The Truth About The iPhone Virus / Vulnerability Thing : It's Fixed

Posted by: Arik Hesseldahl on July 30, 2009

Charlie Miller is waiting for a phone call from AT&T. Today he disclosed to the world a security vulnerability that affects Apple’s iPhone, and in fact phones running Google’s Android and Microsoft’s Windows Mobile as well, though it is the iPhone that is getting most of the attention.

A quick phone call from technicians at AT&T would give the carrier all the information needed to correct the vulnerability, but Miller hasn’t heard from them yet. “It would take only a few minutes for them to get the information they need,” he told me today.

Miller is a principal analyst at Independent Security Evaluators, and he has disclosed what he says is a significant weakness in the iPhone and in other phones, at the Black Hat security conference in Las Vegas.

It works like this: Carriers use text messages to send control messages to our phones, and the phones work in such a way that they have to accept all text messages sent to them while they’re turned on and connected to the network.

Through research into the iPhone, Miller discovered that an SMS message malformed in a particular way will, for lack of a better word, confuse the phone. When it’s in this confused state, it handles the data that’s contained in the message differently than it normally does, and so it becomes vulnerable to being remotely hijacked. The data on it is also vulnerable, Miller says. “You might go to the Web site for your bank on the iPhone browser and I could theoretically see you enter your user name and password,” Miller says. “I could see the data in your applications. I could have complete control of the phone.”

“The problem here is a systemic one,” Miller told me. “It has to do with the fact that phones have to accept text messages and that they always have to process the data that comes with them.”

If the vulnerability is put in the hands of a person skilled in programming for smart phones, millions of iPhones, Android phones and phones running Windows Mobile are conceivably at risk. This vulnerability could be combined with a command to insert a piece of malware on the phone, to turn on the camera, or to make the phone start recording sound and act like a bugging device.

And sadly there is nothing, at present, that you can do about it, except urge Apple and AT&T to get on the ball and fix the vulnerability.

The solution, Miller says, can come from one of two places. Apple (or for that matter, Google and its Android partners, as well as Microsoft) can fix the software code where the vulnerability is found, essentially closing up the chink in the armor. Or AT&T, or any other carrier that handles the iPhone or any of the affected phones, can filter the kind of text messages that can take advantage of this vulnerability.

Miller has disclosed the weakness to the proper people at Apple, and says he suspects they’re working on a fix that could come in a future upgrade to the iPhone software. But he’s still waiting to hear from AT&T. “They see all the messages, and once I tell them what to look for they can filter out the bad ones and prevent them from ever reaching the phone. They can call me and I will tell them what to do.”

The good news if you have an iPhone or any of these affected phones: Even the most skilled person who has seen Miller’s talk and would know what to do with the information would need several weeks to write the code necessary to do anything sinister with the knowledge. “It’s extremely hard,” he says. “It took me two-and-a-half weeks to write the code for this. If there were a bad guy who wanted to attach something like a virus to this exploit, it would realistically take a few weeks if not longer for them to carry it out.”

I have calls in to Apple, Microsoft and Google about this and will update with any comments they have.

Update: I’ve gotten email comments from Google and Microsoft since this post first published, though no comment from Apple as yet.

A Google spokeswoman says: “I can confirm that the Android vulnerability that Charlie Miller discussed at Black Hat today is fixed.”

A Microsoft spokesman says: “Microsoft is investigating a possible vulnerability in Windows Mobile presented at Black Hat. Once we’re done investigating, we will take appropriate action to help protect customers.

“Anyone believed to have been affected can visit:
http://www.microsoft.com/protect/support/default.mspx

and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.”

Another update: I just got an email and a call from an Apple spokesman relaying the following:

“We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”

And now AT&T has its say:

“AT&T began work with device makers, industry organizations and independent security experts to develop and implement protections against the potential SMS vulnerabilities before the announcement this week at the Black Hat security conference in Las Vegas. AT&T has talked with analysts from Independent Security Evaluators, and has reviewed background materials produced by them.

“While mitigation of potential vulnerability is primarily a matter of updating devices and software, AT&T is also working to implement methods to identify and remove malicious traffic within the carrier network. We will continue to work to develop and deploy these network-based protections, even as we directly support device manufacturers in implementing longer-term device-based solutions.”

Reader Comments

Perry Clease

July 30, 2009 09:15 PM

From what I am reading here, a person can't compose an SMS on a phone and send the "virus" to a phone. That the virus must be programmed and then sent from a server, is that correct?

DanTe

July 30, 2009 10:46 PM

Sorry, Perry Clease. Would be nice if that were the case. But no. A jail broken iPhone can send SMS messages with data in it just like those sent from a carrier's network. This hack only works from iPhones because the other phone operating systems have the decency to deny such lunacy from happening. (For those of you fixated on DanTe: Yes, I know hacking too.)

Scott Herbert

July 31, 2009 02:55 AM

@Perry, yes you're right, that however doesn't stop someone doing it, just makes it a little harder.

@DanTe, 1) this hack works with all GSM phones, however Google and HTC have patched their phones, Apple hasn't (all were informed about the bug a month ago)

The advice is, if you get an SMS that looks just like a square, or is completely blank, turn your phone off. When can you turn it back on... well that depends, turning it off will break the connection, but the person trying to attack your phone could try again straight away.

DanTe

July 31, 2009 09:34 AM

You've mis-read my post Scott Herbert. I'm saying how to TRANSMIT the hack. Not how to BE hacked. A jail broken iPhone will allow the hacker to transmit SMS messages with data in it to every phone out there with SMS capability.

DanTe

July 31, 2009 10:05 AM

Oh, and turning off your phone when you notice a weird SMS text doesn't help. You've already got it. As a note: "Peary Clease" has a much better understanding of networking than most here - based on his intelligent and aware comment.

Chris

July 31, 2009 10:46 AM

What many articles fail to mention and what a lot of people don't realize is that regardless of the phone you have, actually getting this virus is difficult. It is not a case of someone simply sending a single SMS message to your phone. For example, on the iPhone you would have to receive a minimum of 512 rapid SMS messages as part of the attack, and if you deleted any one of them before you received them all, the attack would fail. It is NOT an easy attack to accomplish. Also, demonstrating an exploit is not the same as showing someone how to write the code to exploit it. Mr. Miller, who assumedly knows what he is doing, admits he had to spend weeks writing the code to exploit the vulnerability. He didn't just release a program, he demonstrated a vulnerability, and someone who knew what they were doing would have to spend time writing code to exploit it.

DanTe

July 31, 2009 02:08 PM

Correct me if I'm wrong, Chris. But from what was demonstrated, I thought the SMS system was pwn'd by an SMS burst through a GSM system. The way GSM handles SMS, your phone can easily be hacked while it is silently receiving SMS overnight. The methodology shown appears not to affect CDMS systems.

Perry Clease

July 31, 2009 03:10 PM

Thanks for the compliment DanTe. I have a question for you. Last year I started to receive a lot of SMS spam on my iPhone. I went to "my messages" at AT&T and changed my preferences to block SMS sent from a computer; I can still receive SMS sent from a phone. The spam stopped coming in, but that may or may not be circumstance. Of course the downside is that no one can send me an SMS from their computer, but if they are at a computer then they can still send me an email.

Anyway do you think that the blocking would stop this type of attack?

It might be moot tomorrow as I have read on other blogs that Apple is going to issue a fix tomorrow. That may or may not be rumor, but I bet that they are working on a fix. Also I would think that AT&T is watching for this behavior and doing some sort of blocking.

For those of you interested in blocking SMS coming from a computer: as a public service I will give you the URL. AT&T has a horrid website and I did a lot of drilling to find this page. http://mymessages.wireless.att.com/

You all have a great weekend

Perry Clease

July 31, 2009 03:20 PM

Stop the presses!

Breaking News!

Apple has released an iPhone OS update to fix this vulnerability. I am downloading it, via iTunes, right now.

About

A blog on the daily doings of Apple and the many companies in its orbit, with insight and analysis by two longtime Apple-watchers: BusinessWeek Senior Writer Peter Burrows and BusinessWeek.com Senior Technology Writer Arik Hesseldahl.
