You guys are being really unfair towards Apple.

Listen to me for a minute here:

1. I read that this security hole has existed on EVERY version of the iPhone software to date.

2. Nothing has happened since then... why should Apple have to rush the iPhone development to fix this?

3. If this one dude had just told Apple about it and shut up, Apple would have fixed it with 3.1 and nobody else would have known.

4. Now, everyone at this Black Hat thing is going to know how to execute this hack and Apple will probably be FORCED to release an unfinished update. Why would you want that?

I just think it's very crappy to only give Apple a month to fix something that has been there for 2 years already. What a jerk.

Poor Apple? You are talking about a multinational corporation, not a 2 year old toddler that bumped its head. I say poor consumer for having this security risk present in their phone, when Apple have had time to fix it. If they wanted to, they could have had a fix ready in days most likely.
 
I'll worry about this alleged problem when an iPhone is actually compromised by it and we hear about it.

Let's see Apple reproduce it first.
 
This jerk has just unleashed a thousand hackers bent on attacking all those people who don't update their devices quickly enough.

Good. As an IT professional one of my biggest headaches is dealing with users that don't keep their systems up to date. Perhaps a looming threat to their precious iPhones will get them to realize that you need to update software and devices frequently and quickly.
 
Clearly they've been given enough time to fix it. Clearly they aren't going to unless pressure is placed on them. The only way to put pressure on them is to publish the details of the threat. If they just said, "Hey Apple, we're not going to publish this because, well, we're nice guys," then what more incentive do they have to fix it quickly?

I'm going to be even more blunt than the comment below. Are you an idiot? You have NO understanding of what it takes to find the bug, code a fix and test the fix. Then, if the fix works, do regression testing, QA the fix and finally release it. You don't want to make things worse by releasing a fix that could do more harm than good. And what version do you fix? Do you patch the current version and release it when the next version is coming shortly?

Can you share the facts on which you based that statement? AFAIK, the only fact known is "Charlie Miller told Apple about this 30 days ago". I've seen nobody comment publicly on how big of an issue this is to patch, nor how long it takes to turn around an iPhone security patch in general ... identifying, coding, testing, piloting, and then full world-wide distribution.

amen.

Charlie Miller is nothing but a rogue hacker with no concerns for the public. All he wants is notoriety no matter who it hurts. He knows that 30 days is not enough to properly code and test a fix.

If he was concerned for the public he would not publish the details until after the 3.1 software release and then ONLY if the release did not have the fix. To release the details now is TOTALLY irresponsible and Charlie should be held financially responsible for all damages done.
 
Anybody know if this is *already* fixed in 3.1?

If cybersecurity researchers are the only ones that know how to do this, why would anyone on this forum know the answer to your question?

Apple has been too busy working on the SMS messages going to wrong people to have time to work on this one.... LOL
 
Just to note... this is standard practice in the security sector. First you notify the vendor. Then you notify the vendor again a few times. If they refuse to respond and/or do anything about it after a certain amount of time, you go public with it. Apple really just needed to have someone from the correct department speak with them and tell them what's going on (i.e., it will be patched in 3.1), and they would not go public with the attack.

Also, the Black Hat conference is a conference where all the best minds in security meet and talk about stuff most people in the world can't understand.
 
If Mr. Miller releases this info today, and our iPhones start getting hijacked, could Mr. Miller and Mr. Mulliner be sued for damages in a Class Action lawsuit by Apple and all users affected?

Are there any Real Lawyers in this Forum that could answer this?
 
If Mr. Miller releases this info today, and our iPhones start getting hijacked, could Mr. Miller and Mr. Mulliner be sued for damages in a Class Action lawsuit by Apple and all users affected?

Are there any Real Lawyers in this Forum that could answer this?

Interesting question. But I suspect if there is some sort of mass attack that affects lots of random users (after all, the attacker needs your phone number), the lawyers will circle and sue ... everyone who might have money.

Clearly, Apple (and by extension, their partner ATT) was warned; but Mr. Miller may be yelling "Fire" in a theater.

It's not that hard for this type of exploit to propagate widely. Get access to one iPhone and get the contact list. Exploit all of those; do forever. Eventually, you may have close to 100% of iPhone numbers.

WRT: how long does it take to fix a critical bug: I was in the industry as an actually working programmer for over 40 years (even fairly recently, with software LOTS more complicated than iPhone OS), and if the desire is there, you can fix, test, and prepare a distribution in a week or so, unless the problem turns out to be endemic (that is, affects LOTS of different parts of the software). I'm guessing here that this problem is yet another unchecked buffer length issue. Doesn't anyone edit their inputs anymore? I mean, taking the SMS text stream and turning it into code clearly violates some rule or another ;-)

For historians out there: clearly the old B700 and IBM AS400 had it right: code and data were tagged as such and data could not be executed or easily retagged as code. Oh, and the hardware checked data and code boundaries.

Geez: rule #1: never trust outside input, period. Edit it before using it.

Eddie O
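As an added illustration of the "never trust outside input" rule in the post above (example code written here, not from the original thread, Apple, or the researchers; the one-byte length-prefixed toy format, the MAX_TEXT size and the function names are assumptions made for this example, and it is not a claim about how the actual iPhone SMS bug worked), here is the unchecked pattern the poster guesses at beside a checked parser that validates the declared length against both the bytes that actually arrived and the destination capacity:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format, assumed for this example only (it is not any
 * real SMS encoding): byte 0 declares the text length, then that many bytes. */
#define MAX_TEXT 16   /* fixed-size destination, including the terminator */

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* The defective pattern: the length field arrived from outside, yet it is used
 * as the copy size with no check against either the bytes actually received
 * or the capacity of out[]. Only ever call this on input you already trust. */
size_t copy_text_unchecked(const uint8_t *msg, char out[MAX_TEXT]) {
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);  /* over-reads msg and overruns out[] if declared is large */
    return declared;
}

/* The hardened form ("edit it before using it"): every claim the message makes
 * about itself is checked against what was really received and against the
 * destination capacity before a single byte is copied. */
enum parse_result copy_text_checked(const uint8_t *msg, size_t msg_len,
                                    char *out, size_t out_cap, size_t *text_len) {
    if (msg == NULL || out == NULL || msg_len < 1 || out_cap < 1)
        return PARSE_TRUNCATED;
    size_t declared = msg[0];
    if (declared > msg_len - 1)      /* claims more bytes than were received */
        return PARSE_TRUNCATED;
    if (declared + 1 > out_cap)      /* would not fit together with the terminator */
        return PARSE_TOO_LONG;
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    if (text_len) *text_len = declared;
    return PARSE_OK;
}

/* Constructed sample messages (made up for this example). */
static const uint8_t SAMPLE_VALID[]     = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_TRUNCATED[] = { 40, 'a', 'b', 'c' };   /* declares 40, carries 3 */
static const uint8_t SAMPLE_TOO_LONG[]  = { 20, 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x',
                                                'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x' };
                                            /* 20 bytes of text: more than MAX_TEXT - 1 can hold */

/* Parse one sample into a MAX_TEXT buffer and report the verdict. */
enum parse_result parse_sample(const uint8_t *msg, size_t msg_len) {
    char out[MAX_TEXT];
    size_t n;
    return copy_text_checked(msg, msg_len, out, sizeof out, &n);
}

/* 1 if the valid sample decodes to "hello" with length 5, else 0. */
int valid_sample_decodes(void) {
    char out[MAX_TEXT];
    size_t n = 0;
    if (copy_text_checked(SAMPLE_VALID, sizeof SAMPLE_VALID, out, sizeof out, &n) != PARSE_OK)
        return 0;
    return n == 5 && strcmp(out, "hello") == 0;
}

int main(void) {
    char out[MAX_TEXT];
    static const char *names[] = { "ok", "truncated", "too long" };
    printf("valid:     %s\n", names[parse_sample(SAMPLE_VALID, sizeof SAMPLE_VALID)]);
    printf("truncated: %s\n", names[parse_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)]);
    printf("too long:  %s\n", names[parse_sample(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG)]);
    /* The unchecked copy is only demonstrated on the trusted, well-formed sample. */
    size_t n = copy_text_unchecked(SAMPLE_VALID, out);
    printf("unchecked copy of valid sample: %zu bytes\n", n);
    return 0;
}
```

The checked parser rejects the message that declares more bytes than arrived and the one that would not fit the destination, and both rejections happen before any copy; the two checks are deliberately separate because they fail for different reasons and a caller may want to log them differently.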
 
It happens all the time. Security people find holes, report it to the vendor, and they're given ample time to fix it. Apple are being slack, it's up to them to fix it, and quickly.

I don't think a month (or so) is really enough time to patch and test an OS at this level. Given the level of control the intrusion implies, I would suspect that it's a fairly low-level OS issue. Even at warp speed, it's hard to ensure that:
  • A solution can be developed (just because a vulnerability is found does not mean there's an automatic answer to what causes it).
  • The change can be implemented and regression-tested to make sure it doesn't break anything else of import.

If I were Apple (and do I wish I had their cash), I would quietly notify all the carriers of the exploit, assuming that they can block specific strings, and then work like mad to fix it in the OS.

It's never as easy as it sounds.
 
Clearly, Apple (and by extension, their partner ATT) was warned; but Mr. Miller may be yelling "Fire" in a theater.

There would need to be proof that any hack was as a result of his disclosure. Clearly anyone skilled enough, asking the same questions that he asked, will find the same flaw.


Geez: rule #1: never trust outside input, period. Edit it before using it.

QFT.

To the people defending Apple, get a grip. They have a responsibility to ensure that their device works as advertised and to harden it against attacks that could be extremely costly to their customers. If I were an iPhone owner and I found myself having to fight ATT's customer service department to have hundreds of SMS messages removed from my bill, I'd be very angry indeed.

The guys that test this stuff are entitled to discuss what they've uncovered, and they are certainly entitled to take credit for uncovering it.

The truth is that Apple have not yet learnt the lesson that MS had to learn so bluntly 10 years ago: you can't release patches when it is convenient to you. Security fixes need to be pushed with as much urgency as is humanly possible.
 
I don't think a month (or so) is really enough time to patch and test an OS at this level. Given the level of control the intrusion implies, I would suspect that it's a fairly low-level OS issue.

No it doesn't. It just means that some service that comprises some stupid code runs at an admin level.
 
I know a lot of people who don't upgrade their iPhone for weeks after an update, much less on the day-of. If this hack really is released today it will create huge problems for thousands (more?) of people when hundreds of greedy little nothing-better-to-do-with-my-life hackers lay their filthy paws on it. :eek:

I wouldn't be THAT surprised if Apple released some kind of "force" update simultaneously and quietly to every iPhone... don't they probably have this ability? We have seen them control some aspects of the interface remotely and have heard of remote kill and app kill capabilities, so it seems like they might be able to push out an update in a similar way. This would seem to be the only way to effectively prevent huge headaches with this issue.
 
On the one hand - It should be fixed. On the other - The Media sensationalize everything. Blah. Don't worry, be happy. :cool:
 
The truth is that Apple have not yet learnt the lesson that MS had to learn so bluntly 10 years ago: you can't release patches when it is convenient to you. Security fixes need to be pushed with as much urgency as is humanly possible.
The only truth to that statement is that it's your opinion, unless you're basing it on some facts that nobody else here is aware of (in regards to the SMS issue).
 
So, if I understand this correctly ... they are going to show the world how to take advantage of this security flaw and hack into people's iPhones? So, beginning tomorrow morning we should begin seeing reports of celebrities' phones being hacked into, right?

Hurry Up, Apple !!! Release the 3.1 Update and Fix This !!! :)
 
I just had a really funny idea. Imagine for a minute that a month ago, Apple quietly told all the iPhone carriers of the vulnerability and the bug was patched at the carrier level. Now, when they show the hole at the Black Hat thing, and it doesn't work... hahahaha! That would be AWESOME! This would also fix all iPhones running earlier software too.

Another idea would be to have iTunes push in an update that doesn't require a full update (like the AT&T Carrier Settings patch). Imagine for a minute that you go to plug in your iPhone tonight and there's a security patch to install. It installs in a few seconds and then your 1.0, 2.0 or 3.0 software is patched, and then we can wait to have it hard-coded into 3.1 when that is ready to come out.
 
I'm pretty sure that I read on another post, a little while back, that some kind of authentication key was generated by Apple's servers when an SMS message was sent, to make sure that it was legit. So, if that is the case, can't Apple fix this with filters on their end?
 
If this hack really is released today it will create huge problems for thousands (more?) of people when hundreds of greedy little nothing-better-to-do-with-my-life hackers lay their filthy paws on it. :eek:
I wonder how easy it is for hackers to send an SMS message over a network and not be detected.

On every text message I've received with AT&T, it's always shown the phone number that sent it, so it's not as simple as just randomly sending a text message to every phone number in the world, hoping you get an iPhone on the other end?
 
I know a lot of people who don't upgrade their iPhone for weeks after an update, much less on the day-of. If this hack really is released today it will create huge problems for thousands (more?) of people when hundreds of greedy little nothing-better-to-do-with-my-life hackers lay their filthy paws on it. :eek:

Are you expecting a step by step tutorial on how to implement this attack?
 
I'm pretty sure that I read on another post, a little while back, that some kind of authentication key was generated by Apple's servers when an SMS message was sent, to make sure that it was legit. So, if that is the case, can't Apple fix this with filters on their end?
I think that was in regards to Apple's push notification messages, not SMS.
 
I wonder how easy it is for hackers to send an SMS message over a network and not be detected.

On every text message I've received with AT&T, it's always shown the phone number that sent it, so it's not as simple as just randomly sending a text message to every phone number in the world, hoping you get an iPhone on the other end?

But, don't some of your SMS messages (like the ones from AT&T) just have a Code instead of a Phone Number? Like when you send a message to 543542, etc...
 