* Apple has not issued patch to fix vulnerability - experts
* Researchers say publicizing flaw to warn users of risk
(Adds analyst comment, Android flaw, background)
By Jim Finkle
LAS VEGAS, July 30 Security experts have
uncovered flaws in Apple Inc's (AAPL.O) iPhone that they said
hackers can exploit to take control of the popular device,
using the tactic for identity theft and other crimes.
Users need to be warned that their iPhones are not entirely
secure and Apple should try to repair the vulnerability as soon
as possible, they said at the Black Hat conference in Las
Vegas, one of the world's top forums for exchanging information
on computer security threats.
"It's scary. I don't want people taking over my iPhone,"
Charlie Miller, a security analyst with consulting firm
Independent Security Evaluators, said in an interview.
Miller and Collin Mulliner, a Ph.D. student at the
Technical University of Berlin, also discovered a method that
allows hackers to easily knock a victim's iPhone off a carrier's
It prevents users from making calls, accessing the Internet
and exchanging text messages, they added.
They said the information they presented at Black Hat will
give criminals enough information to develop software to break
into iPhones within about two weeks.
They said they warned Apple of the flaw in the middle of
July, but that the company has yet to fix it.
"Apple's credibility and reputation could get hurt if they
don't respond. Positive buzz is good; negative buzz is much
more harmful," said Trip Chowdhry, an analyst with Global
About 4,000 security professionals were in attendance,
including some who are really hackers. While experts ferret out
software flaws to fix them and protect users, hackers use the
same information to devise pranks or commit crimes.
The researchers showed the audience how to break into
iPhones by sending computer code via the phone's SMS system.
Mobile phones use SMS to send and receive text messages along
with software upgrades. They said that the phone's users cannot
detect that it is receiving the malicious code.
It is not illegal to disclose ways to hack into computer
systems, though it is against the law to use it to break into
When asked why they would hand over such information to
criminals, security experts said they felt it was necessary to
alert the public that iPhones were just as vulnerable to attack
as personal computers.
"If we don't talk about it, somebody is going to do it
silently. The bad guys are going to do it no matter what,"
They have successfully tested the hacks on iPhones running
on networks of four carriers in Germany along with AT&T Inc
(T.N) in the United States. They said they believed the methods
will work with iPhone carriers around the world.
The two said they used a similar method to break into
phones running on Google Inc's (GOOG.O) Android operating
system. Google patched the flaw after they notified the company
of the vulnerability.
Apple officials could not immediately be reached for
(Reporting by Jim Finkle; Additional reporting by Gabriel
Madway; Editing by Richard Chang and Tim Dobbyn)