David Braue, 10 November 2009, 10:54 PM
It may have just been a bit of fun, but Aussie iPhone virus developer Ashley Towns has opened himself up to criminal penalties under laws banning malicious damage to computers.
Towns, a 21-year-old software developer based in Wollongong, NSW, made worldwide headlines this week after developing Ikee, hailed as the first viable iPhone virus. And while Towns claims it was only done to prove a point about iPhone security, technology lawyer Steve White, principal of White SW Computer Law, believes the developer may have created a real legal problem for himself: "It's highly likely that he could be charged," he says.
A defence that the iPhone was not a computer for legal purposes wouldn't hold water, White warns. "Computer crimes legislation does extend to phones," he explains. "At the end of the day, they're yet another computer parked on a network. The devices were attacked in exactly the same way a computer would be attacked – picking up IP addresses, and scanning for IP addresses [to propagate]. It's my view that a commonsense approach would be taken" in extending existing legislation to cover hacking of phones.
The Commonwealth Cybercrime Act 2001 amended the Criminal Code Act 1995 with a criminal definition for unauthorised access, modification or impairment of data held in a computer. Division 478.1, for example, sets a maximum penalty of two years' imprisonment for "unauthorised access to, or modification of, restricted data" using a telecommunications service.
NSW has its own computer crimes legislation, embodied in Part 6 of the Crimes Act 1900. Section 308D of that legislation provides for up to 10 years' imprisonment for "unauthorised modification of data with intent to cause impairment", for example, while section 308H imposes up to two years' imprisonment for "unauthorised access to or modification of restricted data held in computer".
That would seem to be a clear description of the activity of Ikee, which exploits a weakness in 'jailbroken' iPhones – those which have been modified to allow the installation of non-Apple-authorised applications – to change victims' home screen to a picture of British pop singer Rick Astley. The attack is the latest form of 'Rickrolling', a common Internet joke in which victims are tricked into viewing a video of Rick Astley's song 'Never Gonna Give You Up'. Google made the joke famous by redirecting all views of any YouTube video to the Astley video on April Fools' Day.
Ikee spreads by targeting SSH (Secure Shell), a widely-used application to securely link computers that is often loaded onto jailbroken iPhones by users. Many of those users, Towns argues, forget to change the SSH password from the Apple-set default 'alpine', leaving their devices as sitting ducks for Ikee-like attacks.
After it has dropped its payload, Ikee disables SSH – but not before attempting to spread to other iPhones by pinging random IP addresses managed by Telstra, Optus, and Vodafone. Towns admitted to ABC News Online that his phone had hit "about 100 [other phones] alone but from there I have no idea".
While the threat to most iPhone users is remote – legitimate devices have nothing to fear and many users savvy enough to jailbreak their phones would know to change their SSH password – the attack vector has knocked a chink in the armour that has so far kept smartphones relatively virus-free. Ikee's source code is available online, meaning it is likely to be used as the basis of attacks that are potentially far more damaging.
And as for Towns? Prosecutors have not indicated whether they'll pursue charges against the self-confessed hacker. But by confessing to the attack in public, White says Towns has set himself up to be made an example of.
"It's rare to find [a hacker] who pops up and says 'I did it!'", White explains, referring to often convoluted and ponderous computer crimes investigations. "It was just a bit stupid. It sounds like fun, but just because something seems like fun doesn't mean you should do it."