Researchers attack my iPhone via SMS
Researchers Collin Mulliner and Charlie Miller shortly before they proved they could attack my iPhone with a text message, even after a beer or two.
(Credit: Elinor Mills/CNET News)

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages and demonstrated it on my iPhone at the Black Hat security conference on Wednesday.
Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.
Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.
My iPhone is not jailbroken and it is running iPhone OS 3.0.
The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators.
There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said. All current versions of the iPhone operating system are affected.
The attack is similar to an SMS attack demonstration CNET News wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a Web browser and directed the phone to a malicious Web site where malware could be downloaded.
In the more recent research, Android-based phones were found to be susceptible to a similar SMS attack, although there an attacker could only knock the phone off the cell network temporarily, not take control of it, according to Mulliner, who is getting his PhD at the Technical University of Berlin. Google patched the hole last week, within a day or two of being notified of the problem, he said.
Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via SMS messages, leaving the device with no usable buttons so the phone cannot be used, said Miller.
For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be visible to the victim, he said.
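The article reports a memory corruption bug in the iPhone's SMS handling, triggered by a flood of control messages rather than ordinary texts, but it does not describe the flaw itself. The parser below is an added example, not code from the article or from Miller and Mulliner's research, and it does not reproduce the iPhone bug. It shows where a handset's decoder for an SMS-DELIVER TPDU (the 3GPP TS 23.040 format carried over the air) meets attacker-controlled length fields (TP-OA length, TP-UDL, the user-data-header length UDHL, and each information-element length) and rejects the message when any of them claims more bytes than were actually received. The sample PDUs are constructed for the example; the concatenation handling assumes only the 8-bit and 16-bit reference IEs (0x00 and 0x08), and 7-bit payloads are returned packed rather than unpacked.

```python
"""Defensive SMS-DELIVER TPDU parser (3GPP TS 23.040) with user-data-header checks.

Added example; not code from the article or from the Miller/Mulliner research,
and the iPhone bug itself is not described on the page. Every length field an
attacker controls passes through an explicit bounds check before any copy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class MalformedPdu(ValueError):
    """A length field does not fit the bytes actually received."""


@dataclass
class SmsDeliver:
    sender: str
    udhi: bool
    dcs: int
    ies: List[Tuple[int, bytes]] = field(default_factory=list)
    concat: Optional[Tuple[int, int, int]] = None  # (reference, total parts, sequence)
    payload: bytes = b""                           # raw TP-UD after the header


def decode_address(raw: bytes, ndigits: int) -> str:
    """Reversed-nibble BCD digits; 0xF is the filler nibble of odd-length numbers."""
    out = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                out.append(str(nib) if nib < 10 else "?")
    return "".join(out[:ndigits])


def is_seven_bit(dcs: int) -> bool:
    """True when TP-DCS selects the GSM 7-bit alphabet, so TP-UDL counts septets."""
    group = dcs >> 4
    if group <= 0x3:                 # general data coding: bits 3..2 give the alphabet
        return (dcs & 0x0C) == 0x00
    if group == 0xE:                 # message-waiting group carrying UCS-2
        return False
    if group == 0xF:                 # data coding / message class: bit 2 set means 8-bit
        return (dcs & 0x04) == 0
    return True                      # other message-waiting and reserved groups (assumption)


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    pos = 0

    def take(n: int, what: str) -> bytes:
        """Consume n bytes or fail; every length field is honoured only through here."""
        nonlocal pos
        if pos + n > len(tpdu):
            raise MalformedPdu(f"{what}: needs {n} bytes at offset {pos}, only {len(tpdu) - pos} left")
        chunk = tpdu[pos:pos + n]
        pos += n
        return chunk

    first = take(1, "first octet")[0]
    if first & 0x03 != 0x00:
        raise MalformedPdu("TP-MTI is not SMS-DELIVER")
    udhi = bool(first & 0x40)
    oa_digits = take(1, "TP-OA length")[0]
    if oa_digits > 20:               # TS 23.040 caps the originating address at 20 digits
        raise MalformedPdu(f"TP-OA length {oa_digits} exceeds 20 digits")
    toa = take(1, "TP-OA type")[0]
    sender = decode_address(take((oa_digits + 1) // 2, "TP-OA digits"), oa_digits)
    if (toa >> 4) & 0x07 == 0x01:    # international numbering plan
        sender = "+" + sender
    take(1, "TP-PID")
    dcs = take(1, "TP-DCS")[0]
    take(7, "TP-SCTS")
    udl = take(1, "TP-UDL")[0]
    ud_octets = (udl * 7 + 7) // 8 if is_seven_bit(dcs) else udl
    ud = take(ud_octets, "TP-UD")    # the check a trusting decoder skips before copying
    if pos != len(tpdu):
        raise MalformedPdu(f"{len(tpdu) - pos} trailing bytes after TP-UD")

    msg = SmsDeliver(sender=sender, udhi=udhi, dcs=dcs, payload=ud)
    if not udhi:
        return msg
    if not ud:
        raise MalformedPdu("TP-UDHI set but TP-UD is empty")
    udhl = ud[0]
    if 1 + udhl > len(ud):
        raise MalformedPdu(f"UDHL {udhl} exceeds the {len(ud)} TP-UD octets")
    header, msg.payload = ud[1:1 + udhl], ud[1 + udhl:]
    i = 0
    while i < len(header):
        if i + 2 > len(header):
            raise MalformedPdu("truncated information element header")
        iei, iedl = header[i], header[i + 1]
        if i + 2 + iedl > len(header):
            raise MalformedPdu(f"IE 0x{iei:02X} length {iedl} overruns the header")
        ied = header[i + 2:i + 2 + iedl]
        msg.ies.append((iei, ied))
        if iei == 0x00 and iedl == 3:    # concatenated short message, 8-bit reference
            msg.concat = (ied[0], ied[1], ied[2])
        elif iei == 0x08 and iedl == 4:  # concatenated short message, 16-bit reference
            msg.concat = ((ied[0] << 8) | ied[1], ied[2], ied[3])
        elif iei in (0x00, 0x08):
            raise MalformedPdu(f"concatenation IE 0x{iei:02X} has bad length {iedl}")
        i += 2 + iedl
    if msg.concat is not None:
        _, total, seq = msg.concat
        if total == 0 or seq == 0 or seq > total:
            raise MalformedPdu(f"concatenation part {seq} of {total} is out of range")
    return msg


def reject_reason(tpdu: bytes) -> Optional[str]:
    """None when the TPDU parses cleanly, otherwise why it was rejected."""
    try:
        parse_sms_deliver(tpdu)
    except MalformedPdu as exc:
        return str(exc)
    return None


# Constructed samples: 8-bit data from +15551234567, part 1 of 2 (reference 0xA7), body "hello".
GOOD_PDU = bytes.fromhex("44 0B 91 51 55 21 43 65 F7 00 04 90 70 92 21 45 00 80 0B 05 00 03 A7 02 01 68 65 6C 6C 6F")
# Same message, UDHL claims 32 header octets inside an 11-octet TP-UD.
BAD_UDHL_PDU = bytes.fromhex("44 0B 91 51 55 21 43 65 F7 00 04 90 70 92 21 45 00 80 0B 20 00 03 A7 02 01 68 65 6C 6C 6F")
# Same message, IE length 9 overruns the 5-octet header.
BAD_IE_PDU = bytes.fromhex("44 0B 91 51 55 21 43 65 F7 00 04 90 70 92 21 45 00 80 0B 05 00 09 A7 02 01 68 65 6C 6C 6F")
# Same message, TP-UDL claims 64 octets when only 11 follow.
BAD_UDL_PDU = bytes.fromhex("44 0B 91 51 55 21 43 65 F7 00 04 90 70 92 21 45 00 80 40 05 00 03 A7 02 01 68 65 6C 6C 6F")
```

Run it on GOOD_PDU and the three malformed variants: the first decodes to sender +15551234567, concatenation (0xA7, 2, 1) and payload "hello", while each of the others is rejected by the length check that corresponds to the field it lies about. The point for a handset vendor is that every one of these fields arrives unauthenticated from whoever knows the phone number, and the decoder that trusts them is reachable without any user interaction.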
The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.
Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.
Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.
Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007 and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.
Asked what an iPhone user can do when attacked, Miller replied: "Rebooting wouldn't be a bad idea. It would stop all but the most sophisticated attacker. However, it doesn't take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again. That's why I think this is so serious."
Updated July 30 at 4:45 p.m. PDT to include that phone attacked was not jailbroken and was running iPhone OS 3.0, and at 8:18 a.m. with Miller talking about what a victim can do when attacked.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Last I heard they were still trying to execute arbitrary code; they haven't done it yet. It pays to know what's actually going on in the security community, instead of reading CNET News.
and glad to know that there's no mention of SYMBIAN OS
If you have any doubts, then go buy a phone running Windows Mobile 6.1 or Palm OS.
:-) Sorry, couldn't help it.
SMS was never intended for smart phones. It started on dumb phones. Then, to "make things easier" for people to configure their phones, SMS got control messages, which was STUPID.
My old Sony phone could easily be hijacked by someone this way.
But that doesn't fly with what all of the Apple fanboys say -- Apple products are inherently more secure because of their OS roots than Winbloze from Micro$haft. It just goes to show that the OS can't protect you from everything -- especially yourself.
Apple has so few viruses only because there are far more Windows users to exploit than Apple users. If Apple ever got the kind of market share Windows enjoys then they would have just as many viruses because that would make them a bigger target. Right now Apple just isn't worth it.
Blackberry > Windows Mobile > Android > iPhone
Only iPhone allowed the hacker to gain complete control. On Windows Mobile it only attacked a third-party app, and thus only HTC phones, and only managed to temporarily lock up the UI. Blackberry seemed bulletproof.
Again, they are only machines.
You're making excuses for Apple. It's a flaw in the design and they need to do something about it. Don't try to make excuses for them or explain it away. None of that will change the fact the problem exists and that it needs to be addressed.
Oh, wait, they didn't.
Patience.
Comments will come.
@Perry: no it's not, however everyone slams MS (and has done so for years) so time to slap Apple in the face, and deservedly so!
...with a geek-stick, and sitting in front of the computer...
"He didn't even try to do that in Windows 7 because..."
...Windows 7 wasn't even in beta yet, and he's a Mac coder.
TO QUOTE MYSELF FROM ANOTHER FORUM:
-----------------------------------
'...who managed at best to do it with local access to the machine, with a geek stick, and local sudo account privs.
'So much for "if an attacker cared to target them it would be easier for them", eh?
'Call me when someone manages to do it remotely.'
>>>>Either you're not reading responses to your posts, or you have dementia, or you're in denial. Let's go over this once again:
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
As I have spelled out for you before, Charlie Miller, Dino Dai Zovi, and Nils did NOT have local access to the target machine. Their assistants did, and they did not sudo, either; they simply visited the URL specified. These demonstrations were Safari exploits, also known as "DRIVE-BY DOWNLOADS."
Since 2007, OS X has been pwned four times at CanSecWest by three different people, each time on day 2 of the competition (pwning preinstalled browsers). I may be mistaken, but I'm only aware of one person pwning Vista through IE at CanSecWest, and that was Nils (who followed up by pwning the Mac through Safari, then Vista once more through Firefox). And just like all the others, he states that hacking OS X is easy, while Vista is much more difficult.
Once again, WHY would anyone give away thousands of dollars in annual competitions just to see what you can install locally? It doesn't take a buffer overflow and remote privilege escalation to install software with local access and sudo; you can install ANYTHING locally. Once again, you are a novice user, trying to debate topics you know nothing about.
BTW, Nils uses both Mac and Windows. And, just like ALL THE OTHERS, he says Windows is getting "pretty hard" to hack, while Mac OS is easy.
'Charlie Miller is Principal Analyst at Independent Security Evaluators. He was the first person to publicly create a remote exploit against Apple's iPhone and the G1 Google phone running Android. He has discovered flaws in numerous applications on various operating systems. He was the winner of the 2008 PwnToOwn contest for breaking into a fully patched MacBook Air. He has spoken at numerous information-security conferences and is author of Fuzzing for Software Security Testing and Quality Assurance (Artech House, 2008). He was listed as one of the top 10 hackers of 2008 by Popular Mechanics magazine, and has a PhD from the University of Notre Dame.'
Now, what was that about Miller being a "Mac coder?" Only a brainwashed slave would be so subjective as to make up excuses as to why a person was able to hack OS X and not Windows. On the contrary, Miller said that he chose OS X because he wanted to spend as little time as possible coming up with an exploit, and that you can find and exploit about 5-10 OS X bugs in the amount of time it takes to find one Vista bug. He also said that Nils' hacks were worth about $50,000 each, ten times what he got for them. Sorry to bust your bubble, but science trumps religion this time.
You could be right; they did say that Firefox on Mac OS was itself a pretty easy target, while Firefox on Windows is one of the hardest (next to Chrome) to take down. But Nils took down IE too. Do you have a link to verify this? I wouldn't mind if you're right, but I just want to be sure. Thanks.
"The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators. There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said."
second: the answer to potential crimes isn't to take a technological step back. You don't go back to a cash-only basis because someone can steal your credit card and spend "exorbitant" amounts of money on expensive things like an iPhone. You patiently work for a solution. It sucks that there is h-commerce. But the fact that it exists shouldn't make us step back in time. The iPhone is a great tool for communication, entertainment and productivity. A cheap Kyocera doesn't quite fit in the same category. That's like asking us all to go from our current computers back to typewriters because the Internet poses a terrible threat to our security.
third: do you know the definition of the word smart? or even oxymoron for that matter?
fourth: It bugs me that Apple is so secretive; it pisses me off that they ignore blatant problems sometimes (like App Store approvals). But did you ever consider that an exploit in an operating system as complicated as the iPhone's might be a little difficult to repair, that they are working on it, and that they will release it soon?
fourth: in all seriousness - how many people do you think will be attacked by this, 100, 1,000 - even if 10,000 or 1,000,000 people got attacked, the information on the iPhone isn't exactly "it's the end of my life, I couldn't use my phone for a day and they stole the number to my top-secret masseuse and therapist."
I'm not a fanboy, I'm a realist. The iPhone is expensive. It's a sophisticated piece of technology that I think the world needed, embraced and is loving - which is why all the other manufacturers are trying so hard to mimic it.
Yeah...You're not taken seriously with your post. Try changing your name, it might help a bit.
I could name several companies that have deployed these en masse, switching from other mobile solutions such as BES, and they now have a user-base using exploitable devices containing a lot of important information thanks to Apple's retardedly slow response to this issue when they were notified some time ago.
The iPhone WAS innovative ... great, however the device has become more of a joke - i.e. farting apps, rifles that you **** by shaking it, rating sexual performance etc - as well as strongly moving towards becoming a gaming device. It is a consumer device, and not something that should be used in a corporate environment IMHO unless Apple gets off its proverbial posterior to address exploits and it can be locked down for proper business use.
If I ever buy a jailbroken iPhone, I'll take that under advisement. ;)
Quoting Elinor Mills:
'Article has been updated to say that all current versions of the OS are vulnerable and that the attacked iPhone was not jail broken and was running v 3.0.'
I'd suggest you take heed whether the iPhone is jail broken or not.
I have not found that info anywhere.
'Course, the phone doesn't work *either*, but at least it's safe. :)
Apple is implementing ASLR into OS X Snow Leopard, to offer some defense against drive-by downloads when the Mac joins Windows in the target range. I imagine they'll do the same with the iPhone. Let's just hope they don't drag their feet patching bugs in response to ItW threats like they do with PoCs. Cheers!
As for the iPhone, if the zealots are right, then with a tiny 1.8% market share why should hackers even bother? Because they're hackers, that's why, just like the guys you're reading about in the article. No doubt many of the contributors to this thread would love to see a virus spread through the OS X "Mactard" community. Are there no skilled hackers who feel this way? I doubt it.
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
Firstly, you're thinking from the perspective of a script kiddie looking for notoriety. That's not what Russian and Chinese criminal syndicates are interested in; they're interested in money. They use malware to herd together millions of machines into botnets, then rent out partitions of these botnets to spammers, pump-and-dump stock fraudsters, click fraudsters, etc. Cybercrime is the #1 most lucrative industry in the underworld today, having surpassed drug trafficking back in 2004.
Secondly, security researchers are the people who make a living scanning code for bugs and reporting vulnerabilities; they are the authorities on how very vulnerable or not so vulnerable a platform is. Of course they are human like everybody else, but when they've reached a consensus, especially when the tables have turned, it's a resounding trumpet in the IT industry. Mac OS really is the most vulnerable platform on the market.
Thirdly, status quo does not equate to genuine, inherent security. To depend on status quo is to be a sitting duck, placing your life in the hands of the hunter and hoping he'll pass you over for a larger animal. Criminals have already started to attack the Mac (iBotnet, anyone?). And just like with Windows XP and IE6 when they were first released, criminals must crawl before they can walk. They're starting with socially engineered Trojan horses, and will work their way up to remote exploits as they learn more about the platform.
Macs make up almost 10% of Internet-connected machines now, and criminal hackers have been failing at remotely infiltrating Vista for three years. And with new technologies such as Safe Unlinking to introduce still stronger security with Windows 7, criminals are forced to explore new territories before they have nowhere left to go. Three of the most widely used antivirus products (Norton, McAfee, AVG) now include protection against browser exploits; XP machines are not as easy to attack as they used to be. It's not IF the Mac gets attacked; it's under attack right now.
Fourthly, both my sisters use MacBooks. And no, I do NOT want to see them unwittingly get their systems pwned, their bank accounts cleaned out, and their MacBooks confiscated for spam activity (cops have a tendency to forget to return things). You're jumping to the defensive, like a typical religious zealot. But Windows is not a deity to me. This is NOT a debate about whose god is mightier, this is an alert.
Security Now explained it all. OSX is as secure as Swiss Cheese.
THAT is scary.
I have an iPhone and I cannot say right this moment if my information is safe or not.
When you hear about a vulnerability in an Apple software release, keep in mind that any particular version of an Apple operating system, say iPhone OS v3.0.0, only has a shelf life of a couple of months. All of the Apple platforms have automatic system updates built-in, which makes them all moving targets, very hard to exploit professionally because by the time you find a vulnerability, create an exploit and ready it for distribution so it can be used in real world attacks, the platform upgrades en masse from say iPhone OS v3.0.0 to v3.0.1 and your exploit is worthless. I can remember at least one iPhone release and at least one Mac release that only lasted a week before they were replaced, in response to a particular vulnerability being found.
Contrast that to any Microsoft system. The reason there are so many XP exploits is not just because it lacks basic 1980's network security but also because a particular version of XP such as SP2 will run for years and years. Hackers can take their time creating and marketing exploits, and the exploits have very long shelf lives. Similarly, whatever Windows Mobile version you have, it's likely your phone will be born, live, and die with that same version.
Everybody gets the kinds of problems like this SMS exploit, but people will be suffering from this on other platforms for years while on iPhone it will be a distant memory very soon. iPhone OS updates download through iTunes like a movie or song, you just don't run one all that long before you get a new one.
Further, the researcher in this article, Charlie Miller, has cracked both Mac and Windows and he enthusiastically recommends the Mac.
Apple fanboy much? Oh, and the little comment about how Microsoft software never changes... you must have never used XP or MS software before then because patches for security holes get released during MS's patch Tuesday schedule. Now, back to the iPhone... 6 WEEKS is kind of long for such a serious security hole although all this does is cause headaches. I also find dontbejealousofmyiphone's comment just as amusing. When will the fanboys learn their lesson?
Cheers, Brian.
But I can dispute you on what you did say about Windows Mobile.. "Similarly, whatever Windows Mobile version you have, it's likely your phone will be born, live, and die with that same version"
You could be very correct and probably are, IF this were a statement about cellphones in general.
But, I bought NEW a Windows Mobile based smartphone, a Motorola Q9h Global, almost 2 yrs ago. It was not BORN with WINDOWS MOBILE 6.1; that came a few months AFTER I bought it, and I downloaded and installed it. And just as of this week, when I went to the AT&T Corporate Store to see when my contract is up (so I can upgrade to an iPhone), they told me that VERY SOON Windows Mobile will be coming out with WINDOWS MOBILE 6.5. So my phone has not been BORN with nor LIVED with nor will DIE with the SAME OPERATING SYSTEM.
Also, since all apps run as root, it isn't as easy to lock down the phone to avoid this sort of issue without crippling other functions. That's going to be tricky for Apple to fix in a very short time.
Chris
http://worstiphoneapps.blogspot.com
Read:
http://news.cnet.com/8301-27080_3-10300536-245.html?part=rss&subj=news&tag=2547-1_3-0-20
by workshopmusic July 30, 2009 10:33 PM PDT
Jeez, so much bile and vindictiveness over a freakin' phone.

by sciontcya July 31, 2009 11:30 AM PDT
Yeah, and so much for millions of iPhones being hacked yesterday.

All I got was an SMS from my daughter and Domino's pizza :)