iPhone Vulnerability Yields Root Access Via SMS

snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."

Re:easy to stop on att just have them block txt.

[Anonymous Coward]

It still never ceases to amaze me that US carriers get away with charging for INCOMING text messages.

Here in the UK we don't always get the best or cheapest service plans, but one thing that every plan from every provider has in common is that incoming standard text messages are free.

Re:Ouch!

[GeorgeStone22]

I don't get your mindset. The phone has obviously sold millions upon millions. It's doing something right. It's called usability and the iPhone has it by the bucket loads. Before the iPhone came about putting apps onto a phone was annoying and awkward for the average user. You had to download the .sis (On symbian OS) then put it on a memory card, then finally install it. Apple have made mobile applications accessible to the masses, and Grindr is proof of that. I don't agree with everything Apple has done with the iPhone, but I agree with enough of it to have just ordered a 3Gs. My previous phone was a Nokia 6600 which was probably more feature rich, but using it was torture.

Re:Ouch!

[L4t3r4lu5]

This might be linked to the MobileMe Find My iPhone, Remote Wipe, and remote message facilities. If these are commands sent by SMS message from MobileMe, then perhaps they can be overflowed to run arbitrary commands.

After all, if you can wipe the phone remotely, then that system has root access, does it not?

N.B. I am not a security researcher.

Re:Ouch!

[Sockatume]

It's not a true SMS-to-root exploit. So far he's only been able to crash part of the device's software with it, he's still looking into whether it can be used to run arbitrary code.

Depends how you define characters

[multipartmixed]

And the case of binary data, you're dead wrong.

GSM SMS payload is 140 8-bit characters, or bytes, depending how you look at it.

The default SMS text encoding format uses 7-bits, and employs a bit-shifting algorithm to pack 160 7-bit characters in to 140 bytes. Binary formats can't use this compression, as, well, they need all eight bits.

Re:SMS?

[Short Circuit]

Any privilege elevation exploit will benefit anyone seeking elevated privileges on your equipment. This included law enforcement, the mafia and your mom.

Nice little bit of paranoia you've got going there.