Cybersecurity researchers Charlie Miller and Collin Mulliner have found a bug that enables hackers to take control of an iPhone via SMS, Andy Greenberg reports at Forbes.com.
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.
“This is serious. The only thing you can do to prevent it is turn off your phone,” Miller told Forbes. “Someone could pretty quickly take over every iPhone in the world with this.”
Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn’t released a patch, and it didn’t respond to Forbes’ repeated calls seeking comment.
CNET InSecurity Compleex blogger Elinor Mills let Miller and Mulliner demonstrate the hack on her iPhone at Black Hat yesterday:
Here’s what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I’m talking to Miller and the next minute my phone is dead, and this time it’s not AT&T’s fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.
The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators.
Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim’s phone number, Miller said.
Once inside a victim’s phone, the attacker could then send an SMS to anyone in the victim’s address book and spread the attack from phone to phone, he said.
Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007 and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.
Asked what an iPhone user can do when attacked, Miller replied: “Rebooting wouldn’t be a bad idea. It would stop all but the most sophisticated attacker. However, it doesn’t take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again. That’s why I think this is so serious.”
On Friday, Apple released iPhone OS 3.0.1 to fix the SMS vulnerability.