Slashdot Mirror


iPhone Vulnerability Yields Root Access Via SMS

snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."


  1. Wonder how this goes together .. by Anonymous Coward · · Score: 3, Insightful

    Wondering if this can be combined with iPhone's ability to heat red hot while in your pocket

  2. Can't Carriers Stop this? by forand · · Score: 3, Insightful

    So this is bad news for the iPhone but it seems like any carrier of the iPhone should want to implement a simple filter to remove any malicious SMSs from the system.

    1. Re:Can't Carriers Stop this? by amicusNYCL · · Score: 4, Insightful

      It's not the carrier's responsibility to look at all SMS messages going through their system and filter them out, it's the iPhone's responsibility to not execute untrusted code in the first place. If this was a Microsoft device that's exactly what people would be saying.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  3. iPhone Vulnerability Yields Root Access Via SMS by Anonymous Coward · · Score: 5, Funny

    "...Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations,..."

    Cool now my wife can have that iphone she always wanted.

    1. Re:iPhone Vulnerability Yields Root Access Via SMS by phillips321 · · Score: 2, Funny

      Why not just lock her in the house redneck style?

  4. Prevention/Defense by InsertWittyNameHere · · Score: 5, Funny

    If any of you iPhone users wants to know how to prevent this attack, please reply with your cellphone number and I will TXT you the details.

    You're welcome!

    1. Re:Prevention/Defense by Comatose51 · · Score: 2, Funny

      9-1-1 I'm going to disable SMS for now just to be safe so just call it and tell me. If my hot blonde, high libido girlfriend picks up, say some obscene things to her. Just act out your fantasy right over the phone. She loves that.

      --
      EvilCON - Made Famous by /.
  5. Run up your bill too by nurb432 · · Score: 3, Insightful

    Nice little DDoS attack device, with one hell of a use fee at the end of the month ...

    --
    ---- Booth was a patriot ----
    1. Re:Run up your bill too by Joce640k · · Score: 3, Funny

      Even better: 1) Record a crappy song, upload it to iTunes 2) Get every iPhone in the USA to "buy" a copy. 3) Babeland

      --
      No sig today...
    2. Re:Run up your bill too by arndawg · · Score: 2, Funny

      Even better: 1) Record a crappy song, upload it to iTunes 2) Get every iPhone in the USA to "buy" a copy. 3) Babeland

      I think that is kind of glorifying the showers in prison.

  6. Re:Ouch! by Canazza · · Score: 5, Funny

    1) Hacker Sends SMS to target phone
    2) Phone gets virus, virus looks up address book and sends itself to everyone in their address book
    3) Phone with virus does evil stuff to phone

    Damn, that's excellent... erm, I mean... too bad... for... you know... California... and Art Students...
    Phones are for phoning people
    PDAs/Netbooks/Laptops are for doing business on the move
    Laptops/Gameboys are for mobile gaming

    The only combination I'll accept are mobile phones that play my MP3's... since it's a small, simple extension of the already available 'ringing' feature of phones :P
    Oh, and cameras... I'll accept camera phones... They're useful.
    And Skype access
    And Wifi for the Skype...
    and while we've got Wifi we might as well have a browser
    and maybe the ability to put other apps on it too...

    *damnit* I've fallen for feature creep... someone help!

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  7. Well there's your problem! by Anonymous Coward · · Score: 5, Insightful

    "as SMS can send binary code that the iPhone processes without user interaction"

    Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?

    1. Re:Well there's your problem! by Peregr1n · · Score: 3, Funny

      Yeah! Ban the characters '0' and '1' from text messages and stop this binary nonsense!

    2. Re:Well there's your problem! by topham · · Score: 2, Informative

      Actually, they do MMS just fine.

      But I wouldn't expect you to know that.

    3. Re:Well there's your problem! by pwfffff · · Score: 2

      OK, so people (not in the US (who've upgraded to 3.0)) can MMS.

      Still hilarious that it didn't come stock.

      Apple fanboys are awfully rabid today aren't they, putting words in my mouth and all...

    4. Re:Well there's your problem! by kv9 · · Score: 2, Insightful

      Apple bashers seemingly have one thing in common: they are inordinately smug c*** suckers

      I thought that's the one thing that Apple fanbois had in common... now I'm confused.

  8. i sense a disturbance in the force by timmarhy · · Score: 3, Funny

    it was as if 1000 apple fanbois cried out and then were silent...

    --
    If you mod me down, I will become more powerful than you can imagine....
  9. Next thing ... by Stavr0 · · Score: 5, Funny

    Could the iPhone be jailbroken via SMS?

  10. Re:Ouch! by Jurily · · Score: 5, Insightful

    Who the fuck thought it would be a good idea to automatically execute the content of a message you have no control over whatsoever?

  11. Re:Ouch! by Joce640k · · Score: 2, Funny

    He used to work for Microsoft where he spent his time adding "can execute code" to all their media file formats. Now he's at Apple (and continuing the good work...)

    --
    No sig today...
  12. At least SOMEBODY has full access to my iPhone! by just+fiddling+around · · Score: 5, Informative

    That's just great. I can't use all the features of the iPhone because it is crippled by the providers, but any dumbass can get root by SMS?

    If I had "bought" one (I consider the current way of getting it as rent-to-own), I would be pissed.

    --
    You're not old until regret takes the place of your dreams.
  13. SMS limit isn't 140 characters by praseodym · · Score: 5, Informative

    SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.

  14. Seems to affect other smart phones as well ... by FelxH · · Score: 5, Informative

    from the second link: "We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices."

    1. Re:Seems to affect other smart phones as well ... by El_Muerte_TDS · · Score: 2, Insightful

      No, learn to read. The second link says that they have technology to send an SMS Message to a phone without needing a carrier. It doesn't say anything about exploiting bugs in the handling of the SMS Message.

  15. Re:Ouch! by GeorgeStone22 · · Score: 2, Interesting

    I don't get your mindset. The phone has obviously sold millions upon millions. It's doing something right. It's called usability and the iPhone has it by the bucket loads. Before the iPhone came about putting apps onto a phone was annoying and awkward for the average user. You had to download the .sis (On symbian OS) then put it on a memory card, then finally install it. Apple have made mobile applications accessible to the masses, and Grindr is proof of that. I don't agree with everything Apple has done with the iPhone, but I agree with enough of it to have just ordered a 3Gs. My previous phone was a Nokia 6600 which was probably more feature rich, but using it was torture.

  16. Re:Ouch! by Nerdfest · · Score: 2, Informative

    That would be Steve Jobs ... but he's a sick man.

  17. Re:Ouch! by fmobus · · Score: 2, Insightful

    Yeah, because the same happened in the webserver market. Apache installations get rooted every single minute.

  18. Re:Ouch! by L4t3r4lu5 · · Score: 4, Interesting

    This might be linked to the MobileMe Find My iPhone, Remote Wipe, and remote message facilities. If these are commands sent by SMS message from MobileMe, then perhaps they can be overflowed to run arbitrary commands.

    After all, if you can wipe the phone remotely, then that system has root access, does it not?

    N.B. I am not a security researcher.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  19. Re:Ouch! by Sockatume · · Score: 2, Interesting

    It's not a true SMS-to-root exploit. So far he's only been able to crash part of the device's software with it, he's still looking into whether it can be used to run arbitrary code.

    --
    No kidding!!! What do you say at this point?
  20. Apple's Newest Product... by Sfing_ter · · Score: 4, Funny

    The iPwn. Be the first on your network to get iPwned.

    Pwn Different!

    Just Pwn.

    http://www.screenprintingasap.com/EBAY/ipwn/ipwn_a.jpg

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  21. Depends how you define characters by multipartmixed · · Score: 3, Interesting

    And in the case of binary data, you're dead wrong.

    GSM SMS payload is 140 8-bit characters, or bytes, depending how you look at it.

    The default SMS text encoding format uses 7-bits, and employs a bit-shifting algorithm to pack 160 7-bit characters into 140 bytes. Binary formats can't use this compression, as, well, they need all eight bits.

    --

    Do daemons dream of electric sleep()?
    1. Re:Depends how you define characters by praseodym · · Score: 2, Informative

      You're correct. And to complete it:

      "Larger content (Concatenated SMS, multipart or segmented SMS or "long sms") can be sent using multiple messages, in which case each message will start with a user data header (UDH) containing segmentation information. Since UDH is inside the payload, the number of characters per segment is lower: 153 for 7-bit encoding, 134 for 8-bit encoding and 67 for 16-bit encoding." -- from Wikipedia

      So, in this case it's 134 bytes and not 140 since the payload probably doesn't fit in a single 140 bytes.
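
The two figures in this sub-thread (160 septets packed into 140 octets, and 134 payload bytes per 8-bit segment once the user data header is counted), worked through in Python as an added example that is not part of any comment or of any phone's code. It assumes the 8-bit-reference concatenation element (IEI 0x00, length 3); the function names and the sample segments are constructed for illustration, and the parser rejects header lengths and sequence numbers that do not fit the message instead of trusting them.

```python
def pack_septets(septets):
    """GSM 7-bit packing: 8 septets fit in 7 octets, so 160 fit in 140."""
    acc, bits, out = 0, 0, bytearray()
    for s in septets:
        if not 0 <= s < 128:
            raise ValueError("not a 7-bit value")
        acc |= s << bits          # place the septet above the leftover bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc)           # final partial octet, zero padded
    return bytes(out)

def parse_segment(ud):
    """Return (ref, total, seq, payload); assumes concatenation IEI 0x00, length 3."""
    if not 1 <= len(ud) <= 140 or 1 + ud[0] > len(ud):
        raise ValueError("bad user-data length or header length")
    udhl = ud[0]
    hdr, i = ud[1:1 + udhl], 0
    while i + 2 <= len(hdr):
        iei, n = hdr[i], hdr[i + 1]
        body = hdr[i + 2:i + 2 + n]
        if len(body) != n:
            raise ValueError("truncated information element")
        if iei == 0x00:
            if n != 3 or body[1] == 0 or not 1 <= body[2] <= body[1]:
                raise ValueError("bad concatenation fields")
            return body[0], body[1], body[2], ud[1 + udhl:]
        i += 2 + n
    raise ValueError("no concatenation element")

def reassemble(segments):
    """Join segments of one message; reject mixed, duplicate or missing parts."""
    parts, key = {}, None
    for ud in segments:
        ref, total, seq, payload = parse_segment(ud)
        key = key or (ref, total)
        if (ref, total) != key or seq in parts:
            raise ValueError("mixed or duplicate segment")
        parts[seq] = payload
    if key is None or len(parts) != key[1]:
        raise ValueError("missing segments")
    return b"".join(parts[s] for s in range(1, key[1] + 1))

# Constructed two-part message, delivered out of order (6-byte header leaves 134).
SAMPLE = [bytes([5, 0, 3, 0x2A, 2, 2]) + b"B" * 10, bytes([5, 0, 3, 0x2A, 2, 1]) + b"A" * 134]
```
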

  22. Re:SMS? by Short+Circuit · · Score: 2, Interesting

    Any privilege elevation exploit will benefit anyone seeking elevated privileges on your equipment. This includes law enforcement, the mafia and your mom.

    Nice little bit of paranoia you've got going there.

  23. Cancel Texting by joNDoty · · Score: 3, Insightful

    I recently canceled texting completely on my iPhone 3GS. Texting fees are outrageous and I'm not putting up with them anymore. If you want to text me, send it to my email address. Your phone probably supports texting to an email address and you don't even realize it. You can also reply to free texts I send you and I get notified instantly.

    Sure, I can't receive texts sent to my phone number, but that's a sacrifice I'm willing to make if I'm going to help my country kick this ridiculous habit of overpaying for tiny emails.