Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Cellphones Businesses Security Apple

SMS Hack Could Make iPhones Vulnerable 254

Posted by CmdrTaco
from the up-against-the-wall-and-spread-'em dept.
mhx writes "A single character sent by text message could allegedly compromise every iPhone released to date. The technique involves sending only one unusual text character or else a series of 'invisible' messages that confuse the phone and open the door to attack. Apple has not released any updates yet, so little can be done, except to power off your iPhone to avoid being hacked."
This discussion has been archived. No new comments can be posted.

SMS Hack Could Make iPhones Vulnerable

Comments Filter:
  • by Algorithmn (1601909) on Thursday July 30, 2009 @09:17AM (#28881703) Homepage
    I saw this one coming. Some cell phones cannot distinguish between a moble provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.
  • As I recall Apple (DRM) was stating that jailbreaking cellphones was something to be done by terrorists who want to destroy cellphone infrastructure.

    Interesting that a SMS message can destroy apples;)

  • Lots can be done... (Score:4, Interesting)

    by John Whitley (6067) on Thursday July 30, 2009 @09:25AM (#28881857) Homepage

    So little can be done, except power off your iPhone to avoid being hacked

    Little can be done... except block such messages entirely at the provider level. When the attack vector is clearly defined, it's easy to scan for it.

  • Weird article. (Score:1, Interesting)

    by sootman (158191) on Thursday July 30, 2009 @09:28AM (#28881907) Homepage Journal

    Gotta love the way things get prioritized to create an attention-grabbing headline.

    "Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn't released a patch..."

    OMG, ONE WHOLE MONTH! Oh, and by the way, "...in the last 18 months, cybercriminals have begun using text messages to send links to malicious Web sites that infect the phone with malware, says Mikko Hyppönen, an F-Secure researcher. One seemingly-Chinese variant, known as 'Sexy View' and currently targeting the Symbian operating system, is far more threatening than an iPhone attack, given that around 50% of cellphones use Symbian, [emphasis added] Hyppönen says."

    Miller also says "Texting applications' insecurity isn't due to the software's complexity so much as the security community's inattention and the expense of sending thousands of text messages to test a phone's security..."--um, I have an unlimited texting plan (AT&T, USA) and it's... well, I forget how much, but it's not a lot.

    That said, a) it shouldn't be that hard to lock down an app whose main job is to send, receive, and display TEXT, and 2) because of that, I hope Apple issues a fix for this soon.

  • Re:Good (Score:2, Interesting)

    by psychokitten (819123) on Thursday July 30, 2009 @09:31AM (#28881941)
    Funny how you mention that since just the other day at work we were noticing how my Edge connection on T-Mobile is faster than a co-worker's 3G AT&T connection was.
  • Re:Text character? (Score:4, Interesting)

    by MaerD (954222) on Thursday July 30, 2009 @10:17AM (#28882647)
    This reminds me of the days when on a BBS a badly calibrated modem would actually hang up if someone put +++ATH0 in the message. *sigh* I feel so old.
  • by FelxH (1416581) on Thursday July 30, 2009 @10:27AM (#28882787)
    According to the previous article [blackhat.com], they have found a way to send sms messages without any provider: "This method does not use the carrier and so is free (and invisible to the carrier)". So blocking at the provider level won't work unfortunately
  • by FireFury03 (653718) <slashdot@CHEETAHnexusuk.org minus cat> on Thursday July 30, 2009 @12:05PM (#28884153) Homepage

    Correct me if I'm wrong, but since the SMS messages have to go through the carrier towers, can't this character be "cleaned" from the message there before it even hits the phone?

    What if I want to use that character legitimately?

  • by Sentax (1125511) on Thursday July 30, 2009 @01:13PM (#28885297)
    If there is a vulnerability with said character, then just using it would not be legitimate until the problem was fixed on the phone firmware.

    Cleaning the character at the carrier could prevent problems spreading to the phone and be a "quick fix", but doesn't make it go away, the phone would need to release a patch eventually, then you can use your Unicode heart character (or whatever else char it is) in your text messages again.
  • by Anonymous Coward on Thursday July 30, 2009 @01:39PM (#28885763)

    One vendor released a fix, one vendor did not (yet). The open or closed nature of the platform had nothing to do with it in this case, it is not as if Joe Nobody fixed the flaw for all Android users from his basement.

Never tell people how to do things. Tell them WHAT to do and they will surprise you with their ingenuity. -- Gen. George S. Patton, Jr.

Working...