Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 30th, 2009

Unpatched iPhone Bug Can Virally Infect Phones Via SMS

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you quickly turn the device off.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

“This is serious. The only thing you can do to prevent it is turn off your phone,” Miller says. “Someone could pretty quickly take over every iPhone in the world with this.”

Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn’t released a patch, and it didn’t respond to Forbes’ repeated calls seeking comment.

The iPhone SMS bug is just one of a series that the researchers plan to reveal in their talk. They say they’ve also found a similar texting bug in Windows Mobile that allows complete remote control of Microsoft based devices. Another pair of SMS bugs in the iPhone and Google’s Android phones would purportedly allow a hacker to knock a phone off its wireless network for about 10 seconds with a series of text messages. The trick could be repeated again and again to keep the user offline, Miller says. Though Google has patched the Android flaw, this second iPhone bug also remains unpatched, he adds.

The new attacks can strike a phone without any action on the part of the user and are virtually unpreventable while the phone is powered on, according to Miller and Mulliner’s research. And unlike the earlier exploits, Apple has inexplicably left them unpatched, Miller says. “I’ve given them more time to patch this than I’ve ever given a company to patch a bug,” he says.

The Windows bug he and Mulliner plan to reveal hasn’t been patched either, says Miller, though he admits that he and Mulliner discovered the Windows flaw on Monday and hadn’t yet alerted Microsoft to its existence.

The attack developed by Miller and Mulliner works by exploiting a missing safeguard in the phones’ text messaging software that prevents code in the messages’ text from overflowing into other parts of the device’s memory where it can run as an executable program. The two researchers plan to demonstrate how a series of 512 SMS messages can exploit the bug, with only one of those messages actually appearing on the phone, showing a small square. (Someone could easily design the attack to show a different message or without any visible messages, Miller cautions.) The entire process of infecting an iPhone and then using the device to infect another phone on the user’s contact list would take only a few minutes, Miller says.

The researchers’ concerns aren’t merely theoretical. Finnish security firm F-Secure says it’s found nearly 500 different variants of mobile phone malicious software since 2004, mostly using Bluetooth to hop between phones in close proximity. But in the last 18 months, cybercriminals have begun using text messages to send links to malicious Web sites that infect the phone with malware, says Mikko Hyppönen, an F-Secure researcher.

One seemingly-Chinese variant, known as “Sexy View” and currently targeting the Symbian operating system, is far more threatening than an iPhone attack, given that around 50% of cellphones use Symbian, Hyppönen says. “After years of the security industry wondering why we aren’t seeing text message worms, it’s starting to happen now,” he says.

As dangerous as his iPhone attack sounds, Miller argues that it’s important to expose flaws in SMS software before they can be exploited by more malicious actors. Texting applications’ insecurity isn’t due to the software’s complexity so much as the security community’s inattention and the expense of sending thousands of text messages to test a phone’s security, Miller says.

“The bad news is that SMS is the perfect attack vector, but the good news is that it’s probably possible to build it securely,” he says. “As a researcher, I can only show [Apple] the bugs. It’s up to them to fix them.”


Share this item with others:

More on CyberInsecure:
  • iPhone Crashing Bug Could Lead To Serious Exploit
  • Simple Method Allows iPhone Passcode Lock To Be Bypassed
  • Malware In Online Game For Mobile Phones Launders Money
  • New Symbian OS Malware Silently Transfers Mobiles Account Credit
  • Researcher Finds Possible Flaw In Apple’s IPhone That Allows Shellcode On Unmodified Device

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Unpatched iPhone Bug Can Virally Infect Phones Via SMS

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.