Sure, we had a rather irritating “iPhone Rickrolling” issue a few months back, but that wasn’t all that harmful, not to mention you needed to jailbreak your iPhone and not change the default password for SSH to make it work. Now a more serious exploit has surfaced, involving security certificates. The iPhone allows settings and configuration files to be installed over-the-air through Safari, which is mainly used by enterprise businesses to setup a whole lot of iPhones in a short period of time. In order to install this, the user must confirm the installation manually, and you’ll be able to verify who the installation is coming from, thanks to a security certificate. The problem is, the latest reports indicate that hackers are able to make the configuration file report back as “Verified”, not to mention it can be indicated as if the file came from “Apple Computer”.
When you piece those two bits together, it should be fairly easy with to trick users into installing the update from a malicious website. Once installed, it could reconfigure your iPhone settings to redirect all traffic through a server of their choosing. It can also fiddle with your Wi-Fi and email settings; disable Safari, Mail and a whole bunch of other stuff on your iPhone. The worst part is that it can also be set that once installed, it can’t be removed, meaning you’ll have to reset the phone to get it off.It’s certainlyscary, so do be careful if and when you ever install a configuration setting.