SMS Hack Could Make iPhones Vulnerable

mhx writes "A single character sent by text message could allegedly compromise every iPhone released to date. The technique involves sending only one unusual text character or else a series of 'invisible' messages that confuse the phone and open the door to attack. Apple has not released any updates yet, so little can be done, except to power off your iPhone to avoid being hacked."

Re:Binary Encoded Messages

[clang_jangle]

Apparently it's not just the iPhone affected. FTFA:

The iPhone SMS bug is just one of a series that the researchers plan to reveal in their talk. They say they've also found a similar texting bug in Windows Mobile that allows complete remote control of Microsoft-based devices. Another pair of SMS bugs in the iPhone and Google's Android phones would purportedly allow a hacker to knock a phone off its wireless network for about 10 seconds with a series of text messages. The trick could be repeated again and again to keep the user offline, Miller says. Though Google has patched the Android flaw, this second iPhone bug also remains unpatched, he adds.

Read about this yesterday

[DigitalSorceress]

FYI: It's not that one character can break your iPhone, it's about 512 text messages sent at your phone, causing certain buffer overflows. The proof on concept ended up where the slew of messages (apparently arrived at originally by fuzzing) winds up only showing one visible character (appears as a box).

The author said that it could probably be refined so that it wouldn't send anything that would show up.

500 or so un-seen text messages, and you're iPwned.

Gotta love the Black Hat Briefings.

Re:Binary Encoded Messages

[Algorithmn]

http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-whitepaper.pdf [blackhat.com] The weakest link is always exploited first. Trust nothing.

Re:Lots can be done...

[rsmith-mac]

That makes absolutely no damned sense. At some point it has to hit the carrier's network, otherwise the phone can't receive it in the first place.

Re:Lots can be done...

[TheRaven64]

Not necessarily, it just has to come over the (wireless) network. There's nothing stopping you simulating a cell tower and sending an SMS (which is just a GSM control packet) to any phone within range.

Re:Perhaps the more ridiculous thing

[joNDoty]

You can turn off SMS: contact AT&T and tell them to disable SMS for your phone number. This is exactly what I've done and I highly recommend it. I save $5/month in texting charges, and I can still send and receive texts for free. Here's how:

1. Sign up for Google Voice.
2. Tell people your new Google Voice "texting" number (and use it for voice if you want).
3. Buy Prowl at the App Store for $2.99
4. Push your Google Voice SMS messages to your iPhone via Prowl. You can do it with Fluid and a script [morouxshi.com] on a Mac.
5. ???
6. PROFIT!!! (free texting)