Nuclear Option

This is clearly grandstanding with a lesser motive of getting Apple to provide a fix.

They could clearly motivate Apple to fix this without sharing the "how" of the exploit with the public.

Step 1. Discover exploit
Step 2. Inform Apple
Step 3. Wait requisite time (30 days was pretty arbitrary. I've worked with companies that can barely scratch their backside in 30 days, let alone deploy a software patch for multiple versions of an O/S across multiple devices)

Now, you can
A. Jump to the nuclear option: share the "how" of the exploit, allowing others to replicate this and cause issues/pain/hardship for others.

or

B. Oh, I don't know, simply release video demonstrating the hack in action (to convince viewers that the threat is real), but not actually provide the information to allow viewers to replicate it. Users would be in an uproar for a fix all the same.

To use someone else's analogy, it is one thing to know how to break into my neighbor's house. Broadcasting that fact to my neighbors/public and proving that I can do it would be pretty motivating for the neighbor to better secure their home. It is a completely separate thing for me to instruct the public on how to break into my neighbor's home.
 
You guys are being really unfair towards Apple.

Listen to me for a minute here:

1. I read that this security hole has existed on EVERY version of the iPhone software to date.

2. Nothing has happened since then... why should Apple have to rush the iPhone development to fix this?

3. If this one dude had just told Apple about it and shut up, Apple would have fixed it with 3.1 and nobody else would have known.

4. Now, everyone at this Black Hat thing is going to know how to execute this hack and Apple will probably be FORCED to release an unfinished update. Why would you want that?

I just think it's very crappy to only give Apple a month to fix something that has been there for 2 years already. What a jerk.


@#3 He actually informed them over a month ago. There was small info about a possible hijack possibility in a few articles on tech sites last month. Security people disclose the holes to the company first to see if they fix them but if they don't they go public with it to warn people and also light the fire for it to be fixed.
 
Notice how all these Apple vulnerabilities are never really exploited? Whether for the OS X, the iPhone . . . users were never affected.

Either Apple is fast enough with fix, or something else is going on.
 
Google already patched Android, so both of your arguments for Apple's lack of attention to the matter fail.
The impression I got from skimming through Charlie Miller's white paper is that Apple, Google and Microsoft architected their phone OSs in vastly different ways. How can you look at what Google did and say "See, it's just as easy for Apple with the iPhone?"

3.3.1 iPhone
On the iPhone, the telephony stack mainly consists of one application binary called CommCenter. CommCenter communicates directly with the modem using a number of serial lines of which two are used for AT commands related to SMS transfers. It handles incoming SMS messages by itself without invoking any other process, besides when the device notifies the user about a newly arrived message after storing it in the SMS database. The user SMS application is only used for reading SMS messages stored in the database and for composing new messages and does not itself directly communicate with the modem.

3.3.2 Android
On the Android platform the telephony stack consists of the radio interface layer (RIL) that takes the role of the multiplexing layer described above. The RIL is a single daemon running on the device and communicates with the modem through a single serial line. On top of the RIL daemon, the Android phone application (com.android.phone) handles the communication with the mobile phone network. The phone application receives incoming SMS messages and forwards them to the SMS and MMS application (com.android.mms).

3.3.3 Windows Mobile
In Windows Mobile, the telephony stack is quite a bit larger and more distributed compared with the iPhone and the Android telephony stacks. The parts relevant to SMS are: the SmsRouter library (SmsProviders.dll) and the tmail.exe binary. The tmail.exe binary is the SMS and MMS application that provides a user interface for reading and composing SMS messages. Other components such as the WAP Push Router sit on top of the SmsRouter.


http://mashable.com/2009/07/30/iphone-hack/

At least Apple and Google have a good method of distributing the patch. Microsoft doesn't (for Windows Mobile).
 
Notice how all these Apple vulnerabilities are never really exploited? Whether for the OS X, the iPhone . . . users were never affected.

Either Apple is fast enough with fix, or something else is going on.

Security through obscurity...
 
Whenever I see a story like this, I always wonder why Apple (or other companies, for that matter) don't hire guys like this to test product security in-house. Not only would you make your product more secure, but you would also avoid potentially embarrassing public unveilings like this.
 
Whenever I see a story like this, I always wonder why Apple (or other companies, for that matter) don't hire guys like this to test product security in-house. Not only would you make your product more secure, but you would also avoid potentially embarrassing public unveilings like this.
My guess is that he stands to make a lot more money as an independent consultant that as an Apple employee?

I also guess that he'd get tired of working on just Apple stuff? The few guys like this that I've met have an insatiable urge to rip into EVERYTHING.
 
It was actually 6 weeks ago, but who's really counting... certainly not Apple.


The hole they found in Windows Mobile was only discovered a few days ago and they have yet to notify Microsoft of the details. I expect Microsoft will have a patch out pretty quick. They've already proven they can code, test and deploy patches pretty quickly.

You're still not getting the point. Apple could well be working on this within Apple's walls but just hasn't released it yet. Just because something isn't released doesn't mean it's not being worked on. Again, you are still making assumptions there; you're expecting Microsoft to release it quickly, which is still an assumption. I know this is a rumour site, but when you start making claims like this it's going a bit far. I dunno, there is one massive bug that took a while to patch and isn't really fully patched: Vista to 7. :rolleyes:
 
You're still not getting the point. Apple could well be working on this within Apple's walls but just hasn't released it yet. Just because something isn't released doesn't mean it's not being worked on. Again, you are still making assumptions there; you're expecting Microsoft to release it quickly, which is still an assumption. I know this is a rumour site, but when you start making claims like this it's going a bit far. I dunno, there is one massive bug that took a while to patch and isn't really fully patched: Vista to 7. :rolleyes:
If Apple is working on it, why not respond with a simple "We're working on it". Apple's silence is not very comforting for us iPhone owners right now.

Microsoft's abilities are not an assumption; they have a proven track record that they can, and do, release fixes very quickly.

And please... spare the Vista comments... it was a flop and we all know it.
Apple has had more than a few of them too.
 
Just out of curiosity, does this vulnerability affect iPod Touch?

iPod touches have no SMS capability and therefore are not vulnerable.

Given Miller's past record and the fact that they can crash the phone I'm going to bet they can also insert the worm. We'll see later but this is uncomfortable reading.

Never trust anything implied by Cnet. They love exaggerating things to get page hits.

Apple does need to get on the ball here but that doesn't mean Cnet isn't being their usual selves.
 
Whenever I see a story like this, I always wonder why Apple (or other companies, for that matter) don't hire guys like this to test product security in-house. Not only would you make your product more secure, but you would also avoid potentially embarrassing public unveilings like this.

I believe they DO hire people like this. But one hacker, no matter how good, doesn't know what every other hacker out there is working on. How do you suppose they figure out how to fix it? Just because you put the finishing coat of paint on a Mercedes doesn't mean that you know how to repair a busted-open underground sewage pipe.
 
I don't believe this

I have a very very hard time believing those claims.

I just can't see how it would be possible to have the messaging app open a browser window as the result of an SMS.

The code isn't even there to be called; this sounds like complete ******** to me.

(I have been programming for 30+ years)
 
I have a very very hard time believing those claims.

I just can't see how it would be possible to have the messaging app open a browser window as the result of an SMS.

The code isn't even there to be called; this sounds like complete ******** to me.

(I have been programming for 30+ years)

It seemed to be described as a buffer overflow.
 
I have a very very hard time believing those claims.

I just can't see how it would be possible to have the messaging app open a browser window as the result of an SMS.

The code isn't even there to be called; this sounds like complete ******** to me.

(I have been programming for 30+ years)

It's a buffer overflow. If you can reach the EIP memory address, you can do pretty much whatever you want. Basically, once you can figure out how to overwrite the EIP, you can then JMP to a memory address containing your shellcode.

And Apple having 30 days to patch this is most likely more than enough time. The guy who discovered this did the right thing, Apple slacked, and now it's time for them to pay. Apple has never had a fast response to security updates.

If I had discovered this flaw I would be doing the same thing.
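The post above describes the bug class as a buffer overflow. As an added illustration that is not part of the thread and not Charlie Miller's code or his actual SMS exploit, here is the shape of such a defect in a message parser together with the hardened version a defender would want: a message carries a length field that the parser trusts, and the fix is to validate that field against both the destination buffer and the number of bytes actually received before copying. The message layout (one length byte followed by the body) and the sample messages are constructed for the example, not a real SMS PDU format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination for a single-part message body (160 is the GSM
   7-bit single-part limit; here it is just the size of the buffer). */
#define MAX_SMS_BODY 160

typedef struct {
    char   body[MAX_SMS_BODY + 1];  /* NUL-terminated copy of the body */
    size_t len;                     /* number of body bytes copied      */
} sms_t;

/* Constructed sample messages (hypothetical layout: [len][body...]). */
static const uint8_t SAMPLE_OK[]    = { 5, 'h', 'e', 'l', 'l', 'o' };  /* valid   */
static const uint8_t SAMPLE_BIG[]   = { 200, 'x' };                    /* len > buffer  */
static const uint8_t SAMPLE_TRUNC[] = { 10, 'a', 'b' };                /* len > bytes present */

/* The defect: the declared length is copied without comparing it to the
   buffer or to msg_len. A length above MAX_SMS_BODY writes past body[] and
   corrupts whatever follows on the stack. Shown for contrast only. */
int sms_parse_unsafe(const uint8_t *msg, size_t msg_len, sms_t *out) {
    (void)msg_len;                       /* the real length is ignored: the bug */
    size_t declared = msg[0];
    memcpy(out->body, msg + 1, declared);   /* unbounded write */
    out->body[declared] = '\0';
    out->len = declared;
    return 0;
}

/* Hardened parser: rejects a length field that would overflow the buffer or
   over-read the input. Returns 0 on success, -1 when the message is rejected. */
int sms_parse_safe(const uint8_t *msg, size_t msg_len, sms_t *out) {
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared > MAX_SMS_BODY)         /* would write past body[]         */
        return -1;
    if (declared > msg_len - 1)          /* claims more bytes than received */
        return -1;
    memcpy(out->body, msg + 1, declared);
    out->body[declared] = '\0';
    out->len = declared;
    return 0;
}

/* Diagnostic: would an unchecked copy of this message have overflowed? Useful
   in a test harness to flag inputs without ever performing the bad write. */
int sms_would_overflow(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1)
        return 0;
    return msg[0] > MAX_SMS_BODY;
}

/* Small helpers so the results can be inspected without juggling structs. */
static sms_t g_parsed;

int demo_parse(const uint8_t *msg, size_t msg_len) {
    memset(&g_parsed, 0, sizeof g_parsed);
    return sms_parse_safe(msg, msg_len, &g_parsed);
}

const char *demo_body(void) {
    return g_parsed.body;
}

int main(void) {
    printf("valid message:     %d body=\"%s\"\n",
           demo_parse(SAMPLE_OK, sizeof SAMPLE_OK), demo_body());
    printf("oversized length:  %d (would overflow: %d)\n",
           demo_parse(SAMPLE_BIG, sizeof SAMPLE_BIG),
           sms_would_overflow(SAMPLE_BIG, sizeof SAMPLE_BIG));
    printf("truncated message: %d\n",
           demo_parse(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The two checks in `sms_parse_safe` are the whole difference: the first bounds the write to the destination, the second bounds the read to the bytes actually received. A parser that trusts a length field from the network with neither check is exactly the kind of code a fuzzer finds by sending messages whose declared size disagrees with their real size.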
 
Microsoft's abilities are not an assumption, they have a proven track record that they can and do, release fixes very quickly.
You're mixing different Microsoft groups together. While Microsoft's Windows OS group has become good with quick updates over the last few years, their Windows Mobile group has never responded quickly with updates.

Here's a good commentary on Windows Mobile's update management, and how it's basically broken, because Microsoft has to release the update to the carriers and the OEM, who then decide if the update even gets offered to the customers.

http://www.pocketpcfaq.com/faqs/wm-security-patch.htm

And Apple having 30 days to patch this is most likely more than enough time. The guy who discovered this did the right thing, Apple slacked, and now it's time for them to pay. Apple has never had a fast response to security updates.
They seem to have a mixed track record. Obviously the SMS vuln hasn't been fixed after 6 weeks, but a Safari vuln was apparently fixed within 30 days of being reported (with the update being released the day before the discoverer was going to announce it).

http://www.iphonehacks.com/2008/11/securityexploit.html
 
Whenever I see a story like this, I always wonder why Apple (or other companies, for that matter) don't hire guys like this to test product security in-house. Not only would you make your product more secure, but you would also avoid potentially embarrassing public unveilings like this.

Me too. When Apple released the first Safari beta for Windows, didn't someone find about 4 vulnerabilities in the first day?
 
Help, I got an SMS with just a square in it and now all my friends are asking me why I'm sending them SMSes with just a square in it. What do I do? I turned my phone off but I need to use my phone!
 
Help, I got an SMS with just a square in it and now all my friends are asking me why I'm sending them SMSes with just a square in it. What do I do? I turned my phone off but I need to use my phone!

Nice! Screenshot?
 