Connect with Fast Company

While researching Fast Company's December/January cover story I ran across a startling claim: some computer security professionals were boasting that they could turn an iPhone into a piece of spyware that can intercept a target's voice mail and e-mail, hijack its Safari browser, and even surreptitiously record conversations, all without the owner's knowledge. H D Moore, Director of Security Research for BreakingPoint Systems, even posted a detailed primer. Given Apple's own marketing, which boasts that Macs are more secure -- and more virus-resistant -- than PCs, the fact the iPhone could be hacked seemed newsworthy.

Of course, the Web is rife with braggadocio, and just because a few computer engineers could gin up an obscure software exploit or two didn't mean anyone had actually unleashed any. Still, my editors and I wondered just how vulnerable is the "Jesus Phone" to an unscrupulous hacker? Could it really be turned into a tool of espionage?

So we purchased an iPhone for Rik Farrow, a UNIX specialist and consultant from Sedona, Arizona, and commissioned him to crack through its defenses, which he did using H D Moore's Metasploit, a popular platform for testing security systems. The result is this video, in which Farrow was able to take complete control of an iPhone and demonstrate the ability to eavesdrop on conversations, intercept voice mail and e-mail, and upload nefarious software programs. "Physical access to an iPhone," Farrow points out, "is not required." Although in Farrow's demo the Wi-Fi was turned on -- common enough for iPhone users, since AT&T's EDGE network makes Web surfing slow and laborious -- Moore says his exploit can work on EDGE, too.

Now, our lawyer would like us to emphasize that Farrow was careful not to offer a cookbook, or how-to guide, on how to hack Apple's touch screen marvel. He just showed what was possible. And we would also like to point out that the iPhone is no worse from a security perspective than other smartphones. Most, including those made by Motorola, Nokia, Samsung, and Sony Ericsson run on the Symbian operating system, which has been targeted by dozens, if not hundreds, of viruses (it's hard to know just how many). Windows Mobile and Linux, which have scant mobile market share, are also vulnerable to digital influenza. The more these devices can do, the more complex their software systems become, the more attack surfaces they offer.

As for the iPhone, however, Apple engineers have made it easier to attack by running all software applications as "root," which means they offer the same full-system privileges. Locate a security flaw in one -- say, e-mail or the Web browser -- you can control them all. Standard security protocol dictates providing layers of protection to guard against this, which the iPhone does not. Farrow believes the most likely explanation for that is Apple's rush to get the device to market -- and it is true that Steve Jobs pulled engineers off the development of the company's new Leopard operating system to hurry the iPhone along.