Researcher hopes Apple fixes possible iPhone SMS security hole

Possible vulnerability in the way iPhones handle text messages could be used to track the location of the phone, turn on the microphone, or turn phone into botnet zombie.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills

A security researcher said on Thursday that he hopes that Apple has a fix later this month for what he believes could be a vulnerability in the iPhone that could allow an attacker to gain control of the device remotely via SMS, according to IDG News Service.

An attacker could exploit a possible weakness in the way iPhones handle SMS (short message service) messages to do things like use GPS to track the phone's location, turn on the microphone for eavesdropping, or take control of the device and add it to a botnet, Charlie Miller, co-author of The Mac Hacker's Handbook and principal security analyst at Independent Security Evaluators, said in a presentation at the SyScan conference in Singapore.

Miller said he plans to give a more detailed presentation on the hole at the Black Hat conference in Las Vegas at the end of the month.

Despite the SMS hole, which "could be a critical vulnerability," the iPhone is more secure than OS X on computers, Miller said. That is because the iPhone doesn't support Adobe Flash and Java, only runs software digitally signed by Apple, includes hardware protection for data stored in memory, and runs applications in a sandbox, he said.

Apple representatives did not immediately respond to an e-mail request for comment.

Correction at 8:45 p.m. PDT July 29:This post was updated to correct that the researcher said he hopes Apple will fix the flaw, not that it will.