iPhone Vulnerability Yields Root Access Via SMS

Posted by timothy
from the tweet-hack dept.
snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."
  • We do not know the details of this yet, but if this is really an "sms to root" exploit, it can be used for sms-based viruses that can spread very fast.
    • Re:Ouch! (Score:5, Funny)

      by Canazza (1428553) on Friday July 03, 2009 @08:16AM (#28570813)

      1) Hacker Sends SMS to target phone
      2) Phone gets virus, virus looks up address book and sends itself to everyone in their address book
      3) Phone with virus does evil stuff to phone

      Damn, that's excellent... erm, I mean... too bad... for... you know... California... and Art Students...
      Phones are for phoning people
      PDAs/Netbooks/Laptops are for doing business on the move
      Laptops/Gameboys are for mobile gaming

      The only combination I'll accept are mobile phones that play my MP3's... since it's a small, simple extension of the already available 'ringing' feature of phones :P
      Oh, and cameras... I'll accept camera phones... They're useful.
      And Skype access
      And Wifi for the Skype...
      and while we've got Wifi we might as well have a browser
      and maybe the ability to put other apps on it too...

      *damnit* I've fallen for feature creep... someone help!

      • Re: (Score:2, Funny)

        by Comatose51 (687974)
        Well, I hope you removed the air conditioner and the stereo from your car because A/C is for cooling and stereo is for listening. They have no purpose in the car. While we're at it, let's take out the headlights too. Oh that starter motor is just a total dead weight. Talk about feature creep! Wheel, brakes, and an engine should be all you have in your car.
        • by Canazza (1428553)

          1) I don't own a car
          2) You missed the point
          3) You really think that Grindr [apptism.com] is as essential to a phone as a wheel is to a car?

          • Re: (Score:2, Interesting)

            I don't get your mindset. The phone has obviously sold millions upon millions. It's doing something right. It's called usability and the iPhone has it by the bucket loads. Before the iPhone came about putting apps onto a phone was annoying and awkward for the average user. You had to download the .sis (On symbian OS) then put it on a memory card, then finally install it. Apple have made mobile applications accessible to the masses, and Grindr is proof of that. I don't agree with everything Apple has done wi
            • by kv9 (697238)

              Before the iPhone came about putting apps onto a phone was annoying and awkward for the average user. You had to download the .sis (On symbian OS) then put it on a memory card, then finally install it.

              all the apps on my Nokia have been installed by "clicking" on links from the browser. I never had to do any of the crazy shit you're talking about. it even has a thingy that lets me browse various categories of applications and install them with one click (kind of... like... an appstore... HOLY SHIT!). I never even have to plug the damn thing to transfer stuff because of bluetooth.

          • You really think that Grindr [apptism.com] is as essential to a phone as a wheel is to a car?

            Dude, Grindr is an application that helps you find sex. A wheel on a car helps you to drive to a location where you can find sex. If you remove either one, the result is the same -- it's more difficult to find sex. What's so difficult to understand here?

      • Laptops/Gameboys are for mobile gaming

        What do you recommend for mobile gaming that meets my cousin's criteria?

        1. Smaller than an Eee PC. Laptops are harder to carry than something that fits in a pocket.
        2. Allows students, hobbyists, and small companies to develop for the platform. Nintendo and Sony take stances against homebrew.
        3. Can be purchased with cash in the United States. Please don't shut out children who have saved their birthday and lawn mowing money.

        Laptops fail 1, Game Boy fails 2, and GP2X fails 3. The only video gaming platform we could

        • Any Windows Mobile PDA will do actually.

          • Phones are for phoning people
            PDAs/Netbooks/Laptops are for doing business on the move

            [For gaming,] Any Windows Mobile PDA will do actually.

            Good luck finding a new Windows Mobile Classic (formerly Pocket PC) device in 2009. All the stores are pushing devices that run Windows Mobile Standard (smartphone) or Windows Mobile Professional (smartphone with touch screen), and the whole premise of this thread is to find a device without a phone and without the 2-year service commitment that comes with most phones.

            • Not that difficult. Shall I name a few device names?

              - Pharos 535v
              - HP iPaq 111
              - HP iPaq 211 (would go for that one, 4" VGA screen rocks)

              Motorola/Symbol still make lots of them but they are way too expensive, and not as robust as they look.

              The used market should be huge.

              And by the way, is it really the case that you cannot buy a Windows Mobile phone without a contract? In Germany it wouldn't be a problem at all.

              • by tepples (727027)
                Children can't shop online, and I haven't seen the iPAQ products at the local Best Buy or Office Depot store. So how would a kid who is holding $400 in $20 Federal Reserve notes buy such a PDA?
      • Please don't promote skype in this space. It is too proprietary, and consumes too much battery power running as a 3rd party app.

        Why not buy a true SIP phone? Then you can set it up like an extension at your office/PBX, or configure it directly to a service like www.voipcheap.com. Personally, I won't buy a phone unless it is supported on a list like this one:
        http://www.forum.nokia.com/Technology_Topics/Mobile_Technologies/VoIP/Nokia_VoIP_Framework/VoIP_support_in_Nokia_devices.xhtml [nokia.com]

        In the US, T-mobile sells

      • by Meneth (872868)
        You failed at "Skype". :)
    • Re:Ouch! (Score:5, Insightful)

      by Jurily (900488) <jurily&gmail,com> on Friday July 03, 2009 @08:20AM (#28570847)

      Who the fuck thought it would be a good idea to automatically execute the content of a message you have no control over whatsoever?

      • Re: (Score:3, Funny)

        by Joce640k (829181)
        He used to work for Microsoft where he spent his time adding "can execute code" to all their media file formats. Now he's at Apple (and continuing the good work...)
      • by forand (530402)
        My best guess would be the cell providers. They want some way to control the devices on their network or update them remotely if so needed.
        • They want someway to control the devices on their network or update them remotely if so needed.

          Wait, are you talking about cell providers or botnet operators?

          I suddenly feel this appetite for brains... *turns off phone* hmm...

          </cynicism>

      • Re: (Score:3, Informative)

        by Nerdfest (867930)
        That would be Steve Jobs ... but he's a sick man.
      • Re:Ouch! (Score:5, Interesting)

        by L4t3r4lu5 (1216702) on Friday July 03, 2009 @09:29AM (#28571489)
        This might be linked to the MobileMe Find My iPhone, Remote Wipe, and remote message facilities. If these are commands sent by SMS message from MobileMe, then perhaps they can be overflowed to run arbitrary commands.

        After all, if you can wipe the phone remotely, then that system has root access, does it not?

        N.B. I am not a security researcher.
      • Indeed. Vulnerability, or backdoor? "Fixing" the solution probably involves verifying the text message came from Apple.

      • by sgt_doom (655561)

        "Who the fuck thought it would be a good idea to automatically execute the content of a message you have no control over whatsoever?"

        Master control? The Illuminati? World Domination Society? Those Free Mason chaps? Hank Paulson, wherever the f**k he is? Goldman Sachs? JPMorgan Chase? Morgan Stanley? InterContinental Exchange? ICE US Trust? DTCC?

      • Obviously I don't know the details of the exploit, but no phone software would willingly execute code that it has no control over. These exploits take advantage of security bugs in the phone software to get them to execute code.

        A simple naive example is the classic stack buffer overflow [wikipedia.org]. I might send a malformed SMS that encodes a 200-byte message (140 bytes is the byte limit for SMS). If the software that processes the SMS didn't check that the byte count is less than 140, it might happily write those

        • by Jurily (900488)

          I might send a malformed SMS that encodes a 200-byte message

          No, you can't.

          Messages are sent with the MAP mo- and mt-ForwardSM operations, whose payload length is limited by the constraints of the signalling protocol to precisely 140 octets (140 octets = 140 * 8 bits = 1120 bits).

          • Let me repeat TWO of the disclaimers that I put in my original post:

            Obviously I don't know the details of the exploit,

            (This example is probably way too simple and is likely NOT how the actual phone exploit works; it is just to illustrate the point.)

            And you seem to have missed the very next paragraph in the Wikipedia article where it talks about multi-segment SMS, which (from just the /. summary) sounds like what this exploit targets.
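The exchange above (a naive 200-byte message against a 140-octet TP-User-Data field, and the correction that longer content arrives as concatenated segments carrying a user data header) is, as the poster says, only an illustration and not the actual iPhone bug. As an added example that is not part of the original thread and not Apple's code, here is the kind of bounds-checked parser a defender would expect to sit in front of the fixed buffer: it reads TP-UDL and the optional user data header (3GPP TS 23.040) and rejects any message whose declared lengths exceed the 140-octet capacity, the octets actually received, or each other, before a single byte is copied. The struct and function names and the sample segment bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMS_TP_UD_OCTETS 140   /* TP-User-Data capacity of one SMS-DELIVER/SUBMIT */

enum sms_ud_status { UD_OK = 0, UD_ERR_TRUNCATED, UD_ERR_UDL_TOO_LARGE,
                     UD_ERR_UDH_BAD, UD_ERR_CONCAT_BAD };

struct sms_user_data {
    uint8_t payload[SMS_TP_UD_OCTETS];  /* fixed buffer: what an unchecked copy would overrun */
    size_t  payload_len;
    int     concatenated;               /* 1 if a concatenation IE (IEI 0x00) was present */
    uint8_t ref, total, seq;
};

/* Parse the tail of a TPDU: TP-UDL followed by TP-UD. 8-bit data is assumed, so UDL counts
 * octets. udhi is the TP-UDHI bit from the first TPDU octet. Every length taken from the
 * message is checked against the 140-octet capacity and against the octets actually
 * received (avail) before anything is copied. Hypothetical function, not a real API. */
enum sms_ud_status sms_parse_user_data(const uint8_t *ud, size_t avail, int udhi,
                                       struct sms_user_data *out) {
    memset(out, 0, sizeof *out);
    if (avail < 1) return UD_ERR_TRUNCATED;
    size_t udl = ud[0];
    if (udl > SMS_TP_UD_OCTETS) return UD_ERR_UDL_TOO_LARGE;  /* the "200 bytes claimed" case */
    if (udl > avail - 1) return UD_ERR_TRUNCATED;              /* claims more than was received */
    const uint8_t *body = ud + 1;
    size_t offset = 0;
    if (udhi) {
        if (udl < 1) return UD_ERR_UDH_BAD;
        size_t udhl = body[0];
        if (1 + udhl > udl) return UD_ERR_UDH_BAD;             /* header longer than user data */
        size_t p = 1;
        while (p < 1 + udhl) {                                  /* walk the information elements */
            if (p + 2 > 1 + udhl) return UD_ERR_UDH_BAD;
            uint8_t iei = body[p], iedl = body[p + 1];
            if (p + 2 + iedl > 1 + udhl) return UD_ERR_UDH_BAD; /* IE overruns the header */
            if (iei == 0x00) {                                  /* concatenation, 8-bit reference */
                if (iedl != 3) return UD_ERR_CONCAT_BAD;
                out->ref = body[p + 2]; out->total = body[p + 3]; out->seq = body[p + 4];
                if (out->total == 0 || out->seq == 0 || out->seq > out->total)
                    return UD_ERR_CONCAT_BAD;
                out->concatenated = 1;
            }
            p += 2 + iedl;
        }
        offset = 1 + udhl;
    }
    out->payload_len = udl - offset;                            /* <= 140 by the checks above */
    memcpy(out->payload, body + offset, out->payload_len);
    return UD_OK;
}

/* Constructed sample: segment 1 of 2 of a concatenated 8-bit message carrying "hello".
 * TP-UDL = 11: UDHL=5, IEI 0x00, IEDL=3, ref=0xA1, total=2, seq=1, then 5 payload octets. */
static const uint8_t SAMPLE_SEGMENT[] = { 0x0B, 0x05, 0x00, 0x03, 0xA1, 0x02, 0x01,
                                          'h', 'e', 'l', 'l', 'o' };
/* Constructed sample: a TP-UDL claiming 200 octets, like the naive example in the thread. */
static const uint8_t SAMPLE_OVERSIZED[] = { 0xC8, 0x41, 0x42, 0x43 };

int main(void) {
    struct sms_user_data ud;
    enum sms_ud_status st = sms_parse_user_data(SAMPLE_SEGMENT, sizeof SAMPLE_SEGMENT, 1, &ud);
    printf("segment: status %d, part %u/%u ref 0x%02X, %zu payload octets\n",
           (int)st, ud.seq, ud.total, ud.ref, ud.payload_len);
    st = sms_parse_user_data(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, 0, &ud);
    printf("oversized UDL: status %d (rejected before any copy)\n", (int)st);
    return 0;
}
```

The ordering matters: the declared length is compared with the fixed capacity and with the received length first, so a hostile UDL or UDHL can only produce an error code, never an out-of-bounds write into `payload`.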

      • by numbski (515011)

        The same person that thought it was good to have automatic voicemail notification. Most modern GSM phones have a special set of binary SMS that come through for various purposes, one being voicemail notification.

    • by rts008 (812749)

      ...it can be used for sms-based viruses that can spread very fast.

      A blackhat could have a field day with this on Twitter!

    • Re: (Score:3, Interesting)

      by Sockatume (732728)

      It's not a true SMS-to-root exploit. So far he's only been able to crash part of the device's software with it; he's still looking into whether it can be used to run arbitrary code.

  • by Anonymous Coward on Friday July 03, 2009 @08:08AM (#28570727)

    Wondering if this can be combined with iPhone's ability to heat red hot while in your pocket

    • Man I just found someone else openly describing the way to root an iPhone via SMS. (I don't know if he started to search after he heard this or what.)

      I HAVE to try this on some dudes (and a girl) I know.

      Then I will make a lolappleboi photo of them, and caption it with "Laem iPwn oozr iz laem." (Think of the original meaning of "lame".)
      Or, depending on what happens, I could use just one word: "iBurn". :D

      Ok, I know I'm evil. :D

  • by forand (530402) on Friday July 03, 2009 @08:08AM (#28570739) Homepage
    So this is bad news for the iPhone but it seems like any carrier of the iPhone should want to implement a simple filter to remove any malicious SMSs from the system.
    • by Joce640k (829181)
      Ummm, carriers stand to profit from this so why would they?
      • by Rogerborg (306625)

        Ummm, carriers stand to profit from this so why would they?

        Humanity </Zarkov>

      • Ummm, carriers stand to profit from this so why would they?

        Maybe I'm not thinking evilly enough, but how would a carrier profit from phones on their network being exploited? If anything, it would start costing them resources when the phones are used to launch DDoS attacks.

        • by dlgeek (1065796)
          The phones will start sending out floods of text messages. People who don't have text plans will pay $0.40 for the received texts. That could be hundreds of dollars caused by one infected iphone (with a text plan, so they won't have anything extra billed) but paid by a large number of customers who aren't going to get upset over $1-$2.
    • by SpzToid (869795)

      Actually this type of exploit has been known to affect Nokia phones for a while already. It seems only normal someone would figure out how to do it to an iPhone (unless Apple was proactive in thwarting such an attack, which hasn't been the case).

      http://www.google.com/search?q=nokia+malformed+sms&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a [google.com]

    • by Mista2 (1093071)

      And why not add some antivirus and a firewall on the phone, and make it a bit bigger, say like a netbook... damn, feature creep again 8)

    • by amicusNYCL (1538833) on Friday July 03, 2009 @01:16PM (#28573733)

      It's not the carrier's responsibility to look at all SMS messages going through their system and filter them out, it's the iPhone's responsibility to not execute untrusted code in the first place. If this was a Microsoft device that's exactly what people would be saying.

  • by Anonymous Coward on Friday July 03, 2009 @08:08AM (#28570743)

    "...Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations,..."

    Cool now my wife can have that iphone she always wanted.

  • by InsertWittyNameHere (1438813) on Friday July 03, 2009 @08:12AM (#28570767)

    If any of you iPhone users wants to know how to prevent this attack, please reply with your cellphone number and I will TXT you the details.

    You're welcome!

    • Re: (Score:3, Funny)

      by Comatose51 (687974)
      9-1-1 I'm going to disable SMS for now just to be safe so just call it and tell me. If my hot blonde, high libido girlfriend picks up, say some obscene things to her. Just act out your fantasy right over the phone. She loves that.
  • by nurb432 (527695) on Friday July 03, 2009 @08:14AM (#28570799) Homepage Journal

    Nice little DDoS attack device, with one hell of a use fee at the end of the month ...

  • by Anonymous Coward on Friday July 03, 2009 @08:16AM (#28570815)

    "as SMS can send binary code that the iPhone processes without user interaction"

    Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?

    • Why would it do that? When you only have a small number of bytes, you want a character set that uses them all. SMS originally used a 7-bit character set, where every 7-bit sequence was a valid printing character. Now you can use 8-bit or 16-bit encodings, but every value is valid. Or do you think there is some magical difference between text and binary? Text is just binary where there is a well-defined mapping from numbers to characters.
    • by Peregr1n (904456) <ian.a.ferguson@gmail.com> on Friday July 03, 2009 @08:38AM (#28570983) Homepage
      Yeah! Ban the characters '0' and '1' from text messages and stop this binary nonsense!
    • by sam0737 (648914)

      "as SMS can send binary code that the iPhone processes without user interaction"

      Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?

      you mean allows only Chinese or Russian to pass through?

      The unicode used is UTF-16, not UTF-8, which almost means every binary code is valid except for some range.

    • by da_matta (854422)
      Text messaging is actually just one service of the SMS bearer, and it can also be used for sending binary content like configuration messages. There are also many variations (e.g. character sets), which are defined by the PDU headers [dreamfabric.com]. Check out the protocol identifiers for available services.

      This sounds like a classical failure to correctly validate the data or handle some unsupported combination resulting in a crash or a buffer overflow. What is amazing is that they can fit an actual payload to the message..
      • by kv9 (697238)

        Text messaging is actually just one service of the SMS bearer, and it can also be used for sending binary content like configuration messages.

        this is correct, I've had the (mis)fortune of working with OTA provisioning in the past, and you can do some pretty crazy things to people's handsets. and because of the hugely incompatible standards and models out there not all will require the user's confirmation.

  • by timmarhy (659436) on Friday July 03, 2009 @08:20AM (#28570837)
    it was as if 1000 apple fanbois cried out and then were silent...
    • Re: (Score:2, Flamebait)

      if only... even if every mac on the planet turned into a robot and killed a baby before collapsing into a pile of toxic debris, it would only shut the fanboys up for 5 minutes before they resumed bleating on about garage band and iphoto...
      • by schon (31600)

        even if every mac on the planet turned into a robot and killed a baby before collapsing into a pile of toxic debris, it would only shut the fanboys up for 5 minutes

        This is blatantly false and you know it!

        If that happened, every true fanboy would immediately start talking about how awesome it was that Jobs had his own robot army.

      • by ae1294 (1547521)

        about garage band and iphoto..

        I thought you wrote ipotato.... I was getting all excited about a new Apple Product and shit...

    • ...because their iPwnes now cry for them. All day and all night. About Vi4gra, P3nis enlagrements, Xial1s, and in russian about DDOSing the iTunes store.

  • by Stavr0 (35032) on Friday July 03, 2009 @08:20AM (#28570841) Homepage Journal
    Could the iPhone be jailbroken via SMS?
  • by just fiddling around (636818) on Friday July 03, 2009 @08:35AM (#28570957) Journal

    That's just great. I can't use all the features of the iPhone because it is crippled by the providers, but any dumbass can get root by SMS?

    If I had "bought" one (I consider the current way of getting it as rent-to-own), I would be pissed.

  • by praseodym (813457) on Friday July 03, 2009 @08:40AM (#28571005) Homepage

    SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.

    • by multipartmixed (163409) on Friday July 03, 2009 @09:46AM (#28571645) Homepage

      And in the case of binary data, you're dead wrong.

      GSM SMS payload is 140 8-bit characters, or bytes, depending how you look at it.

      The default SMS text encoding format uses 7 bits, and employs a bit-shifting algorithm to pack 160 7-bit characters into 140 bytes. Binary formats can't use this compression, as, well, they need all eight bits.

      • Re: (Score:2, Informative)

        by praseodym (813457)

        You're correct. And to complete it:

        "Larger content (Concatenated SMS, multipart or segmented SMS or "long sms") can be sent using multiple messages, in which case each message will start with a user data header (UDH) containing segmentation information. Since UDH is inside the payload, the number of characters per segment is lower: 153 for 7-bit encoding, 134 for 8-bit encoding and 67 for 16-bit encoding." -- from Wikipedia [wikipedia.org]

        So, in this case it's 134 bytes and not 140 since the payload probably doesn't fit
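The 160-in-140 packing multipartmixed describes and the 153/134/67 per-segment figures quoted from Wikipedia fall out of the same arithmetic. The following added example (not code from the original page) implements GSM 7-bit septet packing and unpacking as specified in 3GPP TS 23.038 and computes the per-segment capacity left after a 6-octet concatenation header; the function names are this example's own, and it assumes only characters whose GSM 03.38 code equals their ASCII code (letters, digits, space), so the full alphabet table is not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMS_TP_UD_OCTETS  140  /* TP-User-Data capacity of one message */
#define CONCAT_UDH_OCTETS 6    /* UDHL(1) + IEI 0x00(1) + IEDL(1) + ref(1) + total(1) + seq(1) */

/* Pack n 7-bit characters into octets (TS 23.038 septet packing: each character's 7 bits
 * are placed LSB-first at the next free bit, so 8 characters occupy 7 octets).
 * Returns the number of octets written, or 0 if out_cap is too small. Hypothetical helper. */
size_t gsm7_pack(const char *in, size_t n, uint8_t *out, size_t out_cap) {
    size_t octets = (n * 7 + 7) / 8;
    if (octets > out_cap) return 0;
    memset(out, 0, octets);
    size_t bit = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t septet = (uint8_t)in[i] & 0x7f;
        size_t byte = bit / 8, shift = bit % 8;
        out[byte] |= (uint8_t)(septet << shift);
        if (shift > 1)                              /* septet straddles into the next octet */
            out[byte + 1] |= (uint8_t)(septet >> (8 - shift));
        bit += 7;
    }
    return octets;
}

/* Inverse of gsm7_pack: recover n_chars characters from n_octets packed octets into a
 * NUL-terminated string. Returns n_chars, or 0 if the inputs cannot be consistent. */
size_t gsm7_unpack(const uint8_t *in, size_t n_octets, size_t n_chars, char *out, size_t out_cap) {
    if (n_chars + 1 > out_cap || n_chars * 7 > n_octets * 8) return 0;
    size_t bit = 0;
    for (size_t i = 0; i < n_chars; i++) {
        size_t byte = bit / 8, shift = bit % 8;
        uint32_t v = in[byte] >> shift;
        if (shift > 1) v |= (uint32_t)in[byte + 1] << (8 - shift);
        out[i] = (char)(v & 0x7f);
        bit += 7;
    }
    out[n_chars] = '\0';
    return n_chars;
}

/* Characters that fit in one message's TP-User-Data for a 7-, 8- or 16-bit alphabet after
 * a user data header of udh_octets (0 for a single, unsegmented message). With the 7-bit
 * alphabet the text starts at the first septet boundary after the header (fill bits). */
size_t sms_segment_capacity(unsigned bits_per_char, size_t udh_octets) {
    if (udh_octets > SMS_TP_UD_OCTETS) return 0;
    if (bits_per_char == 7) {
        size_t header_septets = (udh_octets * 8 + 6) / 7;       /* ceil(bits / 7) */
        return (SMS_TP_UD_OCTETS * 8) / 7 - header_septets;     /* 160 - 7 = 153 with a UDH */
    }
    return (SMS_TP_UD_OCTETS - udh_octets) / (bits_per_char / 8);
}

int main(void) {
    uint8_t packed[SMS_TP_UD_OCTETS];
    char msg[161], back[161];
    memset(msg, 'A', 160); msg[160] = '\0';       /* constructed: a full 160-character text */
    size_t oct = gsm7_pack(msg, 160, packed, sizeof packed);
    gsm7_unpack(packed, oct, 160, back, sizeof back);
    printf("160 chars -> %zu octets, roundtrip %s\n", oct, strcmp(msg, back) == 0 ? "ok" : "FAILED");
    printf("single message: 7-bit %zu, 8-bit %zu, UCS-2 %zu\n",
           sms_segment_capacity(7, 0), sms_segment_capacity(8, 0), sms_segment_capacity(16, 0));
    printf("per segment:    7-bit %zu, 8-bit %zu, UCS-2 %zu\n",
           sms_segment_capacity(7, CONCAT_UDH_OCTETS), sms_segment_capacity(8, CONCAT_UDH_OCTETS),
           sms_segment_capacity(16, CONCAT_UDH_OCTETS));
    return 0;
}
```

A handy check for the packer is the widely published PDU example "hellohello", which packs to E8 32 9B FD 46 97 D9 EC 37 (ten characters in nine octets). The capacity function also shows why the thread's two numbers do not conflict: 140 is the octet budget, 160 is what the 7-bit alphabet squeezes into it, and a 6-octet header costs 7 septets rather than 6 because the text is realigned to a septet boundary.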

  • How does this compare to the story from two weeks ago? [slashdot.org]
  • by FelxH (1416581) on Friday July 03, 2009 @08:46AM (#28571067)
    from the second link: "We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices."
    • Re: (Score:3, Insightful)

      by El_Muerte_TDS (592157)

      No, learn to read. The second link says that they have technology to send an SMS message to a phone without needing a carrier. It doesn't say anything about exploiting bugs in the handling of the SMS message.

    • Apparently no Symbian devices. I know that Nokia allows for apps to be installed in a way in which they somehow go through the generic message inbox (the one that gets SMS, e-mail, etc.)
      But the Symbian devices let you jump through at least two hoops before it gets installed. First you have to agree to run the installer. And then you have to agree to the installer having the right to install anything that will survive a reboot, without the usually needed certificate.

  • How the hell can a format that's supposed to be passive plain text yield root access? Just receive and store the damn text, don't try to interpret it! If other apps want to peek into received messages and perform actions on that, fine, but this is just Outlook all over again!

    • by peppepz (1311345)
      With the current 3GPP specification SMS can also be concatenated, contain pictures and sounds, configure your phone’s browser, contain "push" links etc.
      99% of this functionality is crap and was made obsolete by MMS, but phones still have to support it.
    • by ae1294 (1547521)

      How the hell can a format that's supposed to be passive plain text yield root access? Just receive and store the damn text, don't try to interpret it! If other apps want to peek into received messages and perform actions on that, fine, but this is just Outlook all over again!

      Simple.. you send the message -

      root ...

  • by Sfing_ter (99478) on Friday July 03, 2009 @09:39AM (#28571581) Homepage Journal

    The iPwn. Be the first on your network to get iPwned.

    Pwn Different!

    Just Pwn.

    http://www.screenprintingasap.com/EBAY/ipwn/ipwn_a.jpg [screenprintingasap.com]

  • Cancel Texting (Score:4, Insightful)

    by joNDoty (774185) on Friday July 03, 2009 @11:15AM (#28572551)

    I recently canceled texting completely on my iPhone 3GS. Texting fees are outrageous and I'm not putting up with them anymore. If you want to text me, send it to my email address. Your phone probably supports texting to an email address and you don't even realize it. You can also reply to free texts I send you and I get notified instantly.

    Sure, I can't receive texts sent to my phone number, but that's a sacrifice I'm willing to make if I'm going to help my country kick this ridiculous habit of overpaying for tiny emails.

    • by Tony Hoyle (11698)

      Very, very few phones support email, and those that do mostly don't come with setups to talk to a compliant SMTP server, because nobody uses it. I once tried to make a Nokia do it.. 'it's easy' said the fanboys. 3 days later I gave up.. and that's with control of my own SMTP server and the ability to reflash the firmware to enable the email options.

      Email is dead, anyway. If you want to wade through penis enlargement adverts, sure, keep using email. Everyone else has moved on.

  • Sounds more like an FBI Backdoor than an exploit.

    Oh but dont worry, the federal government has your interest at heart.
