iPhone SMS Vulnerability Found, Getting Patched

News — Thu, 02 Jul 2009 15:02:40 GMT

A *** in the iPhone's armor? Say it ain't so! During a presentation at the SyScan conference in Singapore, security researcher Charlie Miller made clear that there was a significant vulnerability in the iPhone's SMS system, a flaw that could "allow an attacker to remotely install and run unsigned software code with root access to the phone."

Of course, it's likely that this won't be exploited en masse, but the sheer fact that so many iPhones are out there makes this a serious risk. According to Miller, the attack "exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service)," but due to a prearranged agreement with Apple to keep the details out of the press, he refused to say more. In fairness, we're glad that he's passing the evidence onto Apple for it to mend up the problem before it becomes something more serious.

The only details Miller had were this: "The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator's network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet."

Miller is planning to detail the hole more at the Black Hat USA expo in Las Vegas later this year, which gives Apple a short window of time to patch the vulnerability. If all goes planned, Apple will actually have a fix ready "later this month."

Cell Phones and Multi-Function Devices

iPhone SMS Vulnerability Found, Getting Patched