Slashdot Mirror


SMS Hack Could Make iPhones Vulnerable

mhx writes "A single character sent by text message could allegedly compromise every iPhone released to date. The technique involves sending only one unusual text character or else a series of 'invisible' messages that confuse the phone and open the door to attack. Apple has not released any updates yet, so little can be done, except to power off your iPhone to avoid being hacked."

10 of 254 comments

  1. Binary Encoded Messages by Algorithmn · · Score: 5, Interesting

    I saw this one coming. Some cell phones cannot distinguish between a mobile provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.

    1. Re:Binary Encoded Messages by FireFury03 · · Score: 2, Interesting

      Correct me if I'm wrong, but since the SMS messages have to go through the carrier towers, can't this character be "cleaned" from the message there before it even hits the phone?

      What if I want to use that character legitimately?

    2. Re:Binary Encoded Messages by Sentax · · Score: 2, Interesting

      If there is a vulnerability with said character, then just using it would not be legitimate until the problem was fixed on the phone firmware.

      Cleaning the character at the carrier could prevent problems spreading to the phone and be a "quick fix", but doesn't make it go away, the phone would need to release a patch eventually, then you can use your Unicode heart character (or whatever else char it is) in your text messages again.

    3. Re:Binary Encoded Messages by Anonymous Coward · · Score: 1, Interesting

      One vendor released a fix, one vendor did not (yet). The open or closed nature of the platform had nothing to do with it in this case, it is not as if Joe Nobody fixed the flaw for all Android users from his basement.

  2. Is this why they were distracting us yesterday? by amcdiarmid · · Score: 4, Interesting

    As I recall Apple (DRM) was stating that jailbreaking cellphones was something to be done by terrorists who want to destroy cellphone infrastructure.

    Interesting that an SMS message can destroy apples ;)

  3. Lots can be done... by John+Whitley · · Score: 3, Interesting

    So little can be done, except power off your iPhone to avoid being hacked

    Little can be done... except block such messages entirely at the provider level. When the attack vector is clearly defined, it's easy to scan for it.

    1. Re:Lots can be done... by FelxH · · Score: 4, Interesting

      According to the previous article, they have found a way to send SMS messages without any provider: "This method does not use the carrier and so is free (and invisible to the carrier)". So blocking at the provider level won't work, unfortunately.

  4. Weird article. by sootman · · Score: 1, Interesting

    Gotta love the way things get prioritized to create an attention-grabbing headline.

    "Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn't released a patch..."

    OMG, ONE WHOLE MONTH! Oh, and by the way, "...in the last 18 months, cybercriminals have begun using text messages to send links to malicious Web sites that infect the phone with malware, says Mikko Hyppönen, an F-Secure researcher. One seemingly-Chinese variant, known as 'Sexy View' and currently targeting the Symbian operating system, is far more threatening than an iPhone attack, given that around 50% of cellphones use Symbian, [emphasis added] Hyppönen says."

    Miller also says "Texting applications' insecurity isn't due to the software's complexity so much as the security community's inattention and the expense of sending thousands of text messages to test a phone's security..."--um, I have an unlimited texting plan (AT&T, USA) and it's... well, I forget how much, but it's not a lot.

    That said, a) it shouldn't be that hard to lock down an app whose main job is to send, receive, and display TEXT, and 2) because of that, I hope Apple issues a fix for this soon.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.

  5. Re:Good by psychokitten · · Score: 2, Interesting

    Funny how you mention that since just the other day at work we were noticing how my Edge connection on T-Mobile is faster than a co-worker's 3G AT&T connection was.

  6. Re:Text character? by MaerD · · Score: 4, Interesting

    This reminds me of the days when on a BBS a badly calibrated modem would actually hang up if someone put +++ATH0 in the message. *sigh* I feel so old.

    --
    I put on my robe and wizard hat..