Slashdot Mirror


iPhone Vulnerability Yields Root Access Via SMS

snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."

10 of 186 comments

  1. At least SOMEBODY has full access to my iPhone! by just+fiddling+around · · Score: 5, Informative

    That's just great. I can't use all the features of the iPhone because it is crippled by the providers, but any dumbass can get root by SMS?

    If I had "bought" one (I consider the current way of getting it as rent-to-own), I would be pissed.

    --
    You're not old until regret takes the place of your dreams.
  2. SMS limit isn't 140 characters by praseodym · · Score: 5, Informative

    SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.

  3. Seems to affect other smart phones as well ... by FelxH · · Score: 5, Informative

    from the second link: "We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices."

  4. Re:Can't Carriers Stop this? by Anonymous Coward · · Score: 1, Informative

    if any of you had RTFA:

    allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier).

    the key is "this method does not use the carrier"

    you're welcome

  5. Re:Ouch! by Nerdfest · · Score: 2, Informative

    That would be Steve Jobs ... but he's a sick man.

  6. Re:Well there's your problem! by topham · · Score: 2, Informative

    Actually, they do MMS just fine.

    But I wouldn't expect you to know that.

  7. Re:Depends how you define characters by praseodym · · Score: 2, Informative

    You're correct. And to complete it:

    "Larger content (Concatenated SMS, multipart or segmented SMS or "long sms") can be sent using multiple messages, in which case each message will start with a user data header (UDH) containing segmentation information. Since UDH is inside the payload, the number of characters per segment is lower: 153 for 7-bit encoding, 134 for 8-bit encoding and 67 for 16-bit encoding." -- from Wikipedia

    So, in this case it's 134 bytes and not 140 since the payload probably doesn't fit in a single 140 bytes.
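
Added example (not part of the original thread and not code from Miller's research): the segment sizes quoted above follow from the 6-octet concatenation header sitting inside the 140-octet payload, and a receiver that reassembles such messages has to bounds-check every length field before trusting it. The function names and the sample segments are constructed for illustration; the header layout assumed is the 8-bit-reference concatenation element (IEI 0x00, length 3: reference, total, sequence).

```python
# Added example: strict parsing and reassembly of concatenated SMS user data.
MAX_UD = 140      # octets of user data in a single SMS
CONCAT_UDH = 6    # UDHL + IEI 0x00 + IEDL + (reference, total, sequence)

def chars_per_segment(bits):
    """Characters left per segment once the UDH is counted inside the payload."""
    return (MAX_UD - CONCAT_UDH) * 8 // bits

def parse_segment(ud):
    """Return (ref, total, seq, payload); raise ValueError on any malformed field."""
    if not CONCAT_UDH <= len(ud) <= MAX_UD:
        raise ValueError("bad user-data length")
    end = 1 + ud[0]                      # ud[0] is UDHL, the header length
    if end > len(ud):
        raise ValueError("UDHL exceeds user data")
    pos, concat = 1, None
    while pos < end:                     # walk the information elements
        if pos + 2 > end:
            raise ValueError("truncated information element")
        iei, iedl = ud[pos], ud[pos + 1]
        if pos + 2 + iedl > end:
            raise ValueError("information element overruns header")
        if iei == 0x00:
            if iedl != 3:
                raise ValueError("bad concatenation element length")
            concat = tuple(ud[pos + 2:pos + 5])
        pos += 2 + iedl
    if concat is None:
        raise ValueError("no concatenation element")
    ref, total, seq = concat
    if total == 0 or not 1 <= seq <= total:
        raise ValueError("sequence number out of range")
    return ref, total, seq, ud[end:]

def reassemble(segments):
    """Join segments in sequence order; reject mixed, duplicate or missing parts."""
    parts, expected = {}, None
    for ud in segments:
        ref, total, seq, payload = parse_segment(ud)
        if expected is None:
            expected = (ref, total)
        if (ref, total) != expected or seq in parts:
            raise ValueError("inconsistent or duplicate segment")
        parts[seq] = payload
    if expected is None or len(parts) != expected[1]:
        raise ValueError("missing segments")
    return b"".join(parts[i] for i in range(1, expected[1] + 1))

# Constructed sample: two segments of message reference 0x2A, delivered out of order.
SAMPLE = [bytes([5, 0, 3, 0x2A, 2, 2]) + b"world",
          bytes([5, 0, 3, 0x2A, 2, 1]) + b"hello "]
```
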

  8. Not likely by Anonymous Coward · · Score: 1, Informative

    The way it probably works (I am not 100% sure) is with the persistent Internet connection the phone maintains for push notifications support.

  9. Re:i sense a disturbance in the force by Anonymous Coward · · Score: 1, Informative

    Not only apple fanboys

    Yes, only apple fanboys.

    From: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Miller

    We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices.

    You'll note the specific absence of the phrases vulnerability or code execution in that description. And if you'd bothered to keep it in context, you would have included the next sentence, which mentions that the reason it's important is that this is the ability to inject SMS without using the carrier.

    So yeah, it is only apple fanboys.

  10. Re:Wonder how this goes together .. by Anonymous Coward · · Score: 1, Informative

    http://www.theregister.co.uk/2009/07/02/critical_iphone_sms_bug/

    This is an article that isn't full of the ridiculous hype bullshit that infoworld.com is printing.