How to capture iPhone SMS tokens: video

How to capture iPhone SMS tokens: video

Summary: Pure Hacking chief technology officer Ty Miller has posted a demonstration video of how an attack can steal SMS-based two-factor authentication tokens from Apple iPhones, and possibly Android devices.


Pure Hacking chief technology officer Ty Miller has posted a demonstration video showing how SMS-based two-factor authentication tokens can be stolen from Apple iPhones and possibly Android devices.

The demonstration can be launched after a jailbroken iPhone is compromised by a number of non-specific attack vectors initiated by users opening malicious websites or email attachments.

Once an attacker has compromised the phone, they can view SMS tokens, popular as a means of authentication by Australian banks, stored in a SQLite3 database on the phone.

The demonstration also shows how usernames and passwords stored in the phones' auto-complete feature can be stolen.

A separate attack on a jailbroken iPhone by a researcher from Sense of Security demonstrated that a modded iPhone can create a bridge between the public internet and a "secure" internal network.

Topics: Apple, Banking, iPhone, Mobility, Security

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years, he covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • As per, once again this is with *jailbroken* iPhone and does therefore not reflect the configuration used by a majority of consumers.

    If the stated attack vectors used i.e. "opening malicious websites or email attachments", such as are *missing* from this video. Rather SSH, which provided the remote access, is installed after jailbreaking the iPhone.

    Also SMS 2FA Auth Tokens can only be used once and within a particular timeout period so recovering past SMS messages does *not* increase their attack surface.
    • I agree, the token in the first case is not that valuable. However, the username and password they intercepted is... Then I suppose the attacker could login to your online banking and get it to send you an SMS and then use this technique to intercept it and .... I suppose that could be valuable.

      While this attack vector only currently exists on Jailbroken phones, the article is pointing to the fact that an attacker could compromise the phone first, install SSH and then use this technique to access online banking.

      I'm not sure your negative comment does anything but to serve your inflated opinion of your security knowledge.
      • @stu5,

        The SMS would be displayed on compromised iPhone therefore alerting the end user that their internet banking credentials have been compromised.

        Furthermore, since the SMS token is mostly required for transactions with a higher value, then the likelihood of this being conducted on an iPhone is much lower then say the home desktop PC. Hence, why SMS is intended as an out of band communications channel and this would require the desktop PC to be compromised also to obtain their Internet Banking credentials.

        Perhaps the video could demonstrate how you would compromise an iPhone that isn't jailbroken and then installed a *signed*, i.e. accepted by Apple, SSH server binary as a listening service?

        I would suggest that you consider other articles were Pure Hacking are featured, such as or (note the comments), etc prior to suggesting that I have an "inflated opinion of ... security knowledge"?
  • .. in other news, people who steal your car can drive it!

    If someone has physical access to a device or system its game over.

    Purely, this is not 'hacking'.