SMS Hack Could Make iPhones Vulnerable

mhx writes "A single character sent by text message could allegedly compromise every iPhone released to date. The technique involves sending only one unusual text character or else a series of 'invisible' messages that confuse the phone and open the door to attack. Apple has not released any updates yet, so little can be done, except to power off your iPhone to avoid being hacked."

Binary Encoded Messages

[Algorithmn]

I saw this one coming. Some cell phones cannot distinguish between a moble provider sending binary encoded XML enabled SMS messages or an attacker through an SMS gateway. Amateur security model/practices.

Re:Binary Encoded Messages

[sopssa]

This was detailed a few days ago -- more details on http://www.computerworld.com/s/article/9136008/Some_SMS_networks_vulnerable_to_attack [computerworld.com]

How many times it needs to be said.. *never* trust the client.

Re:Binary Encoded Messages

[Algorithmn]

http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-whitepaper.pdf [blackhat.com] The weakest link is always exploited first. Trust nothing.

Re:Binary Encoded Messages

[clang_jangle]

Apparently it's not just the iPhone affected. FTFA:

The iPhone SMS bug is just one of a series that the researchers plan to reveal in their talk. They say they've also found a similar texting bug in Windows Mobile that allows complete remote control of Microsoft-based devices. Another pair of SMS bugs in the iPhone and Google's Android phones would purportedly allow a hacker to knock a phone off its wireless network for about 10 seconds with a series of text messages. The trick could be repeated again and again to keep the user offline, Miller says. Though Google has patched the Android flaw, this second iPhone bug also remains unpatched, he adds.

Re:

[YouWantFriesWithThat]

so the bug can knock the user off the wireless network, eh? some sort of denial of service for cell phones? almost like they are being jammed? [dealextreme.com]

Re:Binary Encoded Messages

[SanityInAnarchy]

In other words, Android, the open platform, patched before iPhone, the closed platform.

Yet I still occasionally run into people trying to claim that the iPhone being closed is somehow good, as it's more secure.

Re:

[SanityInAnarchy]

Those are other claims. If you want to talk about them, we can, but it's getting a bit offtopic.

It seamlessly syncs with my calendar, address book, etc.

Is that not true on Android?

Browsing the web works quickly and pages render pretty well.

Are you really going to tell me that's unique? Both Android and iPhone use Webkit-based browsers.

Even in the event that my iPhone gets hacked by a vulnerability apple fails to fix, I won't regret my decision.

That sounds very much like a fanboi or astroturf position. You won't regret it? Not even for a moment?

Tell me... just how much would Apple have to screw up for you to regret it?

There's no worthwhile information on it to steal, and it gets backed up every time I plug it in (every day).

That tells me you're either naive or a naive asshole.

Suppose someone cracks your phone and uses it to send thousan

Re:

[d3ac0n]

What about the Pre?

Nothing about that in the article.

Re:Binary Encoded Messages

[davester666]

Nope, the 3 Pre users are completely safe. They only text amongst themselves.

Re:

[FireFury03]

Correct me if I'm wrong, but since the SMS messages have to go through the carrier towers, can't this character be "cleaned" from the message there before it even hits the phone?

What if I want to use that character legitimately?

Re:

[FireFury03]

If there is a vulnerability with said character, then just using it would not be legitimate until the problem was fixed on the phone firmware.

I haven't seen anything saying what the character is (and more saying that the character being displayed is just a side effect of the crack, not actually the vulnerability). But, that aside, if a legitimate character affects a vulnerability on a *single device*, the service provider has no business breaking legitimate uses of that character by the majority of people (i.e. those that don't own an iphone).

As much as you may like to believe that there is no legitimate use for non-ASCII characters, you are wro

Re:

[FireFury03]

I already get pissed off that there is no way to enter a "Å" character into my P900

Seems Slashdot is also broken at handling unicode characters - that is supposed to be a "Y" with a "^" accent.

Re:

[pegdhcp]

GSM operators would not give a half portion fart for the solution, as long as the problem does not put their infrastructure in danger. Otherwise we are talking about lots of phones, each sending SMSs to other phones, without knowledge or intervention of the subscriber. It is a dream that come true for operators....

"SMS Hack Could Makes iPhones Vulnerable"

[Anonymous Coward]

In other news, the same SMS hack can be used to make headlines appear with wrongly used verbs...

Re:

[Ihmhi]

RTFA. It's from one of the newer Slashdot editors, T0k1WAR2th.

Re:

[Shatrat]

Hah, it took me a second to get that.
Good one.

App Store

[oldspewey]

Want to pwn every apple smartphone in the world?

There's an app for that.

Re:App Store

[Bemopolis]

Well there *will* be, once it gets through the App Store approval process. So, next year.

Re:App Store

[jDeepbeep]

So, never.

fixed that for you :D

Re:Beer summit

[sexconker]

BEEP BEEP
I AM AC
I AM A ROBOT
I HAVE A ROBOT VAGINA
BOOP

Filter error: Don't use so many caps. It's like YELLING. I AM NOT YELLING I AM A ROBOT THIS IS HOW ROBOTS TALK BOOP

Text character?

[pushing-robot]

The technique involves sending only one unusual text character

Let me guess: "Q". Damned "Q".

Re:

[Yvan256]

I guess he got bored of annoying only a handful of starship captains.

Re:Text character?

[viking099]

Thanks a lot ass^7'89-NO CARRIER

Re:Text character?

[MaerD]

This reminds me of the days when on a BBS a badly calibrated modem would actually hang up if someone put +++ATH0 in the message. *sigh* I feel so old.

Re:

[TheRaven64]

That continued into the Internet era. There used to be apps that sent ICMP packets with the string +++ATH0 in the payload. Some modems would hang up when they received it.

Re:

[MaerD]

Either way, we've got 20+ years of evidence that allowing information from a unvalidated and untrusted remote data stream to cause hardware to do things that should only be issued from a local command (or at least trusted remote source) is a bad thing.


How do we keep making the same design mistakes?

Re:Text character?

[sexconker]

Because it's easier for me to test, dammit.
I make all these fucking routers and cable modems and shit by hand. Maybe if one of you fuckers would help me we wouldn't have this problem.

Read about this yesterday

[DigitalSorceress]

FYI: It's not that one character can break your iPhone, it's about 512 text messages sent at your phone, causing certain buffer overflows. The proof on concept ended up where the slew of messages (apparently arrived at originally by fuzzing) winds up only showing one visible character (appears as a box).

The author said that it could probably be refined so that it wouldn't send anything that would show up.

500 or so un-seen text messages, and you're iPwned.

Gotta love the Black Hat Briefings.

Re:Read about this yesterday

[emag]

500?! Egads, that's gonna cost a _fortune_ at today's txting rates!

Re:

[d3ac0n]

unless you have an unlimited plan.

Re:

[Kral_Blbec]

No, that just means you got screwed in advance.

Re:

[Tony Hoyle]

Say I don't have an unlimited plan (which nearly everyone does, but..)

SMS costs £0.04 on average. Let's say you're on a really expensive pay as you talk plan and it costs 3 times that.. so £0.12.

£60

Hardly a 'fortune' if you're planning to take out a phone anyway.. and unlimited plans on pay as you talk cost far less than that anyway so you'd never pay that even in the worst case.

Re:

[Sandbags]

...and the carrier doesn't have a facility in place for limiting the number of text messages sent to a particiular device in a given time frame? say max of 1 in any 2 second interval??? ...and they can't simply block SMS messages that contain non-standard characters in certain known formats that could be exploits??? i know they can filter by sender, receiver, zip code, and pretty much any other relational expression i could come up with. Prior to getting my iPhone, i auto-blocked everything text related

Re:

[BrokenHalo]

...and the carrier doesn't have a facility in place for limiting the number of text messages sent to a particiular device in a given time frame?

There is a confusion of functions here. The purpose of a carrier is to carry messages, not to refuse them. Much better for the carrier to do its job and let the client decide whether or not it wants to accept the message.

Re:

[sexconker]

Yeah, and with the service I get, they'll send them to me and I'll only get half of them, then I'll get 2 more a week every week, all out of order.

Is this why they were distracting us yesterday?

[amcdiarmid]

As I recall Apple (DRM) was stating that jailbreaking cellphones was something to be done by terrorists who want to destroy cellphone infrastructure.

Interesting that a SMS message can destroy apples;)

Re:Is this why they were distracting us yesterday?

[DigitalSorceress]

Actually, that's exactly what I was thinking.

Once you've taken over someone's iPhone in this manner, it seems to me you've got more power to use the thing than the original owner had (unless they had Jailbroken their phone already).

Interestingly enough, this vulnerability is in the factory-spec iPhone - it doesn't require it to have been jailbroken.

So, yeah, Apple claims they're jailing your phone to protect you from bad guys and to protect the infrastructure from you, but this goes to prove that the only thing they're protecting are their (and AT&T's) pockets.

All this from a company where the CEO's liver is replaceable, but the battery in your phone or laptop is not.

~ducking~

Re:Is this why they were distracting us yesterday?

[Bemopolis]

All this from a company where the CEO's liver is replaceable, but the battery in your phone or laptop is not.

The battery in the iPhone and laptop are replaceable, just not by the owner. This was also the case for Steve's liver. JOKE FAIL.
<\memekiller>

Re:

[machine321]

The battery in the iPhone and laptop are replaceable, just not by the owner. This was also the case for Steve's liver. JOKE FAIL.

A sufficiently experienced user can replace his liver; I'll bet Steve Wozniak could do it.

Re:

[Anonymous Coward]

The battery in the iPhone and laptop are replaceable, just not by the owner. This was also the case for Steve's liver. JOKE FAIL.

A sufficiently experienced user can replace his liver; I'll bet Steve Wozniak could do it.

Yeah, but it would void his warranty

Re:

[pegdhcp]

Maybe they should invite (=forcibly drag into the office) Woz for an overall engineering supervisory position.

Re:

[chord.wav]

Aside of the stupid joke about a man's health. I agree with everything.

Lots can be done...

[John Whitley]

So little can be done, except power off your iPhone to avoid being hacked

Little can be done... except block such messages entirely at the provider level. When the attack vector is clearly defined, it's easy to scan for it.

Re:Lots can be done...

[Anonymous Coward]

Little can be done... except block such messages entirely at the provider level. When the attack vector is clearly defined, it's easy to scan for it.

Or, maybe the iphone SHOULDN'T EXECUTE UNTRUSTED UNSIGNED UNAUTHENTICATED CODE THAT ARRIVES BY SMS.

Or maybe google will use this flaw to deploy google voice onto iphones now that apple banned them.

Isn't it sad that EVERYONE ELSE has more control over the iphone than fanboi who bought it.

Re:

[Fnord666]

Little can be done... except block such messages entirely at the provider level. When the attack vector is clearly defined, it's easy to scan for it.

Except that since the carrier gets $0.15 per msg here in the good old US, they have no incentive to block these messages. In fact, many of them have insisted that they have no ability at all to identify and block individual messages.

Re:

[Talennor]

In fact, many of them have insisted that they have no ability at all to identify and block individual messages.

They may be telling the truth that they don't have that kind of capabilities. However, that's just an obvious implementation oversight. For something as much an embedded system as a cell phone (lacking firewalling capabilities on its own) and tied so closely to the cellular networks, they should have designed something akin to snort rules for anything in packet based communications so they could filter attacks at the network level. It's not rocket science. It's just how you protect networked systems tha

Re:Lots can be done...

[FelxH]

According to the previous article [blackhat.com], they have found a way to send sms messages without any provider: "This method does not use the carrier and so is free (and invisible to the carrier)". So blocking at the provider level won't work unfortunately

Re:

[rsmith-mac]

That makes absolutely no damned sense. At some point it has to hit the carrier's network, otherwise the phone can't receive it in the first place.

Re:Lots can be done...

[TheRaven64]

Not necessarily, it just has to come over the (wireless) network. There's nothing stopping you simulating a cell tower and sending an SMS (which is just a GSM control packet) to any phone within range.

Re:Lots can be done...

[TheRaven64]

Uh, people doing this would be sending radio signals intended to illegally take control of someone else's phone. I doubt that breaking FCC rules is going to matter to them.

Right-click, wha?

[johnthorensen]

Apparently Apple was going to require *two* unusual text characters for the iPwn hack, but Steve Jobs insisted that this would be too complicated for their users.

Re:Right-click, wha?

[johnthorensen]

Well the jerk store called, and they're running out of...[iPhone Restarting]

In other news...

[6Yankee]

...sex offenders start a mass SMS-sending campaign...

Re:In other news...

[jmahler]

i see what you did there. Awesome. :)

Mod funny please.

Re:In other news...

[Yvan256]

Mods: I think he was referring to the parent above him for the "mod funny" comment.

Re:

[Anonymous Coward]

Mod parent funny!

Re:In other news...

[Yvan256]

Mods are on crack today!

Mod parent funny!

Re:

[sammyF70]

mod me and my wife funny!

Re:In other news...

[Anonymous Coward]

I modded your wife alright.

Re:

[Archangel Michael]

The parent wasn't trying to be funny, please mod Insightful.

That's okay.

[FlyingSquidStudios]

No one ever sends me SMS messages, so I'd be flattered they noticed me if I was hacked. So lonely...

Re:

[josh61980]

Does someone need a hug?

The series of invisible characters

[blind biker]

It is here:

Re:

[jimthehorsegod]

Yeah sure: hunter2

Well...

[dburkland]

Being an iPhone owner it makes me feel all warm and fuzzy inside knowing my $300 phone that is so much better than the rest can be brought to its knees by an SMS message. GG Apple.

Re:

[Kral_Blbec]

a, 2, d? WTF? Back in my day we used 1, 2, 3; a, b, c; or I, II, III... Seems a person can just grab any random 3 characters to make an ordered list nowdays. Now get off my lawn.

Won't someone think of the cell phone towers?

[transporter_ii]

If this hack lets unapproved apps run, then what's going to keep the cell towers from being shut down on a massive scale? Doesn't this make Apple guilty of harming national security?

Re:

[Sandbags]

Doesn't this make AT&T guilty for allowing texts in the system that could not be possibly sent by human beings? SMS is by policy not to be used by automated systems without AT&Ts express authority. Why is this Apple's fault (Or google's, since it also effects Android, and I'm sure shortly will be ANOTHER hack effecting symbian via SMS).

Why worry?

[PPH]

I, for on am not concrnd. It's simply a mattr of not snding that charactr. Crtainly, a company lik Appl can hav it xcludd from th alphabt. And thn w can just gt on with our livs, njoying our iPhons.

Re:

[Midgarn]

I, for on am not concrnd. It's simply a mattr of not snding that charactr. Crtainly, a company lik Appl can hav it xcludd from th alphabt. And thn w can just gt on with our livs, njoying our iPhons.

What happns whn th hackrs dcid to switch to a diffrnt charactr? How will Appl rspond thn?

I, fr n am nt cncrnd. It's simply a mattr f nt snding that charactr. Crtainly, a cmpany lik Appl can hav it xcludd frm th alphabt. And thn w can just gt n with ur livs, njying ur iPhns.

What happns whn th hackrs dcid t switch t a diffrnt charactr? Hw will Appl rspnd thn?

h.

Re:

[PPH]

What happns whn th hackrs dcid to switch to a diffrnt charactr? How will Appl rspond thn?

'' guss Appl wll rally b fuckd f ts th '' n ''Phon.

Re:

[D Ninja]

What happns whn th hackrs dcid to switch to a diffrnt charactr? How will Appl rspond thn?

ppl will kp rmving chrctrs frm th lphbt. Thy r ppl. Thy cn d whtvr thy wnt.

Re:

[MrNemesis]

Your sig mad my iPhon cordump. Stv Jobs nds to snd you in for rducation in th ways of Appl.

Re:

[Ragzouken]

makng

The Secret string is:

[spydum]

+++ATH0

Here's what to do

[yellowstone]

If you survive the initial peril (the next thirty hours or so), then there are obvious procedures that can give relative safety: Do not accept High Beyond protocol packets. At the very least, route all communications through Middle Beyond sites, with translation down to, and then up from, local trade languages.

Re:

[Medieval_Gnome]

I get the reference, and I can't praise that book highly enough.

Re:

[rossjudson]

Damn. I'm gonna go re-read that. Thanks for reminding me!!!

Proverbial wisdom strikes again

[GMFTatsujin]

So, one rotten character is spoiling the bunch, then?

As Per

[His Shadow]

The SMS hack affects many phones and many systems. Nothing in the wild, no plague of users infected or crashed or harmed. But let's run it as if the iPhone is the only one infected, and Apple somehow is a laggard for not releasing a patch. Then later, we'll talk about whether the problem is universal.

So, is the iPhone the only phone that matters, or is it just too hard for submitter NOT to use Apple and the iPhone to get attention?

Re:

[TheRaven64]

Note that Symbian, which owns over 70% of the market, was conspicuously absent from the list of affected mobile phone operating systems.

Threat to cell phone towers

[future assassin]

Soo the iPhone is a threat to cell phone towers?

what the godd*mn hell

[hesaigo999ca]

Whether you are a carrier of cellular service, or a provider of phones, seeing as you want to totally take control away from your clients, then you best make sure YOU'RE up to date with security, else face a multi-faceted lawsuit.

Being that TELUS closes off access to such things as phone configuration where you could just disable your SMS service if you wanted to, then the onus falls on them to incorporate better security.

As well having an iPhone means you are bound to the terms laid down by Apple, which me

Perhaps the more ridiculous thing

[vitaflo]

Is you can't turn off SMS on the iPhone. At least I haven't found out how. I don't particularly like SMS, it costs me money to receive texts, and I have an flippin iPhone, why would I need it when I can email, IM, tweet, etc? Yet here we have an SMS back door and the only solution is to shut down the entire phone because there's no way to disable SMS by itself.

Re:

[westyvw]

Agreed, paying for texts in principal is wrong, but off the charts of stupid if you have internet. I want the damn thing off. Send me an email, open a chat, or *gasp* call me.

But please let me turn this off!

Re:

[joNDoty]

You can turn off SMS: contact AT&T and tell them to disable SMS for your phone number. This is exactly what I've done and I highly recommend it. I save $5/month in texting charges, and I can still send and receive texts for free. Here's how:

1. Sign up for Google Voice.
2. Tell people your new Google Voice "texting" number (and use it for voice if you want).
3. Buy Prowl at the App Store for $2.99
4. Push your Google Voice SMS messages to your iPhone via Prowl. You can do it with Fluid and a script [morouxshi.com] on a Mac

Re:

[psychokitten]

Funny how you mention that since just the other day at work we were noticing how my Edge connection on T-Mobile is faster than a co-worker's 3G AT&T connection was.

Re:

[paimin]

Let me guess, San Francisco?

Re:

[pegdhcp]

Is there a T-Mobile service in SF land???

Re:

[sexconker]

No.
The T(ranny) Mobile sued them away for stealing their name.
Same reason there's no Oscar Meyer Wiener Mobile in SF.

Re:

[Darkness404]

This post highlights all that is wrong with cell networks, the entire point of AT&T should be to put up more towers and give you faster speed. However, that is not the case.

Re:

[Itninja]

So by "the country" do you mean Ireland? Because they have great reception in Western Ireland....

Re:

[mini me]

I'm pretty sure he means Canada, and he is just upset that Rogers new 20Mbps 3G network isn't supported by his iPhone.

Re:Weird article.

[Anonymous Coward]

This is remote code execution and extremely serious. The headline is understated for the possible severity of the impact. In other words: if Microsoft had the dominant smartphone on the market with the image the iPhone has, you know this crowd would be screaming bloody murder and piecing together fallacy-ridden freshman-level rants on monopolies.

Re:

[nxtw]

is far more threatening than an iPhone attack, given that around 50% of cellphones use Symbian

Symbian's marketshare is much lower in the United States. Also, Symbian's almost-50% marketshare is in the smartphone market, not in the overall cellphone market.

Re:

[Tony Hoyle]

It's much higher in the cellphone market. Can't remember when I last saw a non-smartphone that wasn't some brand of Nokia.

Re:

[nxtw]

It's much higher in the cellphone market. Can't remember when I last saw a non-smartphone that wasn't some brand of Nokia.

Not all Nokia phones run Symbian. Nokia's worldwide marketshare last quarter was 38%, down from 40% a year ago. Meanwhile, Samsung and LG are growing in marketshare.

And Nokia isn't very successful in the USA.

Re:

[Homburg]

Non-smartphone Nokias don't run Symbian (also, you haven't seen any Ericsson or Motorola or Samsung or LG non-smartphones recently? Really?).

Re:

[Sandbags]

Why should Apple fix it?

Can't AT&T realize it should not be possible to deliver 500 texts to a device in such a short period, and stagger them say at not more than 1 text per 2-3 seconds? Can't they also filter "malformed" text messages that pass in their own system? TFA also states this effects Android too, not just iPhone, and it;s in their own interest, considdering this could cause a text storm and cause network bottlenecks and disruption to the whole system, to prevent such types of attacks from

Re:

[cayenne8]

I prefer rock, paper, scissors, lizard, Spock [youtube.com].