The Truth About The iPhone Virus / Vulnerability Thing : It's Fixed
Posted by: Arik Hesseldahl on July 30, 2009
Charlie Miller is waiting for a phone call from AT&T. Today he disclosed to the world a security vulnerability that affects Apple’s iPhone, and in fact phones running Google’s Android and Microsoft’s Windows Mobile as well, though it is the iPhone that is getting most of the attention.
A quick phone call from technicians at AT&T would give the carrier all the information needed to correct the vulnerability, but Miller hasn’t heard from them yet. “It would take only a few minutes for them to get the information they need,” he told me today.
Miller is a principal analyst at Independent Security Evaluators, and he has disclosed what he says is a significant weakness in the iPhone and in other phones, at the Black Hat security conference in Las Vegas.
It works like this: Carriers use text messages to send control messages to our phones, and the phones work in such a way that they have to accept all text messages sent to them while they’re turned on and connected to the network.
Through research into the iPhone, Miller discovered that an SMS message malformed in a particular way will, for lack of a better word, confuse the phone. When it’s in this confused state, it handles the data that’s contained in the message differently than it normally does, and so it becomes vulnerable to being remotely hijacked. The data on it is also vulnerable, Miller says. “You might go to the Web site for your bank on the iPhone browser and I could theoretically see you enter your user name and password,” Miller says. “I could see the data in your applications. I could have complete control of the phone.”
“The problem here is a systemic one,” Miller told me. “It has to do with the fact that phones have to accept text messages and that they always have to process the data that comes with them.”
In the hands of a person skilled in programming for smart phones, the vulnerability conceivably puts millions of iPhones, Android phones and phones running Windows Mobile at risk. It could be combined with a command to insert a piece of malware on the phone, or to cause the camera to come on, or to cause the phone to start recording sound and act like a bugging device.
And sadly there is nothing, at present, that you can do about it, except urge Apple and AT&T to get on the ball and fix the vulnerability.
The solution, Miller says, can come from one of two places. Apple (or for that matter, Google and its Android partners, as well as Microsoft) can fix the software code where the vulnerability is found, essentially closing up the chink in the armor. Or AT&T, or any other carrier that handles the iPhone or any of the affected phones, can filter the kind of text messages that can take advantage of this vulnerability.
Miller has disclosed the weakness to the proper people at Apple, and says he suspects they’re working on a fix that could come in a future upgrade to the iPhone software. But he’s still waiting to hear from AT&T. “They see all the messages, and once I tell them what to look for they can filter out the bad ones and prevent them from ever reaching the phone. They can call me and I will tell them what to do.”
The good news if you have an iPhone or any of these affected phones: Even the most skilled person who has seen Miller’s talk and would know what to do with the information would need several weeks to write the code necessary to do anything sinister with the knowledge. “It’s extremely hard,” he says. “It took me two-and-a-half weeks to write the code for this. If there were a bad guy who wanted to attach something like a virus to this exploit, it would realistically take a few weeks if not longer for them to carry it out.”
I have calls in to Apple, Microsoft and Google about this and will update with any comments they have.
Update: I’ve gotten email comments from Google and Microsoft since this post first published, though no comment from Apple as yet.
A Google spokeswoman says: “I can confirm that the Android vulnerability that Charlie Miller discussed at Black Hat today is fixed.”
A Microsoft spokesman says: “Microsoft is investigating a possible vulnerability in Windows Mobile presented at Black Hat. Once we’re done investigating, we will take appropriate action to help protect customers.
“Anyone believed to have been affected can visit:
http://www.microsoft.com/protect/support/default.mspx
and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.”
Another update: I just got an email and a call from an Apple spokesman relaying the following:
“We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”
And now AT&T has its say:
“AT&T began work with device makers, industry organizations and independent security experts to develop and implement protections against the potential SMS vulnerabilities before the announcement this week at the Black Hat security conference in Las Vegas. AT&T has talked with analysts from Independent Security Evaluators, and has reviewed background materials produced by them.
“While mitigation of potential vulnerability is primarily a matter of updating devices and software, AT&T is also working to implement methods to identify and remove malicious traffic within the carrier network. We will continue to work to develop and deploy these network-based protections, even as we directly support device manufacturers in implementing longer-term device-based solutions.”
