Wednesday, July 29, 2009

Black Hat Nails iPhone SMS Security Hole

I don't follow iPhone security, but this one is major. It is also coming out of Black Hat USA 2009. So if you have an iPhone, you'd better read this! Or you may become INFECTED!

Short version: SMS stands for Short Message Service. Thanks to a security hole in the iPhone OS, your iPhone can get pwned via a malevolent SMS message. To quote Forbes Magazine:
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
Why Thursday? At 11:15 AM, Las Vegas, NV time, our pal Dr. Charlie Miller along with cybersecurity expert Collin Mulliner give their talk "Fuzzing The Phone In Your Phone". To quote Dr. Miller from his website Security Evaluators (you owe me for all this publicity Charlie!):
In this talk they will show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. They will present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). They’ll show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, they will present the results of this fuzzing and discuss their impact on smart phones and cellular security.
As you can see, the SMS security hole is NOT just on the iPhone.

Apparently Dr. Miller notified Apple about this hole over a month ago. One website said Apple knew about the hole 6 months ago. Apple is a slowpoke. Ars Technica reported July 3rd that Apple is working on a patch for this problem. At the moment there is no patch from Apple or any announcement regarding this problem. Theoretically the patch will be in iPhone OS X v3.1. World of Apple reports that yesterday, July 28, Beta 3 of iPhone OS X v3.1 was distributed for testing. They believe the release will be in mid-August. Oops. That's a couple of weeks away. Time for suspense!

Some further reading pleasure can be found at MacFixIt, PCWorld and InfoWorld.

My suggested interim workaround (though I don't have an iPhone myself): Turn OFF incoming SMS on your iPhone. Or just leave your phone off, like that's an option.

Here is a discussion on how to stop SMS on the iPhone:


Note that turning off SMS previews is NOT effective. You want to stop the messages from getting to your phone entirely. (You have permission to hit me if I am incorrect on this point).

Oh BTW: Dino Dai Zovi gave his talk "Macsploitation with Metasploit" today at 10:00 AM Las Vegas time and his talk "Advanced Mac OS X Rootkits" at 11:15 AM Las Vegas time. When I learn of any important ramifications, I'll post. There is an audio interview with Dino Dai Zovi that reviews his interest and experience in Metasploit and Mac Rootkits.


  1. But is this limited to the iPhone alone? What about Android or the newly renamed Windows Phone?

  2. No! This SMS hole is apparently in SMS itself and other smartphones are potentially vulnerable. Dr. Charlie says that means Android and WinCE phones. I was a bit surprised how the iPhone was singled out today in the news as being THE victim. Even fell for it. Lazy press! I tossed a comment up at SlashDot scolding them.

    But nothing new for Mac fans. It's like Apple is the planet with a force of gravity that draws in ridiculously manic press writers. The hyper rumor mill rubbish this past week about the non-existent Apple 'tablet' is another excellent example. Lazy crazy press.