
Researchers take control of iPhone via SMS

Elinor Mills | July 30, 2009 4:58 AM PDT

Researchers have discovered a way to take complete control over an iPhone simply by sending special SMS messages.

An attacker could exploit the hole to make calls, steal data, send text messages, and do more or less anything a person can do on their iPhone, researchers Charlie Miller and Collin Mulliner claimed at the Black Hat security conference in Las Vegas on Wednesday.

The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators. There is no patch, despite the fact Apple was notified of the problem about six weeks ago, he said.

The attack is similar to an SMS attack demonstration CNET News.com wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a web browser and directed the phone to a malicious website where malware could be downloaded.

In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack. However, while an attacker could temporarily knock the phone off the cell network, they could not take control, according to Mulliner, who is getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.

Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to create a situation where there are no buttons to push, so the phone cannot be used, said Miller.

For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be seen, he said.

The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.

Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious website or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.

Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007, and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.


Researchers Collin Mulliner and Charlie Miller plan to demo the attack on an Android phone and an iPhone during their presentation on Thursday.

This article was originally posted on CNET News.

Talkback Most Recent of 79 Talkback(s)

  • I was wondering
    Would the start menu still be accessible? Because the HTC interface (TouchFLO) does not block this, and it remains in its normal form even if TouchFLO is turned on.
    jdbukis@...
    30th Jul 2009
  • really
    So you thought software produced by Microsoft were the only insecure ones? This is just reality; nothing is really secure.
    nessrapp
    30th Jul 2009
  • Awww... but iPhone is sooooo perfect
    Apple has horrendous security. And it's only time before they are going to get whacked. Other than the US at less than 10% marketshare, Apple has virtually nothing around the world... no one wants to hack Macs.

    Time and time again, it's proven to be quite easy. And now the iPhone can be totally taken over, by what, an SMS message. Lol.

    Silly Apple fanboys.
    trance2tec
    30th Jul 2009
  • It's SMS jackazs - not iPhone or Apple
    People like you are THE problem out there.
    VoiceOfLogic
    1st Aug 2009
  • It is Apple
    Read the article - Google fixed it almost immediately after being notified, Apple still hasn't after almost two months.

    The holes in SMS may not directly be Apple's fault, but their slow response shows that Apple really doesn't care about security.

    It has been pretty well acknowledged by experts that Apple products are not inherently safer than non-Apple products, but there is less incentive to create a virus.

    Remember - viruses are like computer terrorist attacks. If a farm in Nebraska has never been hit by a terrorist attack does that mean it's got more security than the Pentagon?

    Apple is subscribing to the line of thought that, yes, the farm in Nebraska has much higher security than the Pentagon, simply because there've been no attacks.
    kymac
    2nd Aug 2009
  • and Microsoft also
    there wasn't anything in this article that said MS closed a similar hole... so chill with the hate for Apple.
    Pete "athynz" Athens
    6th Aug 2009
  • Duh!!!!!!
    Maybe because WM didn't have the "hole"?
    brianpeterson@...
    6th Aug 2009
  • Dude
    Why is it that you are on EVERY SINGLE Apple/ iPhone post bashing them like a rejected ZDNet blogger? I think you have iPhone envy issues...
    Pete "athynz" Athens
    6th Aug 2009
  • RE: Researchers take control of iPhone via SMS
    LOLOLOLOLOLOLOL!!

    Yet another reason I don't want an iphone.
    Loverock Davidson
    30th Jul 2009
  • Marketshare or low hanging fruit?
    So, is this because the iPhone has such big marketshare or because its security is the worst out of all the mobile platforms out there?

    Oh, wait, I forgot that this doesn't count because this is only a proof of concept. No "bad guy" could ever figure this one out, only researchers can.
    NonZealot
    30th Jul 2009
  • Other phones have similar bugs
    Android and Windows Mobile phones have a very similar issue. This article decided to focus on the iPhone because it brings in more views.

    The issue with all three phone OS's is supposed to be shown.
    Stuka
    30th Jul 2009
  • ROFL ROFL ROFL!!!
    Let's compare the 3 issues, shall we?
    iPhone - Send an SMS and attacker gets complete control over the phone
    An attacker could exploit the hole to make calls, steal data, send text messages, and do more or less anything a person can do on their iPhone

    Android - Send an SMS and knock the phone off the network but no control could be taken
    while an attacker could temporarily knock the phone off the cell network, they could not take control

    WM - Send an SMS and make HTC phone unresponsive to button presses but no control could be taken and this issue only affects HTC made phones so it isn't even correct to label this one as a WM flaw.
    a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to create a situation where there are no buttons to push

    And you think these 3 issues are similar?!?! ROFL ROFL ROFL!!!

    Stuka, do me a favour and from now on, whenever you see an article that highlights a flaw in an Apple product, I want you to think: How would I react if this was a Microsoft flaw? and go from there.

    ROFL!!! I still can't get over how you think that taking complete control over a device is "similar" to being able to make a device unresponsive. To add insult to injury, check out this quote:
    Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.

    So this is a self replicating worm that requires no user interaction!!! But yeah, other than that, it is similar to making buttons unresponsive!

    ROFL ROFL ROFL!!!

    And finally we have the coup de grace:
    There is no patch, despite the fact Apple was notified of the problem about six weeks ago, he said.

    SIX WEEKS AND NO RESPONSE FROM APPLE!
    NonZealot
    30th Jul 2009
  • And to think....
    ...that they actually wanted to promote the iPhone for enterprise...
    eMJayy
    30th Jul 2009
  • Never was an Apple fan but.....
    ....it's amazing how they can take something solid like BSD and put so many holes in it. So much for the so-called ease of use they supposedly brought to *nix.
    storm14k
    30th Jul 2009
  • This highlights something important
    There was a story a while back about how Apple had coded the SMS parsing routines to run as "root". The kernel is faithfully doing everything it is asked to do within the security context that it has been passed. To do anything else would mean the kernel was broken. There are no holes in the kernel, it is working perfectly.
    NonZealot
    30th Jul 2009
