Max Moser (and Lothar!) has posted a video and discussion on basically auto-pwning an iPhone. In essence, when connecting to a wireless network like a hotspot that requires you to first hit a landing page, the iPhone will helpfully automatically pop up a Safari browser window to that landing page. Let’s just say you better pray the landing page wasn’t karmetasploit in waiting. (Karma grabs you with its network, and Metasploit delivers the web payload.)
While this is amusing, one argument Apple may make (if they even bother to make one) is the iPhone is just doing automatically what the user would do anyway: open a browser window. However, this becomes really bad when the user only accidentally clicked the wrong network to join (an oops-auto-pwn) or the attacker is spoofing a legit-sounding network. (Gotcha!)
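One defensive check that follows from the Karma half of this: Karma answers probe requests for whatever SSID a client asks about, so a single rogue BSSID ends up sending probe responses for many unrelated network names, while a legitimate AP answers only for the SSIDs it serves. Below is an added detection heuristic over constructed frame summaries (example code, not from Max’s video or any tool mentioned here); the log format, the sample BSSIDs and the threshold are all assumptions.

```python
# Added example: flag KARMA-style access points by counting how many distinct
# SSIDs each BSSID has answered probe requests for. Constructed input; a real
# deployment would feed this from a wireless monitor (e.g. a pcap parser).
from collections import defaultdict

# Assumed log format: (frame type, transmitter BSSID, SSID). Constructed sample:
# one honest AP serving a single network, one rogue answering for everything.
SAMPLE_FRAMES = [
    ("beacon",     "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop-Guest"),
    ("probe_resp", "de:ad:be:ef:00:01", "linksys"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "AirportFree"),
    ("probe_resp", "de:ad:be:ef:00:01", "attwifi"),
]


def ssids_per_bssid(frames):
    """Map each BSSID to the set of SSIDs it has sent probe responses for."""
    seen = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "probe_resp" and ssid:
            seen[bssid].add(ssid)
    return seen


def suspect_karma_aps(frames, threshold=3):
    """Return BSSIDs that answered probes for at least `threshold` distinct SSIDs.

    The threshold is an assumed tuning value: enterprise APs may legitimately
    advertise a few names, so pair this with an allowlist of known BSSIDs.
    """
    by_bssid = ssids_per_bssid(frames)
    return sorted(b for b, s in by_bssid.items() if len(s) >= threshold)


if __name__ == "__main__":
    by_bssid = ssids_per_bssid(SAMPLE_FRAMES)
    for bssid in suspect_karma_aps(SAMPLE_FRAMES):
        print(f"suspect {bssid}: answered probes for {sorted(by_bssid[bssid])}")
```

On the sample data only the rogue BSSID is reported; the honest AP answers for one SSID and stays below the threshold.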
Most people I know don’t give a thought to the security of their cell phones, even though they may give some thought to it for their laptops. It doesn’t seem to be sinking in yet that something like the iPhone is more akin to a laptop than a phone.