The Apple Core

Jason D. O'Grady & David Morgenstern

iPhone executes SMS binary code as root

By | July 2, 2009, 1:58pm PDT


A security flaw has been discovered in the iPhone OS that could allow attackers to gain root access to the iPhone OS and allow them to install and execute malicious programs at will.

Charlie Miller announced the discovery of the vulnerability during a presentation at the SyScan conference in Singapore on Thursday. DailyTech explains:

The iPhone apparently automatically executes binary code sent in SMS messages.  Messages are limited to 140 bytes, but this is little deterrence as longer programs can be broken up into several messages, which the phone automatically reassembles.  While other applications such as the Safari browser on the phone only enjoy access to their sandbox, the SMS system is automatically granted root access, and SMS commands execute as root.

Miller would not provide specific details or demonstrate the vulnerability, stating that he has entered into an agreement with Apple. He would only say, "SMS is a great vector to attack the iPhone."

Update: Apple said that it will release a fix by the end of July, and Miller has agreed to hold off on releasing details of his attack until then. He will present the attack at the Black Hat USA 2009 conference, which runs from July 25-30 in Las Vegas. Miller is the author of The Mac Hacker's Handbook.


Jason O'Grady is a journalist and author specializing in mobile technology. He has published six books on Apple and mobile gadgets and his PowerPage blog has been publishing for over 15 years.


37 Comments

why people go down the path
onepersonsopinion@... 2nd Jul 2009
I hope he is charging a lot for finding this flaw. The more you slam these companies the more they will fix their software. I can feel the matrix and killer robots in the future secretly whispering to us..."fix the bugs....fix the bugs!!!.. FIX THE BUGS!!!!...thank you...you know...this guns for you....*screams*...no please spare me...my great great great great great great grandfather logged a bug on you years ago!!!" =D bwahahahahhahaha
0 Votes
+ -
You're such a geek LOL
T1Oracle 2nd Jul 2009
I know, I know...
0 Votes
+ -
For once, I got a chuckle reading a post on here. Thanks.
0 Votes
+ -
No need to worry
honeymonster 2nd Jul 2009
iPhone OS is UNIX based. As such it has a superior security design which makes attacks all but impossible.

This guy, Miller, is clearly overstating the severity of this issue.
0 Votes
+ -
No, iPhone is NOT UNIX based
NonZealot 2nd Jul 2009
We all know that OS X is UNIX certified.

We also know that iPhone OS is OS X.

Therefore, iPhone OS isn't just UNIX based, it is UNIX.

Therefore, it is immune to all malware.

At least I think that is how the logic goes.

This guy, Miller, is clearly overstating the severity of this issue.

I agree. By breaking into OS X within seconds at each PWN2OWN, it is obvious that Miller is just an M$ $hill who hates Apple.

Therefore he must be lying about this issue.

At least I think that is how the logic goes.
0 Votes
+ -
Actually, I think the logic is...
rapson 2nd Jul 2009
...that since there's not an actual exploit for this flaw, for all practical purposes it doesn't exist.

Carl Rapson
0 Votes
+ -
Good point
NonZealot 2nd Jul 2009
I guess the logic goes that Miller, while being an Apple hating M$ $hill, is the only one technically brilliant enough to ever find this vulnerability.

Of course, then you need to come to grips with the fact that this brilliant guy hates Apple. happy
0 Votes
+ -
Sometimes I don't know whether you're joking or not NZ.

You say "Of course, then you need to come to grips with the fact that this brilliant guy hates Apple."

But of course you know C. Miller is a Mac user.

Tom's Hardware article:

Charlie Miller: "I usually work on a pretty old MacBook that I've upgraded the hard drive on. It's been the computer that I had both times at Pwn2Own and it's been in many countries with me like Korea, Japan, Australia, Malaysia, and of course, Canada"

"I don't know what I'll do with my new MacBook Pro, but I definitely won't retire my trusty MacBook."

Alan (the interviewer): "I recently switched to a Mac myself and wrote about it for Tom's Hardware (and had a lot of angry readers)"
-----

And of course he's stated many times over the reason he could so quickly hack into Safari in pwn2own was because he had spent a lot of time preparing his exploit.

Charlie M:

"Yes, I took down the Mac in under a minute each time. However, this doesn't show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don't see the hard work in the preparation. If you set me down in front of an application I've never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I'd have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!"
0 Votes
+ -
As OSX is a UNIX-based OS, having anyone run something with ROOT permissions is like opening the door and walking away.

ONE reason this will probably not attack is that SMS'es cost money and can easily be stopped at service provider level.
You give anyone or anything root/admin permissions on your system and they can EASILY screw up whatever they please. If he really understood Unix, he would already know that.
0 Votes
+ -
naw....
JoeMama_z 2nd Jul 2009
Simple worm that parses your address book would do the trick, an iPhone botnet... interesting.
0 Votes
+ -
Just curious.
0 Votes
+ -
Just a flawed feature I think
Herrie 2nd Jul 2009
Running SMS binary code as root does make sense from a service point of view. You actually could SMS one or a bunch of phones to change some settings or something without direct interaction with iTunes.

However this "feature" can easily be misused; it is like logging in to root in Terminal and then walking away. Actually, leaving the front door open, as anyone is able to send you an SMS.
If you need a back door (which I would rather not give up on a device I supposedly "own") then at least put a lock on it. Don't leave it wide open.

That's just common sense.
0 Votes
+ -
Bingo! Give the man the prize.
BillDem 2nd Jul 2009
It was a major "OOPS!" type moment that Apple is scrambling to quickly fix within a few weeks. No incoming communications message or data should have ROOT level access to any OS. The guy who programmed that is now sitting in his boss's office getting chewed out.
0 Votes
+ -
One documented security issue
Pete "athynz" Athens Updated - 3rd Jul 2009
and suddenly the iPhone is "flawed by design"? So far I haven't had any issues.

Per my post later in this thread, I'm curious as to how many other similar issues the other mobile platforms have had... Let's not single out just one, let's examine ALL of them just to be fair.

0 Votes
+ -
if I suddenly started getting long strings of binary code as SMS messages. This is not exactly a stealth attack.
0 Votes
+ -
Nothing to see, move along now!
NonZealot 2nd Jul 2009
happy
0 Votes
+ -
Why apologize for Apple
John Zern 2nd Jul 2009
shouldn't it be Apple apologizing to you?
0 Votes
+ -
To be on the safe side....
oncall 2nd Jul 2009
I have moved my iPhone a good distance from my business computer and made sure it cannot get to any sharp instruments. Look at it over there, cool and shiny. But any minute now it could snap!!
Haven't you heard? The iPhone is always milliseconds away from catching fire.
0 Votes
+ -
Hey here's an idea...
oncall 2nd Jul 2009
pocket smoke detectors!!!!
I'll be rich! But yes, I already moved the flammables away from it.
0 Votes
+ -
The revolutionary iPhone cigarette lighter app...To light a cigarette just run app while holding cigarette in contact with rear of iPhone...Call it iLighter...Genius! happy
0 Votes
+ -
ROFL!!
NonZealot 2nd Jul 2009
Now THAT one truly did make me laugh out loud! happy
0 Votes
+ -
Alright. Now...
wrenchy 2nd Jul 2009
I can hear the Apple faithful scream out "It's a feature, not a bug!"

It's either that or flat out denial that Apple has made one of the most serious security blunders you can make.

I'll stick with Google's Android thanks!
0 Votes
+ -
IT'S A FEATURE!!!!
Pete "athynz" Athens 3rd Jul 2009
IT'S NOT A BUG!!!

I figured I'd just go ahead and do it so the Apple Zealots don't have to... happy

Interesting that this is so far the only documented security issue with the iPhone - at least the only one I have heard of. How many such flaws have Windows Mobile, Symbian, Blackberry, Palm OS, WebOS, Android and other mobile platforms had? Not an attack BTW but genuine curiosity to compare the figures.
0 Votes
+ -
The only documented security issue?
honeymonster 3rd Jul 2009
Did you miss the fact that iPhone OS 3 closed some 47 security holes?

And a search on secunia for iPhone vulns returns a list of some 96 vulnerabilities; almost all of them very severe (highly critical - system compromise).

As for your "other mobile platforms" you can look up Windows Mobile and the others as well.

Windows Mobile 6.x: 2 vulnerabilities (both of them rated "less critical").

Windows Mobile 5.x: 0 vulnerabilities!

Nice try, though.
0 Votes
+ -
late to the party
voyager529 2nd Jul 2009
There are already antivirus apps for Symbian and WinMo. It's quite a challenge to write one for a (standard issue) iPhone, since they don't do very well at multitasking and battery life would have a noticeable decrease if a daemon is running constantly.

I think that this exploit would be better classified as a rootkit than a virus, despite it being a part of the system and not being delivered by a third party.

Joey
0 Votes
+ -
Nothing wrong with root, really
honeymonster 3rd Jul 2009
Many daemons on *nix operating systems execute as root. You really don't want background processes to execute as the logged-on user. Often the process will need more privileges than what is currently assigned to the logged-in user.

The problem is that there is a vulnerability in the first place. This is much akin to vulnerability conficker exploited on XP (XP also executes many services with the "root" account - Vista/7 have hardened the daemons/services).

While most *nix'es indeed execute daemons as root, they often are subject to mandatory access control like e.g. AppArmor restricting what the process is allowed to do, even if it is compromised.

Apple has been late in implementing anything like service hardening (Windows) or AppArmor (*nix). They did prepare for an AppArmor style MAC (mandatory access control) but they never developed profiles for services.

I suspect that iPhone has no such protection. That's why a simple vulnerability may indeed compromise the entire device.

0 Votes
+ -
Why the claims of being *nix make me laugh
NonZealot Updated - 3rd Jul 2009
Apple has been late in implementing anything like service hardening (Windows) or AppArmor (*nix). They did prepare for an AppArmor style MAC (mandatory access control) but they never developed profiles for services.

Many of *nix security advantages come from the amazing amount of control you have over the system so that you can harden it against both known and unknown attacks. However, if you don't implement those security features, *nix provides you with no inherent security advantages. Open all the ports, use poor ssh passwords, run everything as root, etc. and you will have an incredibly easy to hack system. This is why the claims that OS X must be secure because it is *nix make me laugh. *nix isn't inherently secure, it can simply be configured to be secure. Apple didn't configure it to be secure, they configured it to be easy enough for your average Apple consumer to use (thus it has to be configured to be VERY easy to use). This explains why OS X is consistently the easiest OS to hack in any hacking contest.
0 Votes
+ -
Oh. Joy.
HypnoToad72 3rd Jul 2009
Hopefully a fix will be quick.
0 Votes
+ -
I don't know about you...
msalzberg 3rd Jul 2009
but I only give my cell number to those I know personally; I doubt any of them will be sending me vicious binaries as text messages.

I have no worries about this. It should be fixed, but it's not the end of the world.
0 Votes
+ -
Use your imagination
honeymonster 3rd Jul 2009
This bug is severe. It will run code sent in an SMS as root on your phone without user intervention.

An SMS sent to a few people with self-replicating code (a "worm") which takes over their phones and starts sending itself to people in the device phonebook.

This bug - if exploited before a patch is ready - has the potential for a *major* outbreak. You can be hit without knowing it, simply because a friend of a friend of a friend was hit. And then your friends will be hit.

This is the worst kind. Miller made good by adhering to responsible disclosure.
0 Votes
+ -
Yes, it could be a problem, IF...
msalzberg 4th Jul 2009
someone knows you have an iPhone, and wants to send it to you.

There are well over 150,000,000 cell phones in the US. Do you think someone is going to push hundreds of millions of text messages, just hoping to get an iPhone?

Yes, this is a bug with serious implications. In the real world, I doubt it will be much of a problem.
0 Votes
+ -