backtop


Print 82 comment(s) - last by callmeroy.. on Jul 7 at 8:48 AM


  (Source: Attack of the Show)

A gaping hole in the iPhone 3G S's beefed up security, allows a packet of code to be fired into it via SMS and compromise the entire system. Apple says that it will fix the major flaw by the end of July.  (Source: AppleIPhoneReview)
IPhone SMS vulnerability could allow malicious users to install and execute malware

Recently, Apple has struggled with the security ramifications of a higher commercial profile, and seeing an increasing number of OS X malware.  Now another security flaw has been found, this time in the iPhone OS.  The flaw allows attackers to gain root access to the iPhone's underlying OS, allowing them to install and execute malicious programs at will.

The iPhone apparently automatically executes binary code sent in SMS messages.  Messages are limited to 140 bytes, but this is little deterrence as longer programs can be broken up into several messages, which the phone automatically reassembles.  While other applications such as the Safari browser on the phone only enjoy access to their sandbox, the SMS system is automatically granted root access, and SMS commands execute as root.

Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday introduced the vulnerability to the public.  He declined to go into specific details or offer his proof-of-concept code to the public, as he has entered under an agreement with Apple.  Mr. Miller did state, "SMS is a great vector to attack the iPhone."

He went on to describe several examples of how such an attack could prove beneficial to malicious parties.  Among his ideas were to use the phone's GPS technology to track people, to turn on the phone's microphone to snoop on meetings or conversations, and to use groups of the infected phones to form a botnet and launch distributed denial-of-service attacks.

Apple will have a fix ready by the end July, it says.  Mr. Miller says he will hold off on releasing details of his attack until then.  He will present the attack in its full glory at the Black Hat USA 2009 conference in Las Vegas.  Mr. Miller is the author of The Mac Hacker's Handbook, one of the leading resources for prospective Apple hackers.

He praises Apple's efforts with the iPhone saying that the stripped down version of OS X provides less attack opportunities.  He says that lack of support for Adobe Flash and Java while an annoyance to users actually aid security, as these are traditional attack vectors.  He also notes the phone's provisions to only run Apple-signed code and to provide hardware encryption as other promising features.  

Many of these features were added in the new iPhone 3G S, but were not present in the iPhone 3G leading the iPhone 3G to receive failing marks in a recent security study.  Mr. Miller concludes, "The iPhone is more secure than OS X, but SMS could be a critical vulnerability."



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: fsardis and his iDick debacle
By fsardis on 7/2/2009 7:28:08 PM , Rating: 0
yes lexus also lacks an apple badge. your car analogies suck and only serve to show what an idiot you are. lexus has had semi auto option for many years now, apple on the other hand cannot even get a lock on their door for security and a cut/paste for ease of use. take any person in the world and they will tell you a lexus is far more desirable than a mac. they will also tell you that a lexus gives much fewer major annoyances to its driver than a mac does to its user. you failed at life yet again. tell me how the -1 is a blessing again so i can laugh some more. your posts have become a mailing list across loads of people. i got two companies laughing at your idiocy. maybe we should stick wheels on computers to make your analogies fit better. should the mac have 20" alloys but with an engine that lacks radiator, no locks on the doors, no transmission at all, it just selects for you whether you wanna go forward or back at random, it has razor sharp edges on the seats and the engine is limited to 40bhp because it gives better mpg but at the same time it is a waste for the sports exhaust they offer as an upgrade for it.
that sums up apple as a lexus.

yes battery life is excellent, i never complained about that.
we don't care if it is at&t or apple. the product has issues and that is what the custom experience. the details are irrelevant and it is the result that matters. iphone failed.

for yet another time, hopefully it will go through the thick scull of yours: approval from apple is MANDATORY if you have created software that runs on the mac NATIVELY. if you do not get that, your software is never published and even if it was, it would never install successfully on a mac. malware authors don't give a shit about this and can still screw you without any approvals. there are viruses and trojans for mac out there and even a botnet. going by your logic, you implied that apple approved those apps. or are you implying that opera browser is a malware? or do you support double standards so for MS it is unfair to install their browser but for apple it is fair to block everyone else out?
not only are you an absolute retard, you are also a hypocritical queer too.


RE: fsardis and his iDick debacle
By Pirks on 7/2/2009 8:15:57 PM , Rating: 2
quote:
approval from apple is MANDATORY if you have created software that runs on the mac NATIVELY. if you do not get that, your software is never published and even if it was, it would never install successfully on a mac
After reading this fsardis's nonsense, does anyone really believe he's trying to make a PhD in security? Maybe he meant mall security though ;o)


RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 5:56:02 AM , Rating: 1
i am doing PhD in network protocols not network security you fuckwit. even so, it is unrelated to software programming for mac. i am not trying to make pretty interfaces for utterly useless software that does not even allow you to switch between windows of the same application if they are hidden behind others. such ease of use. i have to drag the focus window out of the way to reveal the window i want. there is no representation of how many windows i have open from a single app unless i use expose. i would say it is far worse than the simplicity and functionality of the windows task bar. at least with the task bar i an click to any windows i want from any application whether it is visible or not.

go back to your screwdrivers, you called a 9600 high end, and you said the code makes the cpu overheat. how could anyone be dumber than you? by the way, the office here would like more insight on how the code from one company can make the cpu overheat but code from the other makes it stay cool (which it does not)

oh you still don't know what native apps are eh? don't worry, for the job you have, you will never need to know. all your feeble mind need to know is how to use a screwdriver and change out parts. come argue again when you are a computer scientist and not a computer tech. and since you like car analogies, come back when you are a mechanical engineer and not a grease monkey changing oil and cleaning oil filters.


RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 10:25:04 AM , Rating: 2
quote:
does not even allow you to switch between windows of the same application if they are hidden behind others
Ever tried to use alt-` shortcut, clown? :))))) hehehe
quote:
at least with the task bar i an click to any windows i want from any application whether it is visible or not
Same with the OS X dock, idiot :))
quote:
the office here would like more insight on how the code from one company can make the cpu overheat but code from the other makes it stay cool
Does "the office here" also would like more insight on how the code from one company can make battery work 5 hours but code from the other makes it work only 2.5 hours? ;)

BTW your "native Mac apps" drivel is the best part of your posts, that's what I call High Quality Lulz, keep it flowing man.


RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 12:48:18 PM , Rating: 2
i dont want to use the keyboard dickwash
no the dock only lists the application but not the individual windows of an application. if you call up safari from example and it has 5 windows hidden behind the focus window, you will have to either use a gesture to enter expose, or click on the expose button, or press the expose key, or move the top window around to reveal the hidden ones. all of these actions take much longer than clicking directly on the windows button on the task bar.
even a monkey can understand that. are you still having trouble?


RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 1:50:48 PM , Rating: 1
quote:
no the dock only lists the application but not the individual windows of an application
Ever tried to right click on an application's icon in a dock, stupid PhD clown? :)))


RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 5:56:03 AM , Rating: 1
i am doing PhD in network protocols not network security you fuckwit. even so, it is unrelated to software programming for mac. i am not trying to make pretty interfaces for utterly useless software that does not even allow you to switch between windows of the same application if they are hidden behind others. such ease of use. i have to drag the focus window out of the way to reveal the window i want. there is no representation of how many windows i have open from a single app unless i use expose. i would say it is far worse than the simplicity and functionality of the windows task bar. at least with the task bar i an click to any windows i want from any application whether it is visible or not.

go back to your screwdrivers, you called a 9600 high end, and you said the code makes the cpu overheat. how could anyone be dumber than you? by the way, the office here would like more insight on how the code from one company can make the cpu overheat but code from the other makes it stay cool (which it does not)

oh you still don't know what native apps are eh? don't worry, for the job you have, you will never need to know. all your feeble mind need to know is how to use a screwdriver and change out parts. come argue again when you are a computer scientist and not a computer tech. and since you like car analogies, come back when you are a mechanical engineer and not a grease monkey changing oil and cleaning oil filters.


"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki