NEWS: SMS Bug In Your iPhone Could Prove Disastrous

If you receive an iPhone text message with a "single square character," be afraid. Be very afraid. It could be hackers using a newly discovered iPhone SMS bug to infiltrate your precious phone. According to CBS 5: "Famed hacker Charlie Miller discovered the flaw and told Apple about it six weeks ago. The company has not issued a fix, so Miller will pressure Apple by showing exactly how to hijack the iPhone at a cybersecurity conference on Thursday." Miller warned yesterday, "Someone could pretty quickly take over every iPhone in the world with this." IntoMobile explains how it works: "Using the exploit, hackers could send a succession of SMS text messages to an iPhone, allowing them to gain complete control of the handset. Hackers can then commandeer the iPhone to send similar text message strings to other iPhones, spreading like wildfire." If you get this square-character message, there's not much you can do other than turn your phone off.

Reply to
John Navas

John Navas wrote in news: snipped-for-privacy@4ax.com:

That's not possible! All the fanbois told me there isn't any Apple viruses in any product. They're perfect!

Reply to
Larry

Sounds like a load of horses--t to me. I don't doubt certain exploits are possible, but probably not as easy as a local "Eyewitless News" team has made it sound.

Just curious as to how an iPhone would then "send similar text message strings to other iPhones"? Are iPhones part of a sci-fi-like mass collective intelligence aware of all other iPhones around them? Do they carry a secret internal database of all other iPhones sold and the phone numbers assigned to them?

The ZDNet version of the story seems to indicate this theoretical hack would allow the SMS to silently direct the phone to open the browser and download malicious software from a preset website. I'm curious (and certainly no expert on iPhone architecture) as to how much "damage" this could do, given the iPhone's draconian restrictions on running code vs. other phones. How malicious a "web-app" can one create? From my understanding they can't access much user data in any significant way, other than maybe reading your contacts. Sure, I suppose you could create an SMS-sending "bot" out of the phone which would text everyone you know, or perhaps random numbers. This would be an inconvenience, and potentially expensive if you don't have a texting plan- at least until you rebooted, but it's not like a web-app could install itself and "autorun" again after the phone was rebooted.

This has all the earmarks of a "World Ends at 10, Details at 11!" TV news shock-story.

Reply to
Todd Allcock

If you were designing a worm to spread automatically via SMS, wouldn't you do it this way?

Sure, you'd send a bunch of text messages to non-iPhones, but only sending messages to phone numbers known to be assigned to authorized iPhone carriers would limit the amount of junk text messages that would need to be sent.

On the flip side, the sheer flood of junk SMSes would probably cripple AT&T's SMS capabilities network-wide, limiting the spread of said virus.

That's not quite what would happen -- Rather, the malicious code would probably do it in the background, Safari wouldn't even need to get loaded.

At least from what I've read it sounds like the iPhone happily assembles messages of arbitrary length, so the initial payload could be enough to get online and pull further code/instructions in the background.

However, all of that being said, there is little need to do anything silently, all you'd need is to point the browser to a compromised website, there are also known Safari exploits available, so the transmission by SMS may simply be to force users to visit said websites.

You've heard of jailbreaking? The app likely jailbreaks enough to meet its own needs (this would not include installing typical JB tools or be remotely similar to what a consumer jailbreak looks like; it would just weasel in far enough to run as root).

Yes, it does. However, if it really is a remotely triggerable code-execution situation and if Apple's own apps all still run as root (they did previously) then the reality need only be limited by the ingenuity of the bad guy.

The flip side is that these attacks will be cleaned up fairly trivially by Apple via iTunes, you'll just need to get every compromised user to upgrade to a new version of iTunes, then connect their iPhones. Yay!

Reply to
DevilsPGD

If NavASS can do anything to berate anything that he doesn't own, he will spread rumors like wildfire. He is a child who gets his ass in trouble wherever he goes. Right now, he has been laughed out of the photography groups, so he's over here with nothing better to do...

Reply to
George Kerby

Now that was funny, look out Adam Sandler.

Reply to
The iPhone 3GS KICKS some seri

"Todd Allcock" wrote in news:OMkcm.36967 $ snipped-for-privacy@newsfe09.iad:

...er, ah, no....They'd have to be multitasking for that!...(c;]

Reply to
Larry

Agreed. My point was the exaggeration of the news quote designed to make it sound more sinister. Obviously the malware would have to cast a wide net and hope to hit other iPhones using a "throw enough excrement at the wall..." methodology.

If 30 million of the nation's teenagers haven't brought the SMS system down, I'm not sure this could! ;)

The point, however, is how would this "execute" on the iPhone's sandboxed architecture? (I'm asking because I certainly don't know!) How much latitude does a web app (because this is all we're really talking about- the iPhone can't really download a native app from the web) have to run amok?

If this was possible, why hasn't this exploit been used by hobbyists? As an alternative to jailbreaking, certainly someone would've put up a non-malicious web-installable app "no jailbreak required" by now, wouldn't they?

And the limits of how much the iPhone allows to be done by this method. As I wondered above, wouldn't this method have been used for quasi-legitimate uses already if possible? Some dev rejected by the app store could simply publish his or her app as a "click-to-install" link and let it "weasel in."

It sounds to me that the hacker found a hole to allow an SMS message to trigger a web link without the users' need to tap on it, (which is certainly bad enough,) and imagination is snowballing the threat the rest of the way.

Considering how often one needs to dock an iPhone just to change media files, it wouldn't take long...

Reply to
Todd Allcock

it's usual sensationalism and it is due to be patched this weekend.

however, this bit stands out:

"Phones incorporating the Windows Mobile and Google Android operating systems are also vulnerable, they said."

so it's not just apple with the security hole. imagine that. where's the headlines about them?

and i'm not sure why the carriers can't just detect the 'single square character' and discard the bogus sms.

Reply to
nospam

In theory, a web app can't do anything of the sort. In theory, phones don't execute arbitrary code sent via SMS.

Safari has a bit of a remote-code-execution habit that Apple doesn't seem to have broken yet. iPhone's Safari implementation has a smaller attack surface than its desktop counterparts, but there have been a variety of issues, and there were a couple reported in OS 3.0 shortly after the release.

Some of the very first jailbreak efforts got in through browser exploits (via image rendering flaws, if I recall correctly)

From what I understand the problem on the current generation of iPhone OS is that these types of exploits are generally lost after the OS reboots, iTunes is needed to make the type of changes that are needed for a full jailbreak to be sticky.

It's likely that this exploit can be cleaned up with a reboot too, unless the bad guys have another trick up their sleeves.

Assuming the bad guys can't get around the reboot problem, but also assuming we have an organized bad guy who wants to maintain his iPhone botnet across reboots, he would likely have his exploit call home to report in when it first fires up, and again every hour or so. This seems like an ideal job for a mesh network of iPhones; if you wanted to get sophisticated, you'd have a system where iPhones monitor several neighbors, and should a device stop calling in, an SMS attack would be triggered to re-compromise the device, automating re-infecting a device after a reboot.

If you wanted to be lazy you'd just have infected phones reinfect everyone on their contact list regularly, there likely isn't any harm in a botnet of iPhones sending each other re-infection attempts regularly, trapping and discarding the message wouldn't be hard and would avoid the user becoming suspicious by the continual "square SMS" messages.

All of this will be moot if Apple ever bothers to patch the vulnerability, they've known about it for most of a month so far, and knew that the vulnerability would be publicly disclosed at Blackhat yet Apple hasn't bothered to release a patch yet, this speaks to Apple's commitment to security.

Everything I've read says that this is a full remote code execution exploit, although there may be an upper limit on the size of the executable that can be sent (but it's beyond the SMS message limits since the iPhone reassembles multi-part messages before starting code execution)

By injecting the code into an application running as root (yes, Apple runs the native apps as root) the code can do whatever it wants, including downloading a full exploit binary from the intertubes.

Since a reboot kills it, this is less useful for a rejected app developer to get back in, since the app would be rendered useless on every device reboot, and would be neutered completely after Apple gets around to patching, so writing for the full jailbreak community is more productive.

Reply to
DevilsPGD
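An added example, not code from the thread or from Apple: a defensively written reassembler for concatenated SMS, the multi-part reassembly step the post above says runs before any payload reaches application code, with the index and length checks whose absence is what makes this class of bug exploitable. It assumes the standard 3GPP TS 23.040 user-data header layout; every sample segment in the code and test is constructed.

```python
# Added example, not code from the thread or from Apple: a defensively written
# reassembler for concatenated SMS, the step the posts above say runs before a
# payload reaches application code. Assumed layout (standard 3GPP TS 23.040):
# a user-data header = its own length byte, then (IEI, length, data) elements;
# the 8-bit concatenation element has IEI 0x00 and holds (reference,
# total_parts, part_number). All sample segments in the test are constructed.
MAX_SEGMENT_BYTES = 140   # one SMS user-data field is at most 140 octets

def parse_concat_udh(udh: bytes):
    # Returns (reference, total, part), or None if the header is malformed.
    if not udh or udh[0] != len(udh) - 1:
        return None                      # UDHL must match the bytes present
    concat, i = [], 1
    while i < len(udh):
        if i + 2 > len(udh):
            return None                  # truncated IE header
        iei, iel = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iel]
        if len(data) != iel:
            return None                  # IE length claims bytes not present
        if iei == 0x00:
            concat.append(data)
        i += 2 + iel
    if len(concat) != 1 or len(concat[0]) != 3:
        return None                      # exactly one, well-sized, concat IE
    ref, total, part = concat[0]
    if total == 0 or part == 0 or part > total:
        return None                      # out-of-range index: never index by it
    return ref, total, part

class SmsReassembler:
    def __init__(self):
        self._pending = {}               # (sender, ref) -> [total, {part: body}]

    def feed(self, sender: str, udh: bytes, body: bytes):
        # Returns ("drop" | "pending" | "complete", assembled bytes or None).
        meta = parse_concat_udh(udh)
        if meta is None or len(body) > MAX_SEGMENT_BYTES:
            return ("drop", None)
        ref, total, part = meta
        key = (sender, ref)
        asm = self._pending.setdefault(key, [total, {}])
        if asm[0] != total or part in asm[1]:
            self._pending.pop(key)       # inconsistent or replayed segment
            return ("drop", None)
        asm[1][part] = body
        if len(asm[1]) < total:
            return ("pending", None)
        self._pending.pop(key)
        return ("complete", b"".join(asm[1][n] for n in range(1, total + 1)))
```

Any segment whose header fails validation is discarded before its body is ever used, and an inconsistent or replayed segment throws away the whole partial assembly rather than trusting either copy.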

Sure. Just use a round hole. Works every time.

Reply to
News

Yesterday, The Reg reported that researchers had discovered a vulnerability in the iPhone and other mobile devices that made them vulnerable to an SMS hack.

This morning, Apple fixed it.

Apple spokesperson Tom Neumayr told The Reg about the fix when we contacted him after the BBC reported that O2 had said a fix was on the way.

According to Neumayr:

We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.


Reply to
John Navas

leaving windows mobile and google android vulnerable.

Reply to
nospam

Wouldn't that be some windows etc.?

Reply to
atec 7 7


You missed some bits (emphasis mine): "APPLE SAID Phones incorporating the Windows Mobile and Google Android operating systems were also POTENTIALLY vulnerable..."

Media darlings have to take the good with the bad. The iPhans don't complain when it's "big news" every time the iPhone gets a 5 year-old feature or program (MMS, Skype, etc.) so don't be surprised when "me too" works against it!

Because the message probably isn't a "single square"- that's just how it displays on the phone. Presumably the message is a silent SMS control message like carriers send to configure phones OTA. If I try to open one of those on my WinMo phone, I get an error message something like "this message can not be displayed."

Besides, who wants their carrier sniffing their messages looking for "potential threats?"

Reply to
Todd Allcock

Don't forget that the "less than 24 hours" is technically true, but a bit disingenuous.

This exploit was reported to Apple weeks ago, along with the expected public release date, they didn't bother fixing it until public release.

Reply to
DevilsPGD

On Sat, 01 Aug 2009 19:31:58 -0700, DevilsPGD wrote in :

There's no way Apple can be sure of that.

And what really matters is how long it will take for iPhones to be patched, which will depend on whether AT&T is proactive or not.

Reply to
John Navas

it doesn't depend on at&t at all. apple posted the firmware update and every iphone user will be notified the next time they sync. it's up to the user to actually download and install it.

Reply to
nospam

On Sat, 01 Aug 2009 20:02:40 -0700, nospam wrote in :

And if they don't happen to sync, as many (most?) don't (very often at least, if at all), then they are still exposed.

As I wrote, how serious this is will depend on whether AT&T is proactive or not.

It's not the obligation of users to protect themselves against screwups by Apple which are unknown to them.

Reply to
John Navas

bullshit. you don't know how often people sync. most sync fairly often, particularly since it's a convenient way to charge.

and as i wrote, it has nothing to do with at&t, especially since it affects phones outside of at&t's coverage area.

nobody said it was. apple can only provide the update. if the user declines to install it, so be it.

Reply to
nospam
