X

Researchers attack my iPhone via SMS

Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" her iPhone by just sending a text message.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

Researchers Collin Mulliner and Charlie Miller shortly before they proved they could attack my iPhone with a text message, even after a beer or two. Elinor Mills/CNET News

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages and demonstrated it on my iPhone at theBlack Hat security conference on Wednesday.

Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.

Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.

My iPhone is not jailbroken and it is running iPhone OS 3.0.

The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators.

There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said. All current versions of the iPhone operating system are affected.

The attack is similar to an SMS attack demonstration CNET News wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a Web browser and directed the phone to a malicious Web site where malware could be downloaded.

In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack, only an attacker could temporarily knock the phone off the cell network but not take control, according to Mulliner, who's getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.

Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to make it so there are no buttons to push so the phone can't be used, said Miller.

For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be seen, he said.

The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.

Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.

Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007 and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.

Asked what an iPhone user can do when attacked, Miller replied: "Rebooting wouldn't be a bad idea. It would stop all but the most sophisticated attacker. However, it doesn't take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again. That's why I think this is so serious."

Updated July 30 at 4:45 p.m. PDT to include that phone attacked was not jailbroken and was running iPhone OS 3.0, and at 8:18 a.m. with Miller talking about what a victim can do when attacked.