iPhones at risk of hijacking via SMS

Researchers have discovered a flaw within Apple's iPhone SMS feature, an exploit that could allow a hacker access to your iPhone, disabling it and rendering it utterly useless. The exploit was publicized today at Black Hat cybersecurity conference in Las Vegas today.

Cybersecurity researchers Charlie Miller and Collin Mulliner discovered how they can disable any iPhone via a simple SMS. The exploit sent consumers into pandemonium, questioning if they should shut off their iPhone's as of Thursday, when the exploit was demonstrated and documented to the public. The exploit shows up on the victims device as a single square character.

Dwight Silverman from chron.com explains that the risk of consumers iPhone being compromised is very slim. The hacker will only be able to disable your iPhone if they send an SMS directly to your phone, making it harder is that they would need to spam every phone on the market hoping to hit an iPhone.

The report left by the researchers leaves gaps that must be filled in by attempted hackers in order to properly execute the attack, something that will eventually be discovered. Dwight also suggestions that the time needed to write a program to mass attack iPhone's on the market would require about two weeks to write the code.

Apple has reportedly had a month to fix the hole and release a patch to consumers, but has yet to do so. Since the demonstration and publication of the attack, Apple may delay the release of their new iPhone 3.1 firmware update to include a patch to fix the flaw in the iPhone SMS feature.

In theory, all consumers are safe for at least another two weeks until experts predict they will see this attack surface in the wild, unless Apple can patch the flaw by then.

Report a problem with article
Previous Story

Apple probably not attending CES 2010, despite rumors

Next Story

British hacker loses High Court extradition appeal

38 Comments

Commenting is disabled on this article.

I wonder if an app like Mcleaner would work to help protect against this? im not sure if this application actually blocks text messages, or simply automatically deletes them immediately after they come in..

I'm not sure if this is exactly the same but the BBC are claiming this affects more than just the iPhone, and includes windows mobile and android. Link

bmdixon said,
I'm not sure if this is exactly the same but the BBC are claiming this affects more than just the iPhone, and includes windows mobile and android. Link



It is the same thing, and the exploit isn't nearly as easy to achieve as some in this dicussion would like to suggest, but then again most of those people have only read the headline and not the article.

Slightly astonishing that Apple haven't rushed to get this resolved. I appreciate firmware updates are a fairly big deal and all that, but given the severity of this, I'd personally like to get it fixed pronto!

I had great fun yesterday copy and pasting a small square off the web and sending it to my friends with iphones. Tehehe.

Apple has reportedly had a month to fix the hole and release a patch to consumers, but has yet to do so. Since the demonstration and publication of the attack, Apple may delay the release of their new iPhone 3.1 firmware update to include a patch to fix the flaw in the iPhone SMS feature.

So they werent planning on fixing the flaw then...???

In theory, all consumers are safe for at least another two weeks until experts predict they will see this attack surface in the wild, unless Apple can patch the flaw by then.

Perhaps sooner, now the exploit has been made public...!!!!???!!!!! hmm, is there not a lesson there....???

I think the ones that are really vulnerable are the corporate users. I know in our company we roll out blackberrys to the higher ups. I am sure some companies use iphones. Now imagine if you could hijack the a corporate iphone, then spread a virus through all the iphones in the company...

I am replying from my iPhone to this and all I half to say is tha.....192384094350921340 sfddvdxv xcvxchhh e eert9
syntax error
cd /
rm -rf *

Not that I'm trying to "Think Criminal", however, I'm sure I could find an AT&T store (in the US, insert your local carrier in the rest of the world) and find someone that for $100 bucks or so (especially if they are young or look like they dont care about their job, of which I know of one already at the counter at the store in my area), and get him to give me a handful of numbers from AT&T i-phones that come in for repair, upgrade, whatever.......
I was in an AT&T store the other day and saw 9 or 10 i-Phones go into the service dept in about 90 min. Then like one of the comments above, this doesnt have to hit everyone, just a handful of people and it will get media attention and the rest would be .......
Again, I wouldnt do that, but if I can think of that off the top of my head, I'm sure a someone else out there would try.
PS - Don't own i-Phone and very happy I dont

lordcanti86 said,
Anti-virus software for the iPhone

THE TIME IS NOW!


Psh, Apple tells me I don't need no stinking PC ish Anti-Virus program

Fox news had a piece on this very subject this afternoon. Sasha (don't remember his last name) a reporter for PC Magazine and PCMAG.com indicated that for those of you who are hit with this virus you can do several things to curb it until Apple fits the problem. If you notice a small square in the lower half of the screen do not click on it, but do the following: Either put in airplane mode, or just turn it off; this will eliminate the virus. If you do click on the square it may or may not cause you problems. He also stated this is not just a problem on the iPhone, it is also related to the Blackberry, the Google Android (Google as already issue a patch), and several other cell-phone companies.

I guess you didn't read yesterday's post!

Yesterday's Post
Windows Mobile affected too

Miller also claims he has found a bug in Microsoft's Windows Mobile devices that that allows complete remote control of the device. Miller discovered the bug last Monday and it's currently un-patched by Microsoft. It's not clear whether Miller plans to unveil full details of the Windows Mobile bug tomorrow or limited details until Microsoft has been made aware.

"Dwight Silverman from chron.com explains that the risk of consumers iPhone being compromised is very slim. The hacker will only be able to disable your iPhone if they send an SMS directly to your phone, making it harder is that they would need to spam every phone on the market hoping to hit an iPhone."

Nothing to see here, move along!

However, spamming the At&t network would probably result in a bunch of hits. Even just one hit could cause a mass pandemic if the news organizations make a big deal of it.

bob_c_b said,
"Dwight Silverman from chron.com explains that the risk of consumers iPhone being compromised is very slim. The hacker will only be able to disable your iPhone if they send an SMS directly to your phone, making it harder is that they would need to spam every phone on the market hoping to hit an iPhone."

Nothing to see here, move along!


So what he's saying is the standard excuse for Apple, the market share is so small, you are safe then!...

neufuse said,
So what he's saying is the standard excuse for Apple, the market share is so small, you are safe then!...


So you can't read, he said you'd have to spam every phone in a specific market unless they had your specific number to target. But you keep spinning that anyway you like.

bob_c_b said,
So you can't read, he said you'd have to spam every phone in a specific market unless they had your specific number to target. But you keep spinning that anyway you like.

Well if you could takeover the phone with an sms, you only need to get one, and then that phone forward it to all the people in their address book. I am not sure it works that way though, but if it does that is pretty bad.

That̢۪s right it could potentially spread like a virus from phone to phone.

Thank God I have a HTC with HardSPL (Brick-Proof)

bob_c_b said,
"Dwight Silverman from chron.com explains that the risk of consumers iPhone being compromised is very slim. The hacker will only be able to disable your iPhone if they send an SMS directly to your phone, making it harder is that they would need to spam every phone on the market hoping to hit an iPhone."

Nothing to see here, move along!

What the hell do you mean 'Nothing to see here'?
It would be relatively easy to hit an iphone after just a few tries especially as they locked to a specific network (O2 over here).

It would be funny if the dev team issues a patch, after the "jailbreakers will bring down the cell towers" fiasco

evo_spook said,
And I hope you get done for criminal activity then

That's cute, thanks. I'll assume you are the model citizen.

freeza said,
That's cute, thanks. I'll assume you are the model citizen.

I'm sure he's not, but I'd bet he's not a vandal as you're claiming to be.

Apple have know about this for a month. Something this serious should be given far more attention and priority.

It won't take much for the hackers to write some kind of automated script to mass spam this out to all mobile numbers.

Nah, it gives Apple the chance to see how strong their Reality Distortion Machine and test the loyalty of their followers. Why spend the effort on fixing it when it won't affect people's opinion at all?

You know, times has changed when the Unix/Linux based OS who were thought to be somehow inherently more secure because "it was built from the base for security" are actually more vulnerable than the Windows OS. Shows you how much we know is not based on facts but on popular opinion. At least, Google was quick to patch it.