New remote attack leaves iPhones vulnerable



04 February 2010 @ 01:23 am AEST

An attacker is able to create his own trusted certificate and entice users into downloading malicious files, thanks to several flaws in the way that the iPhone handles digital certificates.


An Apple iPhone 3GS and an Apple Macbook Pro are shown at the Apple retail store in San Francisco, California July 21, 2009. Apple Inc posted a quarterly profit that blew past Wall Street forecasts thanks to strong sales of Mac computers and improved margins, sending its shares up more than 3 percent on Tuesday. REUTERS/Robert Galbraith (UNITED STATES BUSINESS SCI TECH)

The attack is the end result of a number of different problems with the way that the iPhone handles over-the-air provisioning, trusted root certificates and configuration files. The result is that a remote hacker may be able to change some settings on the iPhone, direct all of the user's Web traffic to a malicious site, and change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from the iPhone.

Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone.

"It definitely works. I downloaded the file and ran it and it worked," Miller said. "The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified."

A real-world attack might involve the attacker enticing the user into clicking on a malicious URL, either in an email or on a site, that leads to a site where the configuration file is downloaded. The user would see a dialogue box asking him whether he's sure he wants to install the file. If he accepts, the file downloads and takes whatever action is contained in the configuration profile.

The attacker would not have the ability to run code on the iPhone, but he could take any number of other actions, according to Miller.

"You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file," Miller said. "At the very least, you can make someone's day miserable."
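For defenders reviewing a configuration profile before it is installed, the following added example (not from the article or from Apple) audits a profile for the three effects described above: a certificate payload, proxy settings, and a profile the user cannot remove. It assumes an unsigned plist (a signed profile is CMS-wrapped and must be unwrapped first), uses key names from Apple's configuration profile format, and treats any key containing "proxy" as a heuristic match.

```python
import plistlib

# Payload types that add certificates to the device's trust store.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def proxy_settings(node, path=""):
    """Heuristic: collect scalar keys mentioning 'proxy' that carry a real value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if "proxy" in key.lower() and not isinstance(value, (dict, list)):
                if value not in ("", "None", None, False):
                    hits.append((here, value))
            else:
                hits.extend(proxy_settings(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(proxy_settings(item, f"{path}[{i}]"))
    return hits

def audit_profile(data: bytes):
    """Return human-readable findings for one unsigned .mobileconfig plist."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in CERT_PAYLOAD_TYPES:
            name = payload.get("PayloadDisplayName", "?")
            findings.append(f"installs certificate ({ptype}): {name}")
        for where, value in proxy_settings(payload):
            findings.append(f"sets proxy {where} = {value}")
    return findings

# Constructed sample input: placeholder values only, not a working profile.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"placeholder-not-a-real-certificate"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-net",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
    ],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```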

This article is copyrighted by Ibtimes.com.au.
