A German agency has warned of potentially serious security problems in several versions of Apple's iPhone, iPad, and iPod touch devices. Apple is aware of the problem, but the company hasn't yet said when it will fix it.
iPhone users may not be able to smile away their security concerns
The Federal Office for Information Security (BSI) said in a statement on Wednesday that Apple's mobile operating system has "two critical weak points for which no patch exists."
The Bonn-based agency said that due to the flaws in the iOS operating system, "opening a manipulated website or a PDF file could allow criminals to spy on passwords, photos, text messages, e-mails and even listen in to phone conversations."
"This allows potential attackers access to the complete system, including administrator rights," it added, urging users not to open PDF files on their mobile devices and only use trustworthy websites until Apple publishes a software update.
The warning relates to iPhones using iOS versions 3.1.2-4.0.1., iPads using iOS 3.2-3.2.1 and iPod touches using iOS 3.1.2.-4.0.
BSI said it was not clear whether older iOS or iPhone OS versions could also be affected.
While using their mobile devices, users should not only stay clear of PDF files they get via e-mail, but also of those found via search engines, as they could be infected too, BSI said.
The agency said it had been in contact with Apple concerning the issue.
A worm in the near future?
A spokesman for Apple Germany, Georg Albrecht, told the Associated Press that the company is looking into the matter.
"We know these reports and are investigating them," he said, refusing to elaborate.
Apple CEO Steve Jobs introduced the new iPhone 4 at a conference in June
Some media reports quoted an Apple spokesperson as saying that the company had developed a fix, which would become available to customers along in an upcoming software update. But is that good enough for iPhone and iPod users?
"The key piece of information we are missing is when will the update come?" said Graham Cluley, senior technology consultant at Sophos, a UK and US-based developer and vendor of security software and hardware, in an interview with Deutsche Welle. "We just have to hope that the update will be soon rather than months away."
"The other thing is how many hackers will exploit this flaw. If we really begin to see hackers exploiting this flaw, then it will be even more urgent that we see an early patch coming from Apple."
Will other hackers follow suit?
While acknowledging that no attacks have been observed yet, BSI warned that "it has to be expected that hackers will soon use the weak spots for attacks."
The agency noted that the devices' popularity could lead to attacks within the corporate world, possibly leading to aiding industrial espionage.
Most analysts weren't really surprised by news of the security flaws.
"Although we didn't know about this particular flaw, we all thought that it was most likely that the iPhone would be targeted via the browser," Cluley said. "We thought the browser, which is mobile Safari, has been the weak link."
Mikko Hypponen, chief research officer at Helsinki-based computer security firm F-secure, agrees that the "vulnerability is definitely something to worry about."
While pointing out "that there is no immediate danger as there are no known attacks at the moment," Hypponen told Deutsche Welle in an e-mail. "This could change at any moment, and there's still no patch available."
However, he said that hackers may take advantage of this vulnerability soon.
"I'm guessing we'll see some sort of an iPhone worm within a week," he said.
The BSI warning relates to iPads as well as iPhones and iPods
Jailbreak revealed loopholes
The security loophole came to the fore after a new "jailbreaking" website, JailbreakMe.com, revealed the flaw over the weekend. Jailbreaking is a process that allows iPhone, iPad and iPod Touch users to run third-party unsigned code on the devices, instead of only Apple-authorized software.
Sophos' technology expert Cluley said it's ironic that this particular flaw was brought to light via a jailbreaking website.
"Certainly something Apple don't really approve of is jailbreaking – them doing that which is relatively benign, has opened the door and given the idea potentially to other hackers to exploit it for malicious reasons," he said.
Stressing that "we haven't seen malicious attacks using this vulnerability yet," Cluley warned that "it would effectively put iPhones in a similar camp to Windows users. So just visiting a website on your iPhone could initiate malicious code to run on your iPhone."
Earlier this year, the German government had warned of the risk of having computers infected via Microsoft's Internet Explorer owing to security gaps in the operating systems.
However, Cluley added that it's not absolutely essential for governments to warn people about such threats given that there are adequate warnings in the media.
"People will make up their own minds about what sort of action to take about it," he said.
Author: Ranjitha Balasubramanyam
Editor: Cyrus Farivar