snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."
So this is bad news for the iPhone but it seems like any carrier of the iPhone should want to implement a simple filter to remove any malicious SMSs from the system.
by Anonymous Coward
on Friday July 03, @08:08AM (#28570743)
"...Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations,..."
Cool now my wife can have that iphone she always wanted.
9-1-1
I'm going to disable SMS for now just to be safe so just call it and tell me. If my hot blonde, high libido girlfriend picks up, say some obscene things to her. Just act out your fantasy right over the phone. She loves that.
Why would it do that? When you only have a small number of bytes, you want a character set that uses them all. SMS originally used a 7-bit character set, where every 7-bit sequence was a valid printing character. Now you can use 8-bit or 16-bit encodings, but every value is valid. Or do you think there is some magical difference between text and binary? Text is just binary where there is a well-defined mapping from numbers to characters.
if only... even if every mac on the planet turned into a robot and killed a baby before collapsing into a pile of toxic debris, it would only shut the fanboys up for 5 minutes before they resumed bleating on about garage band and iphoto...
I note Symbian is conspicuously absent from that list. Interesting, considering that it has around 70+% of the market (isn't market share the excuse MS apologists always give for exploits?). Still a large enough installed base for a very irritating SMS-spam botnet though.
With the current 3GPP specification SMS can also be concatenated, contain pictures and sounds, configure your phone’s browser, contain "push" links etc.
99% of this functionality is crap and was made obsolete by MMS, but phones still have to support it.
I don't get your mindset.
The phone has obviously sold millions upon millions.
It's doing something right.
It's called usability and the iPhone has it by the bucket loads.
Before the iPhone came about, putting apps onto a phone was annoying and awkward for the average user. You had to download the .sis (on Symbian OS), then put it on a memory card, then finally install it.
Apple have made mobile applications accessible to the masses, and Grindr is proof of that.
I don't agree with everything Apple has done wi
He used to work for Microsoft where he spent his time adding "can execute code" to all their media file formats. Now he's at Apple (and continuing the good work...)
This might be linked to the MobileMe Find My iPhone, Remote Wipe, and remote message facilities. If these are commands sent by SMS message from MobileMe, then perhaps they can be overflowed to run arbitrary commands.
Wonder how this goes together .. (Score:3, Insightful)
Wondering if this can be combined with iPhone's ability to heat red hot while in your pocket
Can't Carriers Stop this? (Score:4, Insightful)
Humanity </Zarkov>
Re: (Score:2)
Actually this type of exploit has been known to affect Nokia phones for a while already. It seems only normal someone would figure out how to do it to an iPhone (unless Apple was proactive in thwarting such an attack, which hasn't been the case).
http://www.google.com/search?q=nokia+malformed+sms&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a [google.com]
Re:Can't Carriers Stop this? (Score:5, Insightful)
It's not the carrier's responsibility to look at all SMS messages going through their system and filter them out, it's the iPhone's responsibility to not execute untrusted code in the first place. If this was a Microsoft device that's exactly what people would be saying.
Prevention/Defense (Score:5, Funny)
If any of you iPhone users wants to know how to prevent this attack, please reply with your cellphone number and I will TXT you the details.
You're welcome!
Run up your bill too (Score:4, Insightful)
Nice little DDoS attack device, with one hell of a use fee at the end of the month ...
Well there's your problem! (Score:5, Insightful)
"as SMS can send binary code that the iPhone processes without user interaction"
Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?
Re: (Score:2)
"as SMS can send binary code that the iPhone processes without user interaction"
Why is it even possible to send raw binary? Shouldn't it allow only a heavily-filtered subset of characters?
you mean allows only Chinese or Russian to pass through?
The Unicode encoding used is UTF-16, not UTF-8, which means almost every binary code is valid except for some range.
Re: (Score:3, Informative)
Actually, they do MMS just fine.
But I wouldn't expect you to know that.
Re: (Score:3, Insightful)
Apple bashers seemingly have one thing in common: they are inordinately smug c*** suckers
I thought that's the one thing that Apple fanbois had in common... now I'm confused.
i sense a disturbance in the force (Score:3, Funny)
Next thing ... (Score:5, Funny)
At least SOMEBODY has full access to my iPhone! (Score:5, Informative)
That's just great. I can't use all the features of the iPhone because it is crippled by the providers, but any dumbass can get root by SMS?
If I had "bought" one (I consider the current way of getting it as rent-to-own), I would be pissed.
SMS limit isn't 140 characters (Score:5, Informative)
SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.
Depends how you define characters (Score:4, Interesting)
And the case of binary data, you're dead wrong.
GSM SMS payload is 140 8-bit characters, or bytes, depending how you look at it.
The default SMS text encoding format uses 7-bits, and employs a bit-shifting algorithm to pack 160 7-bit characters in to 140 bytes. Binary formats can't use this compression, as, well, they need all eight bits.
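The 140-octet, 160-septet and concatenation claims in this thread (and the reassembly of multi-part messages the summary mentions), as an added worked example that is not code from the thread or from Apple: it implements GSM 03.38 septet packing, the text capacity left once a concatenation header is present, and a parser for the concatenation header that a gateway-side filter would need in order to track multi-part messages. The ASCII-compatible character subset and the sample header bytes are assumptions constructed for the example.

```python
# Added example, not code from the thread or from Apple: GSM 03.38 7-bit
# packing and the user data header (UDH) that concatenated SMS relies on.

# GSM 03.38 overlaps ASCII for these characters; elsewhere the real table
# differs (e.g. '@' is 0x00), so this subset mapper rejects anything else.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            " !\"#%&'()*+,-./:;<=>?")

def text_to_septets(text: str) -> list[int]:
    if not set(text) <= _SAFE:
        raise ValueError("character outside the ASCII-compatible GSM subset")
    return [ord(c) for c in text]

def pack_septets(septets: list[int]) -> bytes:
    """Pack 7-bit values LSB-first: 8 septets fill 7 octets, 160 fill 140."""
    bits = 0
    for i, s in enumerate(septets):
        bits |= (s & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little")

def unpack_septets(data: bytes, count: int) -> list[int]:
    """Inverse of pack_septets; count is what TP-UDL carries in a real PDU."""
    bits = int.from_bytes(data, "little")
    return [(bits >> (7 * i)) & 0x7F for i in range(count)]

def septet_capacity(udh_octets: int = 0) -> int:
    """Septets left for text in a 140-octet PDU when udh_octets of header
    precede it; the header plus its UDHL byte is padded to a septet boundary."""
    if udh_octets == 0:
        return 160
    return 160 - (8 * (udh_octets + 1) + 6) // 7

def parse_concat_udh(user_data: bytes):
    """Return (ref, total, seq) from a concatenation element (IEI 0x00 with
    an 8-bit ref, or 0x08 with a 16-bit ref), or None if there is none."""
    udhl = user_data[0]
    pos, end = 1, 1 + udhl
    while pos + 2 <= end:
        iei, iedl = user_data[pos], user_data[pos + 1]
        body = user_data[pos + 2:pos + 2 + iedl]
        if iei == 0x00 and iedl == 3:
            return body[0], body[1], body[2]
        if iei == 0x08 and iedl == 4:
            return int.from_bytes(body[:2], "big"), body[2], body[3]
        pos += 2 + iedl
    return None

# Constructed sample UDH: UDHL=5, then IEI 0x00, IEDL 3, ref 0x2A, part 2 of 3.
# In a real PDU the packed text follows, padded to start on a septet boundary.
SAMPLE_UDH = bytes([0x05, 0x00, 0x03, 0x2A, 0x03, 0x02])
```

septet_capacity(5) returns 153, the familiar per-part text limit for concatenated SMS with an 8-bit reference, which is where the "140 vs 160" argument above actually lands.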
Didn't this just happen? (Score:2)
Seems to affect other smart phones as well ... (Score:5, Informative)
Re: (Score:3, Insightful)
No learn to read. The second link says that they have technology to send an SMS Message to a phone without needing a carrier. It doesn't say anything about exploiting bugs in the handling of the SMS Message.
Outlook all over again? (Score:2)
How the hell can a format that's supposed to be passive plain text yield root access? Just receive and store the damn text, don't try to interpret it! If other apps want to peek into received messages and perform actions on that, fine, but this is just Outlook all over again!
Apples Newest Product... (Score:5, Funny)
The iPwn. Be the first on your network to get iPwned.
Pwn Different!
Just Pwn.
http://www.screenprintingasap.com/EBAY/ipwn/ipwn_a.jpg [screenprintingasap.com]
Cancel Texting (Score:4, Insightful)
I recently canceled texting completely on my iPhone 3GS. Texting fees are outrageous and I'm not putting up with them anymore. If you want to text me, send it to my email address. Your phone probably supports texting to an email address and you don't even realize it. You can also reply to free texts I send you and I get notified instantly.
Sure, I can't receive texts sent to my phone number, but that's a sacrifice I'm willing to make if I'm going to help my country kick this ridiculous habit of overpaying for tiny emails.
Re:Ouch! (Score:5, Funny)
1) Hacker Sends SMS to target phone
2) Phone gets virus, virus looks up address book and sends itself to everyone in their address book
3) Phone with virus does evil stuff to phone
Damn, that's excellent... erm, I mean... too bad... for... you know... California... and Art Students...
Phones are for phoning people
PDAs/Netbooks/Laptops are for doing business on the move
Laptops/Gameboys are for mobile gaming
The only combination I'll accept are mobile phones that play my MP3s... since it's a small, simple extension of the already available 'ringing' feature of phones :P
Oh, and cameras... I'll accept camera phones... They're useful.
And Skype access
And Wifi for the Skype...
and while we've got Wifi we might as well have a browser
and maybe the ability to put other apps on it too...
*damnit* I've fallen for feature creep... someone help!
Re: (Score:2)
1) I don't own a car
2) You missed the point
3) You really think that Grindr [apptism.com] is as essential to a phone as a wheel is to a car?
Mobile homebrew gaming? (Score:2)
Laptops/Gameboys are for mobile gaming
What do you recommend for mobile gaming that meets my cousin's criteria?
Laptops fail 1, Game Boy fails 2, and GP2X fails 3. The only video gaming platform we could
Re: why skype and not SIP (voip) (Score:2)
Please don't promote skype in this space. It is too proprietary, and consumes too much battery power running as a 3rd party app.
Why not buy a true SIP phone? Then you can set it up like an extension at your office/PBX, or configure it directly to a service like www.voipcheap.com. Personally, I won't buy a phone unless it is supported on a list like this one:
http://www.forum.nokia.com/Technology_Topics/Mobile_Technologies/VoIP/Nokia_VoIP_Framework/VoIP_support_in_Nokia_devices.xhtml [nokia.com]
In the US, T-mobile sells
Re:Ouch! (Score:5, Insightful)
Who the fuck thought it would be a good idea to automatically execute the content of a message you have no control over whatsoever?
Re:Ouch! (Score:5, Interesting)
After all, if you can wipe the phone remotely, then that system has root access, does it not?
N.B. I am not a security researcher.
Re: (Score:3, Insightful)
Yeah, because the same happened in the webserver market. Apache installations get rooted every single minute.
Re: (Score:2)
...it can be used for SMS-based viruses that can spread very fast.
A blackhat could have a field day with this on Twitter!
Re: (Score:3, Interesting)
It's not a true SMS-to-root exploit. So far he's only been able to crash part of the device's software with it, he's still looking into whether it can be used to run arbitrary code.
easy to stop on att just have them block txt. (Score:2)
easy to stop on att just have them block txt.
The real bad part about this is that if you don't have a txt plan, someone can spam you and you pay $0.20 per incoming txt. However, this may be a good thing, as if this goes big time then they may be forced to make incoming free.
Re: (Score:3, Interesting)
Any privilege elevation exploit will benefit anyone seeking elevated privileges on your equipment. This includes law enforcement, the mafia and your mom.
Nice little bit of paranoia you've got going there.