iPhone Vulnerability Yields Root Access Via SMS
snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."
We do not know the details of this yet, but if this is really an "SMS to root" exploit, it can be used for SMS-based viruses that can spread very fast.
thomasdamgaard.dk.
Wondering if this can be combined with iPhone's ability to heat red hot while in your pocket
So this is bad news for the iPhone but it seems like any carrier of the iPhone should want to implement a simple filter to remove any malicious SMSs from the system.
"...Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations,..."
Cool now my wife can have that iphone she always wanted.
Now where did I leave my Dynatac???
Wow, buffer overflows in 2009.
I guess ARM needs to implement No Execute Bit in their CPUs. You can't protect against dumb programmers.
If it wasn't a buffer overflow, then how in the name of all that is chocolate did some binary data get to be executable?!
Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 13 minutes since you last successfully posted a comment
LOL.
If any of you iPhone users wants to know how to prevent this attack, please reply with your cellphone number and I will TXT you the details.
You're welcome!
DERRRRRRRRRRRRRRRRHHHH!!!!! Steve Jobs derrhrhhhhhhhhhhhhhh.
Nice little DDoS attack device, with one hell of a use fee at the end of the month ...
---- Booth was a patriot ----
"as SMS can send binary code that the iPhone processes without user interaction"
Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?
it was as if 1000 apple fanbois cried out and then were silent...
If you mod me down, I will become more powerful than you can imagine....
Could the iPhone be jailbroken via SMS?
Easy to stop on AT&T: just have them block txt.
The real bad part about this is that if you don't have a txt plan, someone can spam you and you pay $0.20 per incoming txt. However, this may be a good thing, as if this goes big time then they may be forced to make incoming free.
Seems more like a back door than anything, and now that it has been discovered Apple will try to fix (hide better) the problem. Seems to me like most of the vulnerabilities would benefit law enforcement the most, weird huh? It's not like this never happened with Microsoft, encryption keys, and the FBI.
Surely, the awesomeness of the iPhone protects its users? No? Hmm... wait, but you know, it is *shiny*, and does get very hot, so hot you can't hold it. Yeah, this phone is the biz.
SMS crashes phone? Epic Fail Apple. What sort of crappy programmer doesn't know how to handle and parse text safely?
That's just great. I can't use all the features of the iPhone because it is crippled by the providers, but any dumbass can get root by SMS?
If I had "bought" one (I consider the current way of getting it as rent-to-own), I would be pissed.
You're not old until regret takes the place of your dreams.
SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS interface, which leaves 20 characters for commands etc. in addition to the message.
Laptops/Gameboys are for mobile gaming
What do you recommend for mobile gaming that meets my cousin's criteria?
Laptops fail 1, Game Boy fails 2, and GP2X fails 3. The only video gaming platform we could find that meets all these criteria is a Texas Instruments graphing calculator, so he bought a TI-84 Plus Silver.
How does this compare to the story from two weeks ago?
from the second link: "We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices."
"Macs don't get viruses."
Turns out to be a lie. :)
I'm a pc.
Maybe we can work this into a way to cripple the iPhone enough so that Apple loses its place as the smartphone market's dominant hot chick. Then Microsoft or Palm can take the spotlight with a pricier, less advanced, more restrictive replacement with an even more expensive data plan........
More seriously, it will be interesting to see how Apple handles the hacker "attention". Normally it's M$ who has to release patch after patch in the interest of security.
How the hell can a format that's supposed to be passive plain text yield root access? Just receive and store the damn text, don't try to interpret it! If other apps want to peek into received messages and perform actions on that, fine, but this is just Outlook all over again!
"Good news, everyone!"
Please don't promote skype in this space. It is too proprietary, and consumes too much battery power running as a 3rd party app.
Why not buy a true SIP phone? Then you can set it up like an extension at your office/PBX, or configure it directly to a service like www.voipcheap.com. Personally, I won't buy a phone unless it is supported on a list like this one:
http://www.forum.nokia.com/Technology_Topics/Mobile_Technologies/VoIP/Nokia_VoIP_Framework/VoIP_support_in_Nokia_devices.xhtml
In the US, T-mobile sells uncapped (AFAIK) mobile internet for $40 a month. Another 'perk' under such a plan is A-GPS (combined cell-tower plus true GPS for speed).
This makes your mobile device much closer to being a standardized 'client' to web services. In fact I even turn my N95 into a 3g router, using www.joikuspot.com (so I don't have to swap the SIM with my USB modem).
You can't be ahead of the curve, if you're stuck in a loop.
The iPwn. Be the first on your network to get iPwned.
Pwn Different!
Just Pwn.
http://www.screenprintingasap.com/EBAY/ipwn/ipwn_a.jpg
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
And the case of binary data, you're dead wrong.
GSM SMS payload is 140 8-bit characters, or bytes, depending on how you look at it.
The default SMS text encoding format uses 7 bits, and employs a bit-shifting algorithm to pack 160 7-bit characters into 140 bytes. Binary formats can't use this compression, as, well, they need all eight bits.
Do daemons dream of electric sleep()?
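To make the 140-vs-160 argument concrete (and the summary's point that a binary payload has to be split across several automatically reassembled messages), here is an added example that is not from the article or from any commenter: GSM 03.38 7-bit septet packing, plus the per-segment capacity left once a 6-byte concatenation header is present. The function names and the "hellohello" sample are my own.

```python
# Added example (not from the article or any commenter): GSM 03.38 7-bit packing,
# which is why a 140-byte SMS carries 160 text characters but only 140 bytes of
# binary. Also computes per-segment capacity once a concatenation UDH is present.

SMS_PAYLOAD_BYTES = 140   # TP-User-Data capacity of one GSM SMS
CONCAT_UDH_BYTES = 6      # UDHL byte + 5-byte concatenation IE (8-bit reference)


def pack_septets(septets):
    """Pack 7-bit values into octets, LSB first, as the GSM default alphabet does."""
    bits = 0
    for i, s in enumerate(septets):
        if not 0 <= s < 128:
            raise ValueError("septet out of range: %r" % s)
        bits |= s << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little")


def unpack_septets(data, count):
    """Inverse of pack_septets; count is needed because the trailing padding is ambiguous."""
    bits = int.from_bytes(data, "little")
    return [(bits >> (7 * i)) & 0x7F for i in range(count)]


def segment_capacity(seven_bit, udh_bytes=0):
    """Characters (7-bit) or bytes (8-bit) that fit in one SMS after an optional UDH."""
    payload = SMS_PAYLOAD_BYTES - udh_bytes
    # For 7-bit text the UDH is followed by fill bits so septets stay aligned.
    return (payload * 8) // 7 if seven_bit else payload


def demo():
    # Constructed sample: lowercase ASCII maps 1:1 onto the GSM default alphabet.
    septets = [ord(c) for c in "hellohello"]
    packed = pack_septets(septets)
    assert unpack_septets(packed, len(septets)) == septets
    return packed.hex().upper()


if __name__ == "__main__":
    print(demo())                                  # E8329BFD4697D9EC37
    print(len(pack_septets([0x41] * 160)))         # 140: exactly one full SMS
    print(len(pack_septets([0x41] * 161)))         # 141: one character too many
    print(segment_capacity(True), segment_capacity(False))  # 160 140
    print(segment_capacity(True, CONCAT_UDH_BYTES),
          segment_capacity(False, CONCAT_UDH_BYTES))        # 153 134
```

So a 140-byte binary blob in concatenated form is really 134 bytes per segment, which is why a multi-part sequence is needed for anything non-trivial.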
Can be purchased with cash in the United States [...] GP2X fails
Keep your eye on http://www.openpandora.org/
I am aware of the Pandora PDA, expected to be out by the fourth quarter of 2009, but I am not aware of a U.S. retail chain that has committed to stock it. As I understand it, it will be available exclusively through mail order, an option that isn't open to children who are paying with accumulated cash.
Now the manufacturers can patch the vulnerability by sending out a text message to everyone. Gain root access, and do whatever they need to get it fixed. Hopefully the bad guys don't get there first, or there could be a bunch of lawsuits waiting at Apple's front door.
This is a serious sentence?
The way it probably works (I am not 100% sure) is with the persistent Internet connection the phone maintains for push notifications support.
Phones are for phoning people
PDAs/Netbooks/Laptops are for doing business on the move
[For gaming,] Any Windows Mobile PDA will do actually.
Good luck finding a new Windows Mobile Classic (formerly Pocket PC) device in 2009. All the stores are pushing devices that run Windows Mobile Standard (smartphone) or Windows Mobile Professional (smartphone with touch screen), and the whole premise of this thread is to find a device without a phone and without the 2-year service commitment that comes with most phones.
I recently canceled texting completely on my iPhone 3GS. Texting fees are outrageous and I'm not putting up with them anymore. If you want to text me, send it to my email address. Your phone probably supports texting to an email address and you don't even realize it. You can also reply to free texts I send you and I get notified instantly.
Sure, I can't receive texts sent to my phone number, but that's a sacrifice I'm willing to make if I'm going to help my country kick this ridiculous habit of overpaying for tiny emails.
Sounds more like an FBI Backdoor than an exploit.
Oh, but don't worry, the federal government has your interest at heart.
Not that difficult. Shall I name a few device names?
- Pharos 535v
- HP iPaq 111
- HP iPaq 211 (would go for that one, 4" VGA screen rocks)
Motorola/Symbol still make lots of them, but they are way too expensive, and not as robust as they look.
The used market should be huge.
And by the way, is it really the case that you cannot buy a Windows Mobile phone without a contract? In Germany it wouldn't be a problem at all.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
They want some way to control the devices on their network or update them remotely if so needed.
Wait, are you talking about cell providers or botnet operators?
I suddenly feel this appetite for brains... *turns off phone* hmm...
</cynicism>
You really think that Grindr is as essential to a phone as a wheel is to a car?
Dude, Grindr is an application that helps you find sex. A wheel on a car helps you to drive to a location where you can find sex. If you remove either one, the result is the same -- it's more difficult to find sex. What's so difficult to understand here?
Children can't shop online, and I haven't seen the iPAQ products at the local Best Buy or Office Depot store. So how would a kid who is holding $400 in $20 Federal Reserve notes buy such a PDA?
Is buying a $400 Visa/Mastercard gift card, then using that to shop online, an option?
Telling Apple about this first will not go well. Here's almost a 100% chance of what will happen:
1) Apple will sit on their hands and do nothing, or work to fix this bug at a GLACIAL pace. They will not get it done before BlackHat.
2) They will then legally threaten the discoverer into not presenting.
3) They will then call up LEGIONS of Apple fanbois to lie and claim "Well, he didn't present because he didn't have an exploit! This bug doesn't exist!"
4) When they get around to it they will release a patch, saying it adds features rather than fixing security holes.
This is the EXACT tack Apple used for at least the wifi buffer overflows found a few years ago (which were in fact found to work on nearly every card on the market). Apple fanbois STILL falsely claim the flaw was non-exploitable on Apples, even though it was exploitable on everything else that had a similar flaw.
Apple has shown themselves to be a bad actor regarding security flaws. If I find one, you all will be the FIRST to know, and Apple can find out whenever their employees get around to reading about it on the blogosphere.
Sounds to me like Apple needs to stop pretending they're too smart for modern programming languages.
I don't know why anybody hasn't linked the two together, but SMS control codes are how the police get your phone to send your GPS coordinates when making a 911 call. Control codes are also there for turning the mic on and broadcasting the audio -- and who knows what else? (look up "roaming bug" for more info.)
Back when I owed credit cards, I became concerned I was about to go over my minutes in my plan. So I powered down my cell, but the carrier continued to bill me for incoming calls from creditors using overtime minutes and sent me a bill for hundreds of dollars. Beware.