Slashdot Mirror


The iPhone SMS Hack Explained

GhostX9 writes "Tom's Hardware just interviewed Charlie Miller, the man behind the iPhone remote exploit hack and winner of Pwn2Own 2009. He explains the (now patched) bug in the iPhone which allowed him to remotely exploit the iPhone in detail, explaining how the string concatenation code was flawed. The most surprising thing was that the bug could be traced back to several previous generations of the iPhone OS (he stopped testing at version 2.2). He also talks about the failures of other devices, such as crashing HTC's Touch by sending a SMS with '%n' in the text."

25 of 94 comments

  1. Why OSS needs financial backing by BadAnalogyGuy · · Score: 5, Insightful

    Though it hasn't been so directly argued for a while, there is still the belief that OSS is somehow unique and better than closed source software because it engages the lone hacker sitting in his basement writing code in his spare time. What I found interesting was Charlie Miller's take on unpaid effort.

    This SMS stuff is a good example. Between us, Collin and I found one bug in iPhone, Android, and Windows Mobile. Then we stopped testing. We had enough for our talk, what motivation did we have to keep looking? This is really an unpaid hobby for us, so we do the minimum level of work possible to get results good enough for conference presentations.

    Financial incentive is, despite the feeble arguments to the contrary, still the thing that gets code written (and bugs found). Without paying the developers, Linux never would have gotten to the stage it is now. Yes, the source code is open, but it is primarily because there is a team of developers getting paid to write the OS source code that we have such a great system today.

    The hobbyist is still just a user. The real developers do it as their job.

    1. Re:Why OSS needs financial backing by camcorder · · Score: 4, Insightful

      How is it related to open source at all? Good software needs dedicated coders, and in order to motivate them for a long time, money is a good tool. What you say is a generic thing, and nobody said that since the code will be open, people will work for free software like slaves to make applications good enough. The free software concept is much more than good software.

      Your argument is valid for everything: if you need to build something good, you need dedication. And this dedication is only possible with motivation, which is what money is used for these days. But believe me, there are better motivators than money still today.

    2. Re:Why OSS needs financial backing by OzPeter · · Score: 3, Informative

      But believe me there are better motivators than money still today.

      No Money -> No food -> Starve

      Yes there are better motivators than money, but unless your basic needs are met (food, shelter, clothing etc) then all the other motivation in the world won't help you. The only solution in that case is you better hope that the dedication to a cause is more addictive than crack.

      Otherwise, eventually there has to be money somewhere.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Why OSS needs financial backing by Lord+Bitman · · Score: 3, Insightful

      OSS doesn't mean "nobody gets paid" it means "a product you are free to modify is superior to a product which is locked-down. Modifications which can be freely shared or incorporated back into the upstream are superior to modifications which are constantly repeated"

      With "proprietary" software, the person who does the initial development is often the same as with OSS. But OSS can get those people and whoever else wants to scratch an itch.

      It annoys the crap out of me that I can't, for example, write improvements to the software on my set-top box. People essentially turning away free labor because hardware manufacturers can't decide what it is they're selling.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    4. Re:Why OSS needs financial backing by Stele · · Score: 5, Insightful

      No, "real developers" do as much as they can to meet a deadline. No more... but often quite a bit less. ...
      Unlike a "professional" who will stop as soon as possible and get the hell out, because there is no reason for any more, and usually reason for less.

      Bullshit.

      I don't know what cube farm you met these "real developers" of yours at but in my business "professionals" do what it takes to make the customer happy.

      Having shipped dozens of commercial products in somewhat niche markets I can tell you that if you want to eat you do a great job and keep doing it, working directly with key customers if necessary to craft tools that will help them do their jobs better/faster/easier.

      And being part of a small company means my income is directly based on those of my users, and in this economy it means working my ass off on as many projects as possible to keep the fridge full and shoes on my kids' feet, and each and every one of them has to be near-perfect at V1.0. There is no "fix these known things in a patch after we release."

      I've seen more than my share of open source projects where your "non-real programmers" got tired and stopped at the horribly designed config file, or documentation, or at the "well it works good enough for me" part and people should be *glad* to sift through the code to figure out how it works.

      *Professional* programmers have to go that extra 20% at the end, which usually takes 90% of the time, to make the software into a polished, finished, product, and we have to do it in such a way to minimize idiot user questions, which *will* happen, so we don't waste all our money dealing with tech support. Your open-source guys can just say "read the source" if you don't understand something.

      How's that for generalizations?

    5. Re:Why OSS needs financial backing by DJRumpy · · Score: 4, Insightful

      Risking Karma here, but I have to agree. OSS as a rule simply doesn't have the polish that P2P software typically does (yes this is a generalization). It might run better, lighter, smaller footprint, etc, but as a whole product/pkg, it typically just doesn't have that sparkle that lets it compete with P2P.

      Take Gimp for example. It mimics almost everything in Photoshop and it does a great job generally, but there are many things that are just downright glitchy. Things that would never fly in a pay product, but I suspect for OSS, they were categorized as 'good enough' and lowered in priority for other bug fixes. Things like having to sometimes click on a tool 2 or 3 times before it registers or you end up applying the wrong tool. I haven't been using gimp for oh..say more than 2 years give or take, but the problem still exists. Don't get me wrong. I love OSS. Without it I think the quality of P2P software would be poor at best. OSS keeps them on their toes in a way that other P2P software can't. Get it right, or lose out. It doesn't take much to push someone away from a product when you combine cost and poor quality.

      OO.o tends to follow in MS's footsteps (scary thought). Although it might excel in some areas like ODF, it simply plays catch-up for the larger product. I think another part of the problem is we the user. I've caught myself far too many times saying "hey, it's free..why complain?".

    6. Re:Why OSS needs financial backing by TheLink · · Score: 2

      I daresay there aren't as many open source software that are really polished compared to commercial software.

      Most OSS developers are happy enough to get things to the point of "mostly works" or more infamously: "WorksForMe".

      Of course, the extra polishing or effort rarely goes to security, since real security rarely sells, you can get away with just _claiming_ bullshit like "Unbreakable" (like Oracle did).

      But really, with commercial software, you're more likely (though still not common) to have some annoying noncoder that the programmer HAS to listen to, who's standing there and saying, "Nope that's not good enough for the users, it's got to be better than that". Yes, this is not that common, but it's still more likely than for OSS.

      Because with most OSS the programmer doesn't have to listen to mere noncoders or anybody - they can just say - "Not good enough for you? Go fork yourself!". Heck lots of Slashdotters say that sort of thing when people complain about OSS - "Download the source, and fix it yourself".

      --
    7. Re:Why OSS needs financial backing by ratboy666 · · Score: 2, Insightful

      Your take on this is... interesting.

      Charlie and Collin look for these bugs AS A HOBBY. Not as a job. The reward they get is the response from the talk they deliver at the next conference.

      At three bugs (one per platform) they had enough for the conference.

      Why did they find these bugs? Because the "professional" developers and QA people either hadn't found them, or the products (ALL of them) were released with known bugs.

      All this tells me is that vendors are releasing buggy products. And that there are at least two hobbyists who find it interesting to look for the defects. Why do they do that? I don't know; that's their itch to scratch. Why do the vendors not apply more quality? That would be money.

      All of which makes your final comment

      "The hobbyist is still just a user. The real developers do it as their job."

      rather laughable.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    8. Re:Why OSS needs financial backing by mjwx · · Score: 2, Insightful

      Financial incentive is, despite the feeble arguments to the contrary, still the thing that gets code written (and bugs found).

      The flaw was found in Windows Mobile, iPhone and Android.

      Android was fixed within days, WinMo shortly after that, and the flaw is still present in the iPhone. This is why it's referred to as the "iPhone" SMS bug, not just the SMS bug.

      You were saying.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Jailbreak by SnakeEater251 · · Score: 5, Interesting

    Makes you wonder how many iPhone owners who have jailbreaked (-broken?) their devices are still vulnerable to this hack. It isn't exactly fun to have to jailbreak every time an update gets released.

    --
    -FB
    1. Re:Jailbreak by Anonymous Coward · · Score: 2, Insightful

      Ever since the release of the iPhone, I've been quite astounded at what people think of the jailbreak process. Yes, it's great that people can do stuff with their phone that Apple didn't intend. But... The existence of this means that your phone has a security hole.

      I seem to recall that the original jailbreak technique was a specially-crafted TIFF image that caused remote code execution. So you'd just go to a website in Safari that had the image, and it would essentially root your phone.

      And iPhone users were fine with this! Yeah, my cool iPhone, Apple can do no wrong! When you ask these same people about Apple's security track record, they'll often say it's great. They don't draw the connection between their cool unapproved apps and Apple's laziness and bad engineering.

      Maybe the situation has gotten better since this was the case. But it's a pretty clear example of the junction of fanboyism and technical ignorance.

  3. %n by RMH101 · · Score: 5, Funny

    Take that, HTC-fanboys!

    1. Re:%n by webreaper · · Score: 2, Interesting

      We've tested this with a mate's HTC Touch, and the crash doesn't happen....

    2. Re:%n by Tom9729 · · Score: 4, Informative

      Crashes usually turn into remote exploits.

    3. Re:%n by Anonymous Coward · · Score: 5, Informative

      No, that's not what he means. If you're causing memory corruption because of unsanitised inputs, it's only a matter of time before a method is discovered to inject something malicious into that memory space.

    4. Re:%n by TheRaven64 · · Score: 2, Insightful

      To quote the OpenBSD team:

      The difference between a bug and a vulnerability is the intelligence of the attacker.

      --
      I am TheRaven on Soylent News
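The "%n" crash discussed in this thread is the classic format string defect: untrusted text reaches a printf-family function as the format argument, so conversion specifiers in the message are interpreted instead of displayed. The C code below is an added example, not code from the interview or from any of the phones discussed; it shows the defensive pattern (the untrusted text is always an argument to a fixed format) together with a small check a tester can run over incoming text to flag messages containing directives. The sender and message strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion specifiers in untrusted text: a '%' that is not
 * part of a literal "%%". Useful as a fuzzing or log-review check: a
 * non-zero result on text that later reached a format argument is a red
 * flag for exactly the bug class described in the thread. */
int count_format_directives(const char *text)
{
    int count = 0;
    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign; skip both */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened rendering: the message is passed as data to a fixed "%s" format,
 * so a "%n" inside it is printed literally rather than interpreted. Returns
 * what snprintf returns (characters that would have been written), so the
 * caller can detect truncation of long messages. */
int render_sms_safely(char *out, size_t out_len,
                      const char *sender, const char *text)
{
    return snprintf(out, out_len, "From %s: %s", sender, text);
}

/* Constructed sample messages (not real traffic). */
static const char *SAMPLE_OK  = "see you at 5";
static const char *SAMPLE_BAD = "hi %n%n%n%s";
static const char *SAMPLE_PCT = "100%% sure";

int main(void)
{
    char buf[160];
    const char *samples[] = { SAMPLE_OK, SAMPLE_BAD, SAMPLE_PCT };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_sms_safely(buf, sizeof buf, "+15555550123", samples[i]);
        printf("directives=%d rendered=\"%s\"\n",
               count_format_directives(samples[i]), buf);
    }
    return 0;
}
```

The point of the second function is that the fix is not to strip "%" from messages (legitimate text contains it) but to make sure user-controlled bytes can never occupy the format parameter; compilers flag the unsafe pattern with warnings such as GCC's -Wformat-security, which is worth enabling as an error in builds that parse untrusted input.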
  4. more interesting hack hinted at in last paragraph by circletimessquare · · Score: 3, Interesting

    DoS or gain root to a celltower?:

    Alan: What about the claim that a jailbroken iPhone could crash cell phone towers--has anyone ever looked at the security of the software running cell phone towers?

    Charlie: This is complete BS. You can diff a jailbroken kernel with a standard iPhone kernel and there are very few places that are changed. In particular, it doesn't mess with anything that has to do with the communication with the carrier. Even if it did do something crazy, which it doesn't, I would hope that the towers are robust enough to handle it. Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too. I hope the carriers adequately test their equipment. If not, they can always give me a call, I'd be happy to help. In other words, if all it takes for a terrorist to take down cellular communication in this country is have a jailbroken iPhone, we're in trouble.

    As an aside, that was another reason I liked the injection method of testing SMS messages locally. I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!

    "Just as the software in the iPhone should be able to handle any type of input it receives, the cell towers should too."

    except Charlie just proved this to be false

    "I think if I fuzzed the phone using the carrier network, I probably would have crashed something. Even though it would be unintended, I could see them throwing me in jail for that, and that's one place I don't want to visit!"

    The carrier should be paying you six figures for revealing the hack to them benignly, rather than with malintention

    look, carriers: if there is a hack out there, someone will exploit it one day. your choices are:

    1. have no idea who is doing what until something awful happens to your network and your customers and you need to pay big bucks to fix it, not to mention the financial hit from the hit to your reputation

    2. offer up front a cash reward to anyone who discovers a bug (scaled to severity), and you will be paying great rewards and still be paying 1/10th or 1/100th of what you would pay if you found the hack out the hard way

    and instead, people like Charlie are under threat of jail for doing what they do in good faith, to your benefit

    talk about shortsighted

    you catch more flies with honey than with vinegar

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  5. Re:Let me guess...the code was in C, right? by lhunath · · Score: 3, Insightful

    Almost as never ending as the flow of programmers that don't bother to learn the intricacies of their language.

    --
    ``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
  6. Re:Let me guess...the code was in C, right? by Shin-LaC · · Score: 4, Informative

    The HTC bug, however, looks like it's caused by improper use of string formatting. That sort of problem can occur with any language, as seen with the host of sites (most of them written in high-level languages) that have had SQL injection vulnerabilities in the past.
    It's true that some languages and constructs are more dangerous than others, but at some level, programmers just have to bear in mind what they're doing and how they're using their data.

  7. I think he misunderstood Apple's comment by yabos · · Score: 2, Insightful

    I think Charlie and the interviewer (Alan) misunderstood Apple's comments on jailbreaking. The point they were making is that jailbreaking could allow people to crash the cell towers by installing malicious software on the phones, not that jailbreaking itself would cause problems. And technically this could be true, depending on how crappy the cell tower software is.

  8. Re:more interesting hack hinted at in last paragra by ChienAndalu · · Score: 3, Interesting

    He didn't prove anything, he was just guessing that sending 500 malformed SMS messages *could* affect the towers negatively and the carriers probably wouldn't like that.

  9. Re:Let me guess...the code was in C, right? by jmac_the_man · · Score: 2, Interesting

    Look at COBOL. It's essentially a dead language, but look at how much live COBOL code is still out there. There's a hell of a lot more C out there than COBOL. If you wanted to replace all the C code that's out there, it would be many more billions than the total caused by bugs in C. And nobody is going to want to make that investment.

  10. Re:more interesting hack hinted at in last paragra by ArcCoyote · · Score: 2, Insightful

    Miller mentions using AT commands to the GSM modem to send all the bogus SMS messages. That's nice. Did you know you could do that with any Motorola phone and a serial cable long before the iPhone was a clever idea in someone's head? You can even buy bare GSM modem modules for control and security systems, telemetry, etc... insert your SIM and go.

    Could you cause cell network mayhem and/or go to jail for what you're able to do with AT commands? Probably. Look at all the phreaky fun you could (can still?) have with the POTS network and a modem. But it has nothing to do with the iPhone or jailbreaking in particular. Jailbreaking is just opening up the iPhone's OS to user code. Once you've done that, you could get into the other parts of the phone, such as the baseband processor. That's where you unlock the phone or... well, I suppose if you were clever enough to load custom firmware into the baseband, you could do really nasty stuff at the RF packet level to the towers. But again, every model of phone has a baseband, and they're all reprogrammable (that's how carriers lock phones in the first place).

  11. Re:more interesting hack hinted at in last paragra by Tony+Hoyle · · Score: 2, Interesting

    Pretty much all USB 3G dongles work like this. They present a USB interface that takes AT commands, exactly the same ones that Apple are so scared will bring down civilisation as we know it.

  12. Re:more interesting hack hinted at in last paragra by Anarchduke · · Score: 2, Funny

    hmmm....dongle.

    that is a really funny word.

    dongle
    dongle
    dongle
    dongle

    Sorry, going a couple days without sleep makes you kind of screwy. But still...

    Dongle.

    --
    who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain