Security

This is a screenshot of the SMS the hacked iPhone users received.

(Credit: Tweakers.net)

A hacker in the Netherlands broke into some jailbroken iPhones and sent text messages to the owners asking them to pay to find out how to secure their phones, according to postings in a Dutch forum called Tweakers.net.

One of the victims posted a screenshot from his iPhone of the SMS received. It said: "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."

The URL provided now displays a message indicating that it was reported for spam or phishing abuse and has been deactivated.

Ars Technica reports that before the page was removed, it asked that victims send 5 euros ($7.36) to a PayPal account and then await an e-mail with instructions on how to secure the phone. The fix probably would involve restoring the factory settings, according to the Ars Technica post.

"If you don't pay, it's fine by me," the hacker's page said. "But remember, the way I got access to your iPhone can be used by thousands of others--they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."

iPhone and iPhone 3G users hit a roadblock last week trying to login to Exchange 2007 servers after upgrading to iPhone OS 3.1.

(Credit: Apple)

Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not. In fact, everything is working exactly how it's supposed to be, according to Apple.

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

What this means is that iPhone OS 3.1 now properly identifies itself to Exchange 2007 as having hardware encryption, and that's what is causing the problems for iPhone and iPhone 3G users.

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still login, even though the device does not have hardware encryption.

With iPhone OS 3.1, all iPhones identify themselves properly to the server, essentially fixing a glitch in the previous operating system. However, now iPhone and iPhone 3G users that upgraded to iPhone OS 3.1 cannot login to Exchange 2007 servers that require hardware encryption.

If you use the new iPhone 3GS, you won't notice any change. Apple's newest phone is equipped with hardware encryption, so it will meet the requirements of the Exchange server when identifying itself.

If you already upgraded to iPhone OS 3.1 on an iPhone or iPhone 3G and connect to an Exchange 2007 server, you can ask that the IT admin turn off the hardware encryption requirement for those devices.

Company IT administrators who require hardware encryption to access Exchange 2007 will need to decide whether they want older iPhones to access their servers. If so, they will need to configure Exchange to not require encryption from the iPhone and iPhone 3G.

Of course, if you haven't upgraded your iPhone, it will continue to access Exchange 2007 as it always did.

Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.

"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.

Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.

Miller said that Apple was first notified of the flaw six weeks ago.

According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.

The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.

LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.

This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.

The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior consultant at ISEC Partners, and independent researcher Luis Miras.

Luis Miras and Zane Lackey prepare for their presentation on SMS spoofing at Black Hat.

(Credit: Elinor Mills/CNET)

They used a jailbroken iPhone for their demos of their proof-of-concept code that allows for bypassing carrier protections for SMS communications by sending specially crafted MMS messages.

SMS communications are used by carriers to do administration on the phone and contact customers. For example, voice mail notifications are often delivered over SMS, according to Lackey.

As a result, such admin messages are trusted by recipients, despite the fact that they typically do not reveal the source of the message and other details, they said. Spoofed messages could appear to come from any trusted company like a bank or PayPal.

"This is a carrier issue," Miras said. "We disclosed to them and they're working on a fix."

The researchers also have shared information with the GSM Alliance, which is providing details of the exploit to carriers, they said.

In one demo, they sent a victim a message that offered a $20 credit and included a link to a supposedly malicious site. In other demos the researchers sent a fake voice mail alert and sent an SMS that prompted the recipient to accept or decline unknown new phone settings.

If the recipient accepted the changes believing they were something routine from the carrier, an attacker could be using the permission granted to do something behind the scenes like route all the phone's Internet traffic through an attacker's server instead of a carrier server, which would allow the attacker to spy on all the communications.

The SMS exploits the researchers showed allow an attacker to "bypass the carrier spoofing protections" including anti-malware filtering, Lackey said. The attacks also could be used to find out what operating system a phone is running so that someone could launch an attack targeted for that software, he said.

Lackey and Miras released a tool called TAFT (There's an Attack For That) that automates the implementation flaws that have been fixed. It does not allow for the spoofing issues, which carriers still need to address, they said.

SMS attacks are getting easier because iPhones and Android devices are easily modified and because SMS functionality has been built at higher layers that provide full access to an attacker, said Lackey.

The researchers also said they uncovered an SMS implementation flaw that they exploited to temporarily crash the phone process of an Android phone so no calls or texts could be sent or received. Google fixed that flaw, they said.

They also discovered a flaw in a third-party iPhone app from SwirlySpace that interfered with the phone and texting capabilities and that too has been fixed, Miras said.

There isn't much someone can do to protect against these attacks except be wary of SMS messages in general, he said.

Researchers Collin Mulliner and Charlie Miller shortly before they proved they could attack my iPhone with a text message, even after a beer or two.

(Credit: Elinor Mills/CNET News)

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages and demonstrated it on my iPhone at the Black Hat security conference on Wednesday.

Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.

Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.

My iPhone is not jailbroken and it is running iPhone OS 3.0.

The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators.

There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said. All current versions of the iPhone operating system are affected.

The attack is similar to an SMS attack demonstration CNET News wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a Web browser and directed the phone to a malicious Web site where malware could be downloaded.

In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack, only an attacker could temporarily knock the phone off the cell network but not take control, according to Mulliner, who's getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.

Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to make it so there are no buttons to push so the phone can't be used, said Miller.

For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be seen, he said.

The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.

Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.

Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007 and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.

Asked what an iPhone user can do when attacked, Miller replied: "Rebooting wouldn't be a bad idea. It would stop all but the most sophisticated attacker. However, it doesn't take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again. That's why I think this is so serious."

Updated July 30 at 4:45 p.m. PDT to include that phone attacked was not jailbroken and was running iPhone OS 3.0, and at 8:18 a.m. with Miller talking about what a victim can do when attacked.

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to a 3GS iPhone and some free software data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.

Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday.

A security researcher said on Thursday that he hopes that Apple has a fix later this month for what he believes could be a vulnerability in the iPhone that could allow an attacker to gain control of the device remotely via SMS, according to IDG News Service.

An attacker could exploit a possible weakness in the way iPhones handle SMS (short message service) messages to do things like use GPS to track the phone's location, turn on the microphone for eavesdropping, or take control of the device and add it to a botnet, Charlie Miller, co-author of The Mac Hacker's Handbook and principal security analyst at Independent Security Evaluators, said in a presentation at the SyScan conference in Singapore.

Miller said he plans to give a more detailed presentation on the hole at the Black Hat conference in Las Vegas at the end of the month.

Despite the SMS hole, which "could be a critical vulnerability," the iPhone is more secure than OS X on computers, Miller said. That is because the iPhone doesn't support Adobe Flash and Java, only runs software digitally signed by Apple, includes hardware protection for data stored in memory, and runs applications in a sandbox, he said.

Apple representatives did not immediately respond to an e-mail request for comment.

Correction at 8:45 p.m. PDT July 29:This post was updated to correct that the researcher said he hopes Apple will fix the flaw, not that it will.

Apple has issued an advisory regarding security enhancements included in the iPhone OS 3.0 release Wednesday.

(Credit: Apple)

Here is a synopsis of the 46 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As may be expected, many of these security patches focus on the Web-browsing framework WebKit.

CoreGraphics Changes to CoreGraphics prevent maliciously crafted image and PDF files from causing unexpected application termination or arbitrary code execution; vulnerabilities causing the same problems in FreeType v2.3.8 were also patched.

Exchange Changes were made to prevent a user from connecting to a malicious Exchange server that could lead to the disclosure of sensitive information by adding improvements to the handling of untrusted certificate exceptions.

ImageIO Changes to ImageIO prevent the use of maliciously crafted PNG images from causing unexpected application termination or arbitrary code execution.

International Components for Unicode Changes to Unicode prevent the use of maliciously crafted content that may bypass Web site filters and result in cross-site scripting.

IPSec Changes to IPSec patch multiple vulnerabilities in the racoon daemon that may lead to a denial-of-service attack.

Libxml Changes to XML library Libxml patch multiple vulnerabilities in Libxml2 version 2.6.16.

Mail Changes were made to the Mail app to give users control over the loading of remote images in HTML messages (see below). Additionally, the app was changed to prevent an application from causing an alert to appear that may be used to initiate a phone call without user interaction.

MPEG-4 Video Codec Changes to the MPEG-4 Video Codec will prevent the viewing of maliciously crafted MPEG-4 video files that may lead to an unexpected device reset.

Profiles Changes to Profiles will prohibit the installation of a configuration profile that may weaken the passcode policy defined by Exchange ActiveSync.

Safari Changes to Safari support the clearing of Safari's history via the Settings application, allowing prevention of disclosure of the search history to a person with physical access to the device. Now search history is actually removed. Additionally, if a user were to interact with a maliciously crafted Web site, a patch has been put in place to prevent unexpected action on another site such as "clickjacking."

Telephony Changes to Telephony address a problem in which a remote attacker may cause an unexpected device reset.

WebKit Changes to Web-browsing framework WebKit were very numerous in this release, given how popular the iPhone has become for Web use. They included many fixes to prevent arbitrary code or script execution, when visiting maliciously crafted Web sites. Some of these vulnerabilities could lead to app crashes and unexpected device resets, or the disclosure of sensitive information.

Previous coverage: Security updates in iPhone OS 2.2.

Earlier today, Apple updated iTunes to get it ready for the anticipated iPhone firmware upgrade to version 3.0. The company also updated its QuickTime video player.

iTunes 8.2, for Windows and Mac, makes the program ready for the iPhone and iPod Touch operating system upgrade by pushing out changes made to recent prerelease versions of iTunes that had been available to only iPhone developers. It also includes one security fix.

Quicktime 7.6.2, for Windows and Mac, contains several security fixes, including patches for holes that could have been exploited to run arbitrary code by maliciously created PSD, JP2, and some movie files.