Unpatched SMS flaw lets hackers ‘take control’ of iPhone

Apple Inc. has just over a day left to patch a bug in its iPhone software that could let hackers take over the iPhone, just by sending out an SMS (Short Message Service) message.

The bug was discovered by noted iPhone hacker Charlie Miller, who first talked about the issue at the SyScan conference in Singapore.

At the time, he said he’d discovered a way to crash the iPhone via SMS, and that he thought that the crash could ultimately lead to working attack code.


Since then, he’s been working hard, and he said he’s now able to take over the iPhone with a series of malicious SMS messages.

In an interview Tuesday, Miller said he will show how this can be done during a presentation at the Black Hat security conference in Las Vegas on Thursday with security researcher Collin Mulliner.

“SMS is an incredible attack vector for mobile phones,” said Miller, an analyst with Independent Security Evaluators. “All I need is your phone number. I don’t need you to click a link or anything.”

Miller reported the flaw to Apple about six weeks ago, but the iPhone’s maker has yet to release a patch for the issue.

Apple representatives could not be reached for comment, but the company typically keeps quiet about software flaws until it releases a patch.

Miller identified a similar SMS bug in the Google Android system that would enable a hacker to block the device from its wireless network for around 10 seconds.

This exploit could be repeated several times to keep the user offline for a long time, Miller noted in another interview with Forbes.com.

But he said while Google has patched the Android flaw, this second iPhone bug also remains unpatched.

At the SyScan ’09 Conference in Singapore earlier this month, Miller revealed some details about the iPhone SMS flaw.

He said it lets attackers “run software code on the phone that is sent by SMS over a mobile operator’s network to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”

At the SyScan Conference, Miller also warned that jailbreaking iPhones posed a huge security risk.

By jailbreaking an iPhone you strip away most (80 per cent) of Apple’s security protections and increase many times over your vulnerability to attacks, Miller warned.

The iPhone’s operating system is a pared-down version of Mac OS X – the latest OS version for Mac computers. Compared to their Windows counterparts, Macs are far less prone to security risks.
Likewise, non-jailbroken iPhones generally only run applications digitally signed by Apple.

However, when an iPhone is opened up to apps available on Cydia or Icy – both free replacement packaging and repository managers for the original Installer.app for the iPhone or iPod touch – there is less control over what is being installed.

In 2007, Miller was the first person to remotely hijack the iPhone using a flaw in its browser. That vulnerability gave the attacker a similar power over the phone’s functions as the SMS exploit.

However, it required tricking users into visiting an infected Web site where – unknown to them – malicious code would be downloaded to their device.

When Miller alerted Apple in July of that year, the company patched the vulnerability before Miller publicized the bug at the Black Hat conference the following month.

In sharp contrast, the new SMS exploits would be possible without any action required on the part of the users. They are virtually unpreventable, Miller and Mulliner’s research reveals.

The iPhone SMS bug is just one of a series that the researchers plan to reveal in their presentation at the Black Hat Conference.

The researchers are also expected to disclose details about a texting vulnerability they’ve identified in Windows Mobile that would enable a hacker to remotely control smart phones running the OS.

If it does release a pre-Black Hat patch, Apple will not be alone.

Microsoft had to scramble to put out an emergency fix for an issue in its Active Template Library (ATL), which is used to build ActiveX controls. This “out-of-cycle” patch was released Tuesday, ahead of another Black Hat presentation on that particular vulnerability.

Miller’s attack doesn’t pop up shellcode — the basic software attackers use as a stepping stone to launch their own programs on a hacked machine — but it lets him control the instructions that are within the phone’s processor.

With some more work, someone could take this exploit and run shellcode, Miller said.

Although it’s an old technology, SMS is emerging as a promising area of analysis as security researchers use the powerful computing capabilities of the iPhone and Google’s Android to take a closer look at the way it works on mobile networks.

On Thursday, two other researchers, Zane Lackey and Luis Miras, will show how they can spoof SMS messages that would normally only be sent by servers on the carrier.

This type of attack could be used to change someone’s phone settings, simply by sending them an SMS message.

Miller believes that more SMS bugs are likely to emerge, and to help find them, he and Mulliner have developed an SMS “fuzzing” tool that can be used to hammer a mobile device with thousands of SMS messages without actually sending the messages over the wireless network (a costly endeavor).

The tool, which he calls the Injector, runs on the iPhone OS, Android and Windows Mobile mobile phones.

The tool inserts itself between the phone’s application processor and the modem and makes it look like the SMS messages are coming through the modem, when they are in fact being generated on the phone itself.
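The defensive counterpart to the fuzzing described above is a message parser that never trusts the length fields in a received SMS. The following C program is an added example written for this page, not Miller and Mulliner’s Injector and not any vendor’s SMS stack: it parses an SMS-DELIVER TPDU laid out as in 3GPP TS 23.040 (originating address, protocol identifier, data coding scheme, timestamp, user data length, user data) and rejects any message whose declared address or user-data length exceeds the bytes actually received, which is exactly the kind of malformed input a fuzzer like the Injector would feed the phone. The sample PDU, the error codes and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes (constructed for this example). */
enum {
    SMS_OK = 0,
    SMS_ERR_SHORT = -1,  /* buffer ends before a mandatory field */
    SMS_ERR_TYPE  = -2,  /* not an SMS-DELIVER (TP-MTI != 00) */
    SMS_ERR_ADDR  = -3,  /* originating address malformed or too long */
    SMS_ERR_UDL   = -4   /* declared user-data length exceeds what was received */
};

typedef struct {
    int      udhi;            /* TP-UDHI: a user-data header is present */
    char     originator[21];  /* up to 20 BCD digits, NUL-terminated */
    uint8_t  pid, dcs;        /* TP-PID and TP-DCS */
    uint8_t  scts[7];         /* TP-SCTS, raw semi-octets */
    uint8_t  udl;             /* TP-UDL as declared (septets for 7-bit, else octets) */
    const uint8_t *ud;        /* user data, pointing into the caller's buffer */
    size_t   ud_len;          /* user-data bytes actually present and bounds-checked */
} sms_deliver_t;

/* 1 if the data-coding scheme (TS 23.038) selects the GSM 7-bit alphabet. */
static int sms_dcs_is_7bit(uint8_t dcs)
{
    if ((dcs & 0xC0) == 0x00) return ((dcs >> 2) & 0x03) == 0; /* general group */
    if ((dcs & 0xF0) == 0xF0) return (dcs & 0x04) == 0;        /* message-class group */
    return 0;  /* other groups: treat as 8-bit, so no septet expansion is assumed */
}

/* Parse an SMS-DELIVER TPDU (no SMSC prefix). Every sender-controlled
 * length is checked against len before a single byte past it is read. */
int sms_parse_deliver(const uint8_t *pdu, size_t len, sms_deliver_t *out)
{
    size_t pos = 0, addr_bytes, ud_bytes;
    uint8_t first, ndigits, i;

    memset(out, 0, sizeof *out);
    if (len < 1) return SMS_ERR_SHORT;
    first = pdu[pos++];
    if ((first & 0x03) != 0x00) return SMS_ERR_TYPE;
    out->udhi = (first >> 6) & 1;

    /* TP-OA: digit count, type-of-address, then packed BCD digits */
    if (len - pos < 2) return SMS_ERR_SHORT;
    ndigits = pdu[pos++];
    pos++;                                   /* type-of-address, not needed here */
    if (ndigits > 20) return SMS_ERR_ADDR;   /* spec maximum; also bounds originator[] */
    addr_bytes = ((size_t)ndigits + 1) / 2;
    if (len - pos < addr_bytes) return SMS_ERR_SHORT;
    for (i = 0; i < ndigits; i++) {
        uint8_t octet = pdu[pos + i / 2];
        uint8_t nib = (i % 2 == 0) ? (octet & 0x0F) : (octet >> 4);
        if (nib > 9) return SMS_ERR_ADDR;    /* only numeric addresses accepted */
        out->originator[i] = (char)('0' + nib);
    }
    out->originator[ndigits] = '\0';
    pos += addr_bytes;

    /* TP-PID, TP-DCS, TP-SCTS (7 octets), TP-UDL: 10 fixed bytes */
    if (len - pos < 10) return SMS_ERR_SHORT;
    out->pid = pdu[pos++];
    out->dcs = pdu[pos++];
    memcpy(out->scts, pdu + pos, 7);
    pos += 7;
    out->udl = pdu[pos++];

    /* Convert TP-UDL to bytes and refuse any message claiming more than arrived. */
    ud_bytes = sms_dcs_is_7bit(out->dcs) ? ((size_t)out->udl * 7 + 7) / 8 : out->udl;
    if (len - pos < ud_bytes) return SMS_ERR_UDL;
    if (out->udhi && (ud_bytes == 0 || (size_t)pdu[pos] + 1 > ud_bytes))
        return SMS_ERR_UDL;                  /* header length must fit inside user data */
    out->ud = pdu + pos;
    out->ud_len = ud_bytes;
    return SMS_OK;
}

/* Unpack GSM 7-bit septets to ASCII; never reads past in_len or writes past out_sz. */
size_t sms_unpack_7bit(const uint8_t *in, size_t in_len, size_t septets,
                       char *out, size_t out_sz)
{
    size_t i;
    if (out_sz == 0) return 0;
    for (i = 0; i < septets && i + 1 < out_sz; i++) {
        size_t bit = i * 7, byte = bit / 8;
        unsigned shift = (unsigned)(bit % 8), v;
        if (byte >= in_len) break;
        v = in[byte] >> shift;
        if (shift > 1) {                     /* septet straddles two octets */
            if (byte + 1 >= in_len) break;
            v |= (unsigned)in[byte + 1] << (8 - shift);
        }
        out[i] = (char)(v & 0x7F);
    }
    out[i] = '\0';
    return i;
}

int main(void)
{
    /* Constructed sample TPDU: from 27838890001, 7-bit text "hellohello". */
    static const uint8_t pdu[] = {
        0x04, 0x0B, 0xC8, 0x72, 0x38, 0x88, 0x09, 0x00, 0xF1, 0x00, 0x00,
        0x99, 0x30, 0x92, 0x51, 0x61, 0x95, 0x80, 0x0A,
        0xE8, 0x32, 0x9B, 0xFD, 0x46, 0x97, 0xD9, 0xEC, 0x37
    };
    sms_deliver_t m;
    char text[161];
    int rc = sms_parse_deliver(pdu, sizeof pdu, &m);
    if (rc == SMS_OK) {
        sms_unpack_7bit(m.ud, m.ud_len, m.udl, text, sizeof text);
        printf("from %s: %s\n", m.originator, text);
    } else {
        printf("rejected: %d\n", rc);
    }
    return 0;
}
```

The two checks that matter most are the `ndigits > 20` test before the address loop and the `len - pos < ud_bytes` test before the user data is exposed: a message that declares 255 septets but carries nine octets, or that is cut off one byte early, is rejected with `SMS_ERR_UDL` instead of being read past the end of the receive buffer. A harness that feeds this parser thousands of mutated PDUs on a development machine exercises the same code paths the Injector exercises on a phone, without touching a carrier network.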

Source: Computerworld.com
