CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 3rd, 2009

iPhone Crashing Bug Could Lead To Serious Exploit

Exploiting a bug in the way iPhones parse SMS messages, the principal analyst at Independent Security Evaluators has demonstrated how to crash a part of the phone that allows him to temporarily disconnect the device from the network. He’s still trying to figure out if the vulnerability will allow him to remotely execute code, a feat that would allow attackers to do much more nefarious things, including sending malicious commands to monitor the phone’s location or turn on its microphone so it becomes a remote bugging device.

“I can definitely make the thing crash,” Miller said. “I have still to determine whether it’s actually exploitable or not. This thing has the potential to be really serious, but I’m still looking at it and Apple is still looking at it.”

Miller presented his findings at the SyScan conference in Singapore on Thursday and plans to offer additional details later this month at the Black Hat security conference in Las Vegas. Researcher Collin Mulliner was also instrumental in discovering the bug, Miller said.

If the vulnerability turns out to be exploitable, it would be significant because there are few measures iPhone users can take to prevent an attack, said Dino Dai Zovi, a security researcher. Dai Zovi has yet to see technical details behind the vulnerability, but he has already experienced its effects last week.

While the two were speaking on a land line, Miller told Dai Zovi he found a new bug in the iPhone and, as a demonstration, instructed him to look at his own Apple handset. The display bore the words “No service.” (The outage caused by Miller’s proof of concept was only temporary).

“My reaction was that this has the potential to be a very serious vulnerability and likely the worst that has affected the iPhone to date,” Dai Zovi told The Register. “I was very surprised that he had a vulnerability that was triggerable with just an SMS message.”

Dai Zovi and several other iPhone experts said there is no way to prevent the iPhone from receiving SMS messages. While AT&T allows users to block text messages and multimedia messages sent as emails, there is no way to block all SMS messages. No comments were made by Apple so far.

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • iPhone 2.0 Unlocked Before The Release
  • Researcher Finds Possible Flaw In Apple’s IPhone That Allows Shellcode On Unmodified Device
  • Unpatched iPhone Bug Can Virally Infect Phones Via SMS
  • Simple Method Allows iPhone Passcode Lock To Be Bypassed
  • SpyPhone iPhone App Can Silently Harvest And Email Personal Data

    • Posted in Apple, Hardware, Mobile, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Friday, July 3rd, 2009 at 2:35 am and is filed under Apple, Hardware, Mobile, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: iPhone Crashing Bug Could Lead To Serious Exploit

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »