This short article details how the attack works.

Enabling the passcode lock on your iPhone is, for now, not enough to prevent someone using your device and adding to your bill!
This should worry you if your concerned about iPhone security.

How the vulnerability works

1. Hit “emergency call”
2. Type in a random number.
3. Hit the call button.
4. Shortly after, press the lock button on top of the phone.
4.1 That’s it! Your now an uber l33t haxor -_-

This isn’t a major security risk (yet) as full access to the phone’s operations isn’t granted, but it does point out yet another fundamental flaw in Apple’s iPhone software.
Let’s hope the team working on security for iOS have a good look through the crappy code their producing to iron out any more surprises.

The video below shows how simple and quick this can be.

There is no fix for this hack yet and will probably only be patched on the next iOS update, 4.2.
If you use an iPhone with iOS version 4.1 the only real way to keep it safe is to be careful who you let use it.

This article covers what the risks are and how to prevent this type of attack…

The latest wave of iPhone attacks have revolved around one primary issue: Jail broken iPhones.
A simple explanation of Jail breaking is quoted from Wikipedia

Jailbreaking is a process that allows iPhone and iPod Touch users to run unofficial code on their devices bypassing Apple’s official distribution mechanism, the App Store. Once jailbroken, iPhone users are able to download many applications previously unavailable through the App Store via unofficial installers such as Cydia, Rock App, Icy, and Installer. Cydia is preferred by the community, while Rock App has a small catalog of mainly paid apps. Icy and Installer are officially unsupported by their developers and rarely used. Cydia founder Jay Freeman estimates that 4 million (out of 40 million) iPods and iPhones are jailbroken.[1] A jailbroken iPhone or iPod Touch is still able to use and update apps downloaded and purchased from Apple’s official App Store.

Jailbreaking is distinct from SIM unlocking, which is the process by which a mobile device is made compatible with telephone networks with which it was not specifically licensed to be used. Jailbreaking, while not illegal, gives a user the option to install cracked (pirated,) apps, which is illegal. Jailbreaking voids Apple’s warranty on the device.

The iPhone trojan attacks started as silly “Rick Rolling” hacks, but quickly turned into fully fledged bank phishing software!

These trojans will only effect you if you have Jail broken your iPhone to work with unofficial software and games and have not changed the default SSH account created by “unlocking” your iPhone.

The most harmful trojan is currently known as “iPhone firmware 1.1.3 prep”, or “113 prep”.
It is written in Python and allows hackers access to the victim’s device from a computer running Windows, OSX/Unix and Linux. Nearly any data stored on the iPhone can be stolen and this trojan allows them to do just about anything with the stolen data.

Just think if this malware accessed your messages, bank account, paypal account, or other apps containing sensitive information.
It could very easily turn nasty.

Below is a simple guide on how to prevent this happening…

Secure Your iPhone’s SSH Password!

Here’s how to change default SSH password on a jailbroken iPhone :

1. Make sure you have Cydia installed on your jailbroken device. If you don’t already have MobileTerminal installed, launch Cydia and tap the ‘Search’ tab in the bottom navigation bar.

3. Navigate to the newly installed ‘MobileTerminal’ application and tap to open.

4. In MobileTerminal, type ’su root’ and tap return. It will ask you for a password, enter “alpine” and tap return again.

5. Now, type “passwd” and then tap return. Type in a new password such as “secret” (but not a word in the dictionary!) and tap return. Retype the new password to confirm and then tap return one last time to change the password.

6. Now, your SSH password will be changed and your device will be protected against any future hacks that use SSH to access your device.