Researchers have discovered a way to take complete control over an iPhone simply by sending special SMS messages.
An attacker could exploit the hole to make calls, steal data, send text messages, and do more or less anything a person can do on their iPhone, researchers Charlie Miller and Collin Mulliner claimed at the Black Hat security conference in Las Vegas on Wednesday.
The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators. There is no patch, despite the fact Apple was notified of the problem about six weeks ago, he said.
The attack is similar to an SMS attack demonstration CNET News.com wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a web browser and directed the phone to a malicious website where malware could be downloaded.
In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack. However, while an attacker could temporarily knock the phone off the cell network, they could not take control, according to Mulliner, who is getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.
Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to create a situation where there are no buttons to push, so the phone cannot be used, said Miller.
For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be seen, he said.
The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.
Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious website or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.
Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.
Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007, and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.
Researchers Collin Mulliner and Charlie Miller plan to demo the attack on an Android phone and an iPhone during their presentation on Thursday.