Slashdot Mirror


The iPhone SMS Hack Explained

GhostX9 writes "Tom's Hardware just interviewed Charlie Miller, the man behind the iPhone remote exploit hack and winner of Pwn2Own 2009. He explains the (now patched) bug in the iPhone which allowed him to remotely exploit the iPhone in detail, explaining how the string concatenation code was flawed. The most surprising thing was that the bug could be traced back to several previous generations of the iPhone OS (he stopped testing at version 2.2). He also talks about the failures of other devices, such as crashing HTC's Touch by sending an SMS with '%n' in the text."
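The '%n' crash mentioned in the summary is the signature of message text reaching a printf-style function as the format string instead of as an argument. The following C is an added example written for this page; it is not code from the interview, from Charlie Miller's research, or from any phone vendor. The helper names (`display_safe`, `count_format_directives`, `escape_percent`) and the sample message text are constructed for illustration. It shows the defensive pattern: keep untrusted text behind a fixed "%s" format, escape '%' if a legacy API insists on using the text as its format, and count format directives so a triage tool can flag messages that carry them.

```c
/* Added example (not from the article or the research it describes).
 * A handler that calls snprintf(out, n, text) with received SMS text lets
 * "%n" or "%s" in the message drive the formatter; that is the bug class
 * behind the HTC Touch crash described above. These hypothetical helpers
 * treat the text strictly as data. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Render a received message for display. The text is always the argument
 * of a fixed "%s" conversion, so any '%' characters in it are inert. */
int display_safe(const char *sender, const char *text, char *out, size_t n)
{
    return snprintf(out, n, "From %s: %s", sender, text);
}

/* Count printf-style directives: a '%' not followed by another '%'.
 * Ordinary SMS text rarely contains these, so a non-zero count on a
 * message from an untrusted source is worth logging during triage. */
size_t count_format_directives(const char *text)
{
    size_t count = 0;
    for (const char *p = text; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; } /* "%%" is a literal percent */
        count++;
    }
    return count;
}

/* For a legacy API that can only take the text as its format string:
 * double every '%' so the formatter prints it literally. Returns the
 * length the escaped string needs (excluding the NUL), like snprintf, so
 * the caller can detect truncation. Pairs are never split on truncation. */
size_t escape_percent(const char *text, char *out, size_t n)
{
    size_t needed = 0;
    size_t w = 0;
    for (const char *p = text; *p; p++) {
        size_t k = (*p == '%') ? 2 : 1;
        needed += k;
        if (w + k < n) {               /* keep room for the terminating NUL */
            out[w++] = *p;
            if (k == 2) out[w++] = '%';
        }
    }
    if (n > 0) out[w] = '\0';           /* w < n is guaranteed by the check above */
    return needed;
}

int main(void)
{
    char buf[128];
    /* Constructed sample: the kind of payload the summary describes. */
    const char *hostile = "hi %n%n%n %s";

    display_safe("+15555550100", hostile, buf, sizeof buf);
    printf("%s\n", buf);                 /* the text appears literally */
    printf("directives: %zu\n", count_format_directives(hostile));
    escape_percent(hostile, buf, sizeof buf);
    printf("escaped: %s\n", buf);
    return 0;
}
```

Building with `-Wformat-security` (GCC and Clang) also flags the unsafe pattern at compile time, since it warns whenever a non-literal string is passed as a format with no further arguments.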

7 of 94 comments

  1. Jailbreak by SnakeEater251 · · Score: 5, Interesting

    Makes you wonder how many iPhone owners who have jailbreaked (-broken?) their devices are still vulnerable to this hack. It isn't exactly fun to have to jailbreak every time an update gets released.

    --
    -FB
  2. Re:%n by webreaper · · Score: 2, Interesting

    We've tested this with a mate's HTC Touch, and the crash doesn't happen....

  3. more interesting hack hinted at in last paragraph by circletimessquare · · Score: 3, Interesting

    DoS or gain root to a celltower?:

    Alan: What about the claim that a jailbroken iPhone could crash cell phone towers--has anyone ever looked at the security of the software running cell phone towers?

    Charlie: This is complete BS. You can diff a jailbroken kernel with a standard iPhone kernel and there are very few places that are changed. In particular, it doesn't mess with anything that has to do with the communication with the carrier. Even if it did do something crazy, which it doesn't, I would hope that the towers are robust enough to handle it. Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too. I hope the carriers adequately test their equipment. If not, they can always give me a call, I'd be happy to help. In other words, if all it takes for a terrorist to take down cellular communication in this country is have a jailbroken iPhone, we're in trouble.

    As an aside, that was another reason I liked the injection method of testing SMS messages locally. I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!

    "Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too."

    except Charlie just proved this to be false

    "I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!"

    The carrier should be paying you six figures for revealing the hack to them benignly, rather than with malintention

    look, carriers: if there is a hack out there, someone will exploit it one day. your choices are:

    1. have no idea who is doing what until something awful happens to your network and your customers and you need to pay big bucks to fix it, not to mention the financial hit from the hit to your reputation

2. offer up front a cash reward to anyone who discovers a bug (scaled to severity), and you will be paying great rewards and still be paying 1/10th or 1/100th of what you would pay if you found the hack out the hard way

    and instead, people like Charlie are under threat of jail for doing what they do in good faith, to your benefit

    talk about shortsighted

    you catch more flies with honey than with vinegar

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Professionalism in TFA? by OzPeter · · Score: 1, Interesting

From the end of TFA where they are talking about jailbroken phones crashing cell towers

    Charlie: This is complete BS. You can diff a jailbroken kernel with a standard iPhone kernel and there are very few places that are changed. In particular, it doesn't mess with anything that has to do with the communication with the carrier. Even if it did do something crazy, which it doesn't, I would hope that the towers are robust enough to handle it. Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too. I hope the carriers adequately test their equipment. If not, they can always give me a call, I'd be happy to help. In other words, if all it takes for a terrorist to take down cellular communication in this country is have a jailbroken iPhone, we're in trouble.

He starts off by asserting that it is BS, but then goes on to invoke an awful lot of belief in unicorns and pixie dust to support his statement. And even applies the same logic to the iPhone, even though the entire FA is all about how the real world isn't so magical.

    It sort of leaves me wondering about the quality of his off-the-cuff statements about things that he hasn't tested (which I suppose is a bit ad-hominem-ish, but it does come across as wishful thinking)

    --
    I am Slashdot. Are you Slashdot as well?
  5. Re:more interesting hack hinted at in last paragra by ChienAndalu · · Score: 3, Interesting

    He didn't prove anything, he was just guessing that sending 500 malformed SMS messages *could* affect the towers negatively and the carriers probably wouldn't like that.

  6. Re:Let me guess...the code was in C, right? by jmac_the_man · · Score: 2, Interesting

    Look at COBOL. It's essentially a dead language, but look at how much live COBOL code is still out there. There's a hell of a lot more C out there than COBOL. If you wanted to replace all the C code that's out there, it would be many more billions than the total caused by bugs in C. And nobody is going to want to make that investment.

  7. Re:more interesting hack hinted at in last paragra by Tony+Hoyle · · Score: 2, Interesting

Pretty much all USB 3G dongles work like this. They present a USB interface that takes AT commands, exactly the same ones that Apple are so scared will bring down civilisation as we know it.