Apple patching nasty iPhone SMS vulnerability
Given the hype surrounding Apple's iPhone, we're actually surprised that we haven't seen more holes to plug over the years. In fact, the last major iPhone exploit to take the world by storm happened right around this time two years ago, and now -- thanks to OS X security expert Charlie Miller -- we're seeing yet another come to light. Over at the SyScan conference in Singapore, Mr. Miller disclosed a hole that would let attackers "run software code on the phone that is sent by SMS over a mobile operator's network in order to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet." Charlie's planning to detail the vulnerability in full at the upcoming Black Hat conference, but Apple's hoping to have it all patched up by the end of this month.
[Via HotHardware]
Reader Comments (Page 1 of 3)
Josh @ Jul 2nd 2009 1:04PM
feel free to spy on my boring ass work meetings
Quantumphysics @ Jul 2nd 2009 1:10PM
APPLE should be patching the lag in 3.0.
Unless you have a 3GS, 3.0 runs like crap on the iPhone3G.
grimm2420 @ Jul 2nd 2009 1:17PM
@Quantumphysics
I second that.. my 3G runs like crap since I've upgraded to 3.0. Maybe Apple thinks they can force everyone to upgrade to the 3GS if they slow down the old ones enough..
marty @ Jul 2nd 2009 1:21PM
lol, just stop complaining and upgrade to the 3GS...
smak @ Jul 2nd 2009 1:30PM
Lol marty, that's a very practical solution for all of us. STOP BITCHING AND GO SPEND $400.
Thanks for the advice!
Johnny @ Jul 2nd 2009 2:02PM
That's odd because anyone I know with a 3G said theirs got faster with the upgrade.
Funke, Tobias Dr. @ Jul 2nd 2009 2:03PM
3.0 behaves like a beta release in far too many ways. Apple has some nerve to charge iPod Touch owners (not me) for almost downgrading their devices. I can't wait for 3.1.2!
Quantumphysics @ Jul 2nd 2009 2:03PM
You don't know me.
a @ Jul 2nd 2009 2:22PM
It's OK - I'll just take the battery ou.... Oh yeah.
Faraday cage iPhone case, anyone??? :)
Sahil @ Jul 2nd 2009 2:37PM
I just upgraded to the 3GS from 3G, could not stand the lag on my 3G after 3.0 update.
chumanfu @ Jul 2nd 2009 3:48PM
upgrade to 3.1 its much faster plus you can send pictures!
Ellianth @ Jul 2nd 2009 4:00PM
Wait... Engadget's comment system allows 2 users to use the same name?
I knew this thing was shit, but wow! How could that have ever seemed like a good idea?
patriotsn1 @ Jul 2nd 2009 4:32PM
"you've been reported douche bag"
Pot, meet kettle...
Markarian @ Jul 2nd 2009 4:41PM
Unfortunately, I usually do my upgrades according to DevTeam's schedule. So I'll have to just hope this exploit stays theoretical until then.
dziban303 @ Jul 2nd 2009 1:06PM
Zzz.
K @ Jul 2nd 2009 1:36PM
Don't read it then, moron.
Kris @ Jul 2nd 2009 1:07PM
Wow, how do you even have a vulnerability like this? It's SMS! That's just shoddy programming right there.
AroSlg @ Jul 2nd 2009 1:17PM
Shows what you know. Network operators use SMS to configure phone settings. On phones that do not understand the settings, you just get garbled text. Try it. Put your iPhone sim card in a plain ol' GSM phone and have someone leave you a voice mail. You will get the voicemail ding on the ol' phone as well as an SMS settings text - this is the text that notifies iPhones you have a new visual voicemail.
Jagster @ Jul 2nd 2009 1:27PM
@AroSlg
It doesn't matter that operators use SMS for backend settings. How often does a carrier turn on your camera or microphone? Apple knows what the SMS messages are used for since they wrote the interface and they should have put measures in place so that SMS only allowed valid command syntax. You're trying to excuse Apple here when they have no excuse.
SimbaDogg @ Jul 2nd 2009 1:32PM
@Jagster
agree w/ you 100%, there's no justification for something like this...
patriotsn1 @ Jul 2nd 2009 1:32PM
Well, come on now, according to Engadget, Apple is STILL awesome because "there haven't been more holes to plug"! Kudos Apple for only having a few privacy invading security holes. I think Engadget + Apple = love conspiracy theories are as ridiculous as the next guy, but to start off this article the way they did is just ridiculous.
redcard @ Jul 2nd 2009 1:36PM
Jagster, there's a flaw in some piece of code? Like that never happens.
redcard @ Jul 2nd 2009 1:37PM
SimbaDogg, how do you know there's no justification? Maybe there is, but you don't have the technical knowledge to think what it may be.
Think that could be right?
KyleW @ Jul 2nd 2009 1:47PM
@Jagster
I agree. It really sounds like a bad programming decision. I can't really picture someone writing code for SMS that could possibly control the phone other than telling you "THIS MEETING SUCKS LOLZ" and not thinking what would happen if someone manipulated it.
deanb @ Jul 2nd 2009 1:49PM
@redcard - there isn't really any justification, they have a phone that is vulnerable to a simple SMS hack. Kinda major oversight there, how many other phones do you know that have issues with being hacked by SMS?
KyleW @ Jul 2nd 2009 2:00PM
Actually I just thought of this. I wonder if it has something to do with MobileMe's Find My iPhone or whatever. That's probably why the vulnerability is there and probably how it works.
redcard @ Jul 2nd 2009 2:09PM
deanb, think this is the first time it has happened?
How about this post from 2006?
http://www.noeman.org/gsm/trash-section/15714-mobile-phone-hacking-via-sms-etc.html
How about this from 2007?
http://www.gizmowatch.com/entry/an-incredible-diy-mod-hack-your-camera-phone-through-a-sms/
How about this from April?
http://www.maximumpc.com/article/news/sms_hack_could_hijack_cell_phones
Chris @ Jul 2nd 2009 2:36PM
It's not likely to be the SMS that's doing it but the code behind it - when you get an SMS the application will store it in a buffer, manipulate it, figure out who it was from and much more - any step could have a buffer overrun or such.
How do you think IE gets exploited? It's not just HTML an such - everything ends up in memory at some point, if it's in the wrong place then it may be exploitable
just because this is in SMS doesn't mean it couldn't be elsewhere - just that the other apps don't manipulate the data in the same way
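The comment above describes the general failure mode (a message parser that copies network-supplied data into a buffer without checking lengths), and the article itself does not say how Miller's bug actually works. The following is an added illustration of that general pattern only, written for this page; it is not Apple's code and not the disclosed vulnerability. The one-byte-length-plus-text "PDU" layout, the 64-byte tail region and the canary value are assumptions made to keep the demo self-contained; the 160-byte text limit is the single-part GSM 7-bit message size. The whole slot is one flat array so the over-long copy in the unchecked variant lands in the tail region rather than in undefined memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (an assumption for this example, not the real SMS-DELIVER
 * layout): the "PDU" is one user-data-length byte (UDL) followed by that many
 * bytes of text.  A real PDU carries SMSC, sender and timestamp fields first
 * and the UDL counts septets for 7-bit text, but the trust problem is the
 * same: the length comes from the network, not from the handset. */
#define SMS_TEXT_MAX 160        /* longest single-part GSM 7-bit message */
#define SLOT_TAIL     64        /* stands in for whatever follows the buffer */
#define SLOT_SIZE    (SMS_TEXT_MAX + SLOT_TAIL)

/* A slot models one stored message: a 160-byte text area followed by a tail
 * region representing neighbouring data.  The tail is filled with a canary so
 * a caller can tell whether a copy ran past the text area. */
static void slot_init(unsigned char slot[SLOT_SIZE]) {
    memset(slot, 0, SMS_TEXT_MAX);
    memset(slot + SMS_TEXT_MAX, 0xA5, SLOT_TAIL);
}

/* 1 if the canary bytes after the text area are untouched, else 0. */
static int slot_tail_intact(const unsigned char slot[SLOT_SIZE]) {
    for (size_t i = SMS_TEXT_MAX; i < SLOT_SIZE; i++)
        if (slot[i] != 0xA5) return 0;
    return 1;
}

/* Vulnerable pattern: the UDL byte is trusted as the copy length.  Returns the
 * number of bytes copied.  The caller must guarantee pdu_len >= 1 + pdu[0];
 * this example only ever calls it that way, so the out-of-bounds WRITE into
 * the tail is shown without also performing an out-of-bounds READ. */
static int sms_copy_user_data_unchecked(const unsigned char *pdu, size_t pdu_len,
                                        unsigned char slot[SLOT_SIZE]) {
    if (pdu_len < 1) return 0;
    size_t udl = pdu[0];                 /* attacker-controlled, 0..255 */
    /* BUG: no check that udl <= SMS_TEXT_MAX; a UDL of 200 writes 40 bytes
     * past the text area into whatever sits after it. */
    memcpy(slot, pdu + 1, udl);
    return (int)udl;
}

/* Hardened version: every length taken from the message is checked against
 * both the destination buffer and the number of bytes actually received. */
static int sms_copy_user_data_checked(const unsigned char *pdu, size_t pdu_len,
                                      unsigned char slot[SLOT_SIZE]) {
    if (pdu_len < 1) return -1;
    size_t udl = pdu[0];
    if (udl > SMS_TEXT_MAX) return -1;   /* claims more than a message can hold */
    if (udl > pdu_len - 1) return -1;    /* claims more than arrived (truncated PDU) */
    memcpy(slot, pdu + 1, udl);
    return (int)udl;
}

int main(void) {
    unsigned char slot[SLOT_SIZE];
    unsigned char bad[1 + 200];          /* constructed input: UDL=200 then 200 'A's */
    bad[0] = 200;
    memset(bad + 1, 'A', 200);

    slot_init(slot);
    sms_copy_user_data_unchecked(bad, sizeof bad, slot);
    printf("unchecked: tail intact = %d\n", slot_tail_intact(slot));   /* 0 */

    slot_init(slot);
    int r = sms_copy_user_data_checked(bad, sizeof bad, slot);
    printf("checked:   result = %d, tail intact = %d\n", r, slot_tail_intact(slot)); /* -1, 1 */
    return 0;
}
```

The second check in the hardened variant matters as much as the first: a UDL that is within the 160-byte limit but larger than the bytes actually received would make the parser read past the end of the incoming message, which is the same class of bug in the other direction.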
Ryujin @ Jul 2nd 2009 3:37PM
@redcard
Which supports someone else's reasoning on why this simple hack was left unchecked if it's a known problem with other phones.
adrian @ Jul 2nd 2009 4:05PM
@KyleW,
No, the MobileMe service functions over the data connection. This is probably the same as any other hack, meaning the hacker is able to run his own code on the main processor via a flaw in the SMS handling protocols. And as you know, the processor controls everything.
iRoc @ Jul 2nd 2009 5:57PM
No way this is how most of your apps get and send information. It's also how Apple uses the "Apple Killswitch" This is not a new vulnerability. Apple built this in, and has been discussed long before this. This person just brought it into the public realm.
@sweet greggo it's not that no one cares that there are few iphone hacks or Mac hacks even it's because those that write the viruses usually write them on macs as part of their twisted love affair with Apple. :(
People have been steadily trying to hack into everyone's iPhone since day one. Jailbreak and install Veency and see how many attacks you get an hour. It's disgusting how many attempts to gain entrance into your device you will see. Veency makes it possible to see the attacks because it will not allow a connection without on-device approval, but the attacks are pretty steady on all network connections. Think of all those people with bank passwords and credit card info on their iPhones that they think is safe because they have it with them. Ummm no! The thing is Apple does not want people to know exactly how unsafe their information is. It's not safe on any device. If it makes it easier for you to get into your bank account or use your credit card, it also makes it easier for hackers and thieves to get at your information and use it.

Why isn't this breaking news? Well, because people would stop using the devices if they truly knew how vulnerable they were. Why is this story now mainstream? Well, because now that push is active Apple can drop the use of the SMS style of information sending and reporting, so the hole can have a light shined on it since they can now close it due to no use for it any longer. Apple would not be closing one hole without creating another, so once this hole is closed your information is still going to be just as vulnerable. Hackers and thieves will always find a way! Even if they have to go to work for major corporations and build the ways into the things meant to keep them out. People seem to underestimate the sheer patience and devotion that those that want what's yours have.

If you think push is so kewl, think again, because it's a constant connection with your device. It's an open window for nefarious people to just climb right in and root around. It's being said that jailbreaking only makes this easier, but when one jailbreaks the device they then have the control to close as many holes as possible should they choose to.
So I take that info as a sort of disinformation.
With all that said, I repeat: this is not a new exploit. It's just an old hidden exploit whose time has come and gone, and Apple feels is now safe to discuss. Anyone remember the boom video? You logged on on your iPhone and it then crashed your device. Too much info and system overload? Or Apple testing the Kill Switch?
I can hear it now: but Apple didn't release the information, some hacker did. He's not a hacker, he's a techno safety consultant. Hackers don't sell their exploits to people that will use them to seal the hole. Hackers use the exploit till they can no longer safely use it, or they sell the exploit to underworld no-gooders that use it to rob people. Anyone that shows up to any of these hacking contests is not a hacker and I doubt they ever come up with a new exploit, but merely take what they have found in the underground and make it public. They are more like hacker journalists than hackers, but I'm sure they irk some people in the process. It's like tax attorneys. They don't work for the IRS, because they know there is more money to be made on the other side of the law.
It's a smartphone of course someone can remotely turn on the gps , or camera or mic, or rummage through all your information. Think about that all would be criminals that have to have the latest and greatest cell/smartphone.
ill trooper @ Jul 2nd 2009 6:12PM
Many phones can have this done to them, however... Likely all condoned and utilized under the Patriot Act.
pulleyk @ Jul 2nd 2009 1:09PM
Isn't that what Batman used to find the joker?
hitmanshalva @ Jul 2nd 2009 1:14PM
Correct
NoAndThen @ Jul 2nd 2009 10:59PM
Obviously. Whenever I get a text it includes a bluish-gray 3d map of where they're texting me from.
Doesn't yours?
Ryan @ Jul 3rd 2009 6:15AM
No, Batman didn't use the phones' cameras... if you noticed... it actually used all the phones' microphones to create a sound picture...
No Phone For You @ Jul 2nd 2009 1:08PM
That is really messed up though. I know privacy is an illusion, but that is the edge of it.
Imagine if they can also control the cam and start taking pictures of you and put them on a "bad" site or something.
marty @ Jul 2nd 2009 1:23PM
eagle eye? ...
Wayne @ Jul 2nd 2009 1:20PM
Sweet hack.
Flowah @ Jul 2nd 2009 1:13PM
I thought you couldn't hack apple products.
Dking @ Jul 2nd 2009 1:30PM
apple love to lie... there are many things which apple claims to not have or has.. (viruses, problems, and so on..)
Puggs @ Jul 2nd 2009 1:36PM
@Paul.
So what about the mobileMe exploit?
Puggs @ Jul 2nd 2009 1:38PM
@Paul
Ok, so the MobileMe was exploited for Trojan.
Newone @ Jul 2nd 2009 1:44PM
This is a hole that can be exploited for a worm which is far worse than a virus.
Matt @ Jul 2nd 2009 1:47PM
Paul I hope that you don't think in your "perfect world" where Windows is the minority that nobody will create viruses for Apple.
sweet greggo @ Jul 2nd 2009 1:50PM
There are few hacks on the iPhone because, like the Macs, no one really cares.
lars @ Jul 2nd 2009 1:52PM
@paul: http://www.kaspersky.com/viruswatchlite?search_virus=osx&hour_offset=-2
deanb @ Jul 2nd 2009 1:54PM
Paul -
So OS X has Trojans and malware, but because it's virus-proof that makes it all better?
So what's your view on asbestos? It gives you cancer, but at least it's fire-proof, eh?
Matt @ Jul 2nd 2009 1:54PM
Thirty viruses, Paul? Somebody's insecure. If OSX is so amazing, we shouldn't be able to name one virus, should we?
sweet greggo @ Jul 2nd 2009 2:15PM
@Paul
I guess I didn't make myself clear enough. It doesn't matter if viruses can be written for the Mac or not.
NO. ONE. CARES.