ATLANTA -- You'll want to read this story. Your security could depend on it. The popular iPhone has won praise over its resistance to hackers but Georgia Tech researchers have revealed you can still be vulnerable.
We keep a lot of information stored in our phones - to make calls, stay connected, store photos, bank and shop. It's all contained within many apps. However, Georgia Tech research scientist Billy Lau says it can be hacked.
"There are ways for people to install apps on your iPhone, or anyone's iPhone, without going through the app store," Lau said.
Only approved apps can run on iPhones, but Lau demonstrated how hackers, using the procedures Apple provides for app developers to test apps on real devices, could circumvent that process.
"Anyone can sign up and become an iOS developer, including you and I," he said.
Lau and his team, at Georgia Tech's Security Information Center, made a malicious app look like Facebook and hid the malware code to get an initial security certificate.
After gaining Apple's initial approval for testing, the app was downloaded to an iPhone. Like Lau, hackers could now introduce the app to an iPhone.
"And it is charging," Lau said, as the iPhone was plugged into their USB charger that was connected to a motherboard.
The malicious app could be introduced through a rogue public USB charger, disguised as a normal iPhone or iPad charger but connected to a hidden computer.
Lau says nothing will happen as long as you don't unlock your password-protected phone while it's charging.
"If it's unlocked even for a second or less than a second, the attack commences," Lau pointed out.
When they unlocked the phone for the demonstration, the Trojan app went to work.
A minute later, he launched what looked like the Facebook app on the phone, but it was their Trojan app that took over, giving him remote control of the phone and letting him see everything the user could see, passwords and all. He was able to remotely place a call from the phone and had the ability to eavesdrop on one.
"The possibilities are really endless. It can steal your banking credentials," Lau said.
The solution - don't unlock your phone while charging. Apple has also updated its software to warn you when you plug into an unknown USB public charging station, asking first whether you trust it.
Okay, you've plugged into a public USB charger before and want to be sure you're not compromised. What do you do?
"You go to settings, then you need to go into general and then you need to search for the profiles," Lau demonstrated.
If you see an unknown profile installed on your phone, you could have been hacked. If it's a company iPhone, you should check with your IT department to see which profiles are legitimate.
Georgia Tech reached out to Apple to get this fixed. We should also point out that the researchers say their malicious app would not have survived Apple's full review process, which it would need to pass to be available in the App Store, even though it got initial testing approval.