecure product," he says. "Once you've already got it out in everyone's hands, it's a little harder to go back and add security. And that's really what they need to do at this point."
