iPhone 3GS from AT&T. Free Shipping
UPDATE: iPhone security threat via SMS could be catastrophic if not patched
Written by Joe Aimonetti
A potentially catastrophic security flaw in the SMS function of iPhones is being reported across the Internet. Thursday afternoon, researchers are planning to reveal the currently unpatched bug in the iPhone's handling of SMS text messages that could allow for hackers to completely hijack any iPhone in the world.Note: Due to some recent commenting on MacFixIt, I feel compelled to assure you that this is not a sensationalist story. This is a real security threat for users of Apple's iPhone and should be taken with a great deal of seriousness.
The Story
Forbes reports that researchers Charlie Miller and Collin Mulliner will reveal the iPhone SMS exploit at tomorrow's Black Hat conference, being held in Las Vegas.
"If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly."The article goes on to explain the threat, stating the the exploit can send mostly invisible text messages resulting in hackers gaining access to near complete control of the iPhone's functionality which, "includes dialing the phone, visiting Web sites, turning on the device's camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking."
Apple has reportedly been aware of this exploit for about six weeks, though no patch has been released. This attack is unique in that the hacker would not need the user to do anything to enable the malicious code. All the hacker needs is the phone number of an iPhone user--everything else is done via SMS.
PC World also has an insightful report on this story.
Again, please take this seriously. If you receive the suspect text message, turn off your iPhone immediately. Of course, we will keep you posted on this story and let you know if any patches are released.
UPDATE: After yesterday's Black Hat conference unearthed the SMS security flaw in iPhones, the BBC is reporting that Apple will be releasing a patch via iTunes on Saturday. Be sure to check iTunes throughout your weekend for the update.
Experiencing problems? Have an issue you need help with? Contact Us!
Follow MacFixIt on Twitter!
If Apple delays, this would seem to be a huge opportunity for the iPhone Dev Team to patch this vulnerability before Apple does, thereby completely validating all the work that has been done to open the device.
I personally challenge the team to make it so!
No, but it may affect them
Perhaps, but our main concern on MacFixIt is Apple-made products. And yes, while many users probably use the other phones in conjunction with their Macs, I felt as though there omission did not distract from the message of the threat.
I read today (Friday) that Google had already patched the flaw, so kudos to them. The patch this weekend from Apple should be quick enough to disallow any hackers from implementing the hack.
1) The theoretical hack does not change your firmware, so if you were hacked, you could simply reboot your phone.
2) If in fact this is a global SMS issue, Apple doesn't necessarily need to patch it if AT&T filters the offending messages at their end. Neater and problem solved for all phones. The researchers investigated all this using a hacked iPhone and simulated SMS messages.
3) Think, for a moment, what would be required to "hack all iPhones." Yep, the message in question would need to be sent to all phones on AT&T's network because there's no database of which AT&T cells are iPhones and which are not. Further, since number portability exists, there's also no good database outside AT&T of which phone are even AT&T's cell phones. So what, SMS all phone numbers?
4) Worst case, if your microphone or camera were enabled, so what? Sending out mass SMSs? Then you get to spend time on the phone with AT&T customer service. But is it the end of the world? Hardly.
Now MacFixit is correct in bringing this to our attention, but really, it's of little concern to the average user at present.
Or were you crying wolf again to get more clicks?
The article stated, as many security articles will state, that the attack has "potential" to do harm. Miller was not suggesting that he would be hacking iPhones across the world on Friday. He was saying that he would be presenting the knowledge of how to do it.
Several dubiously-minded hacker types wait for these types of situations to learn from the best and implement these hacks before they are patched. The threat is very real, very serious, and probably will not happen.
Would you be more, or less, upset if your iPhone was hacked and we didn't say anything? I'm guessing more. (Personally, I don't care about the clicks, I care about people knowing the information they should know.)
Patched applied. Everything looks fine
Good deal, thank you for the update!
- by macdad614 August 3, 2009 6:46 AM PDT
- This is the same info that was in my newsletter dated Friday, July 31. Surely more info should be available by now in the 'Update' from what was first mentioned July 31. I find nothing new in this article since it was announced that more info would be provided after the conference. The 'Update' comment is not dated but refers to the conference as being 'yesterday' when the Friday article states that the conference is 'tomorrow' - Saturday?
- Like this Reply to this comment
-
(12 Comments)