Print 82 comment(s) - last by callmeroy.. on Jul 7 at 8:48 AM

  (Source: Attack of the Show)

A gaping hole in the iPhone 3G S's beefed up security, allows a packet of code to be fired into it via SMS and compromise the entire system. Apple says that it will fix the major flaw by the end of July.  (Source: AppleIPhoneReview)
IPhone SMS vulnerability could allow malicious users to install and execute malware

Recently, Apple has struggled with the security ramifications of a higher commercial profile, and seeing an increasing number of OS X malware.  Now another security flaw has been found, this time in the iPhone OS.  The flaw allows attackers to gain root access to the iPhone's underlying OS, allowing them to install and execute malicious programs at will.

The iPhone apparently automatically executes binary code sent in SMS messages.  Messages are limited to 140 bytes, but this is little deterrence as longer programs can be broken up into several messages, which the phone automatically reassembles.  While other applications such as the Safari browser on the phone only enjoy access to their sandbox, the SMS system is automatically granted root access, and SMS commands execute as root.

Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday introduced the vulnerability to the public.  He declined to go into specific details or offer his proof-of-concept code to the public, as he has entered under an agreement with Apple.  Mr. Miller did state, "SMS is a great vector to attack the iPhone."

He went on to describe several examples of how such an attack could prove beneficial to malicious parties.  Among his ideas were to use the phone's GPS technology to track people, to turn on the phone's microphone to snoop on meetings or conversations, and to use groups of the infected phones to form a botnet and launch distributed denial-of-service attacks.

Apple will have a fix ready by the end July, it says.  Mr. Miller says he will hold off on releasing details of his attack until then.  He will present the attack in its full glory at the Black Hat USA 2009 conference in Las Vegas.  Mr. Miller is the author of The Mac Hacker's Handbook, one of the leading resources for prospective Apple hackers.

He praises Apple's efforts with the iPhone saying that the stripped down version of OS X provides less attack opportunities.  He says that lack of support for Adobe Flash and Java while an annoyance to users actually aid security, as these are traditional attack vectors.  He also notes the phone's provisions to only run Apple-signed code and to provide hardware encryption as other promising features.  

Many of these features were added in the new iPhone 3G S, but were not present in the iPhone 3G leading the iPhone 3G to receive failing marks in a recent security study.  Mr. Miller concludes, "The iPhone is more secure than OS X, but SMS could be a critical vulnerability."

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: fsardis and his iDick debacle
By fsardis on 7/2/2009 7:34:05 PM , Rating: 2
awww look at poor pirks being all butt hurt.

you still do not understand what a native app is, do you, you chimp?

RE: fsardis and his iDick debacle
By Pirks on 7/2/2009 8:54:42 PM , Rating: 2
answer this first:

coward :))) you think you escaped from answering this one last time? haha, what an idiot :)))

By dark matter on 7/3/2009 3:04:51 AM , Rating: 2
Oh Pirks, you do make me laugh you know. You're such a tool. It's great, as I sit here eating my breakfast prior to setting off to work I imagine you to be some really fat guy sat in his underpants surrounded by discarded pizza and cola bottles in a basement somewhere. A film of persperation covering your top lip as you furiously type away. But hey, we are all individuals and personally I am glad the world has people like you for it makes the place a far more colourful and interesting place. Some people may think you're a prick, but I love you.

RE: fsardis and his iDick debacle
By themaster08 on 7/3/2009 3:40:23 AM , Rating: 3
coward :))) you think you escaped from answering this one last time? haha, what an idiot :)))

Says the person who avoids answering peoples' questions, and instead replies with further questions based on car analogies?

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 10:13:26 AM , Rating: 1
Well, Master08, the guy seriously claims that you can't publish native Mac apps without Apple's approval.

Think about it for a sec.

Now, would you consider seriously answering all silly questions of a guy who claims that Earth is flat?

No? Then why should I?

fsardis here is just for lulz, he's not worth a serious discussion ans you know it ;) Look at his "native Mac apps" lunacy again. Got it now? :)

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 10:26:34 AM , Rating: 2
i got an off topic question for you.

do you enjoy getting humiliated here? there is not a single person here supporting you. even other fanboys do not come to your rescue. does that not hint you that you have made a total idiot out of you? maybe you placed a bet on how long it will take you to get banned for trolling here?

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 10:40:45 AM , Rating: 2
I enjoy sharing good laughs with my office buddies, reading your funny posts about native Mac apps. Are you satisfied now, clown? ;)

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 12:33:10 PM , Rating: 2
however you have already admitted you work in a pc repair shop, therefore you just lied.
not only are you a clueless blind sheep, you are a liar too.

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 2:09:27 PM , Rating: 1
and you have admitted that you clean toilet bowls for a living, therefore you lied about your PhD too :)))

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 8:14:02 AM , Rating: 2
no, i replied to it and you are still an idiot who does not understand what a native up is and what a non-native app is. post whatever links you like, you just make us laugh more.

go back to your screw driver. go replace some dead sound card or something, you are out of your league here.

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 8:33:06 AM , Rating: 2
sorry for the "up" typo. been going for a day without sleep here.

by the way, my understanding of your first post is that you endorse cutting off java and flash in the name of security. am i correct? please say yes so we can get some laughs.

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 9:55:49 AM , Rating: 2
I wonder where did you get that "native Mac apps require sucking iDick before publishing" lunacy? Can I read your source? I know it exists solely in your imagination, but it may got started after reading a post of similarly ill person ot something? So, will you provide a link or any other kind of proof? Anything?

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 10:22:32 AM , Rating: 2
learn about native apps and then argue. native apps on osx go through the same process that iphone apps go through. this does not prevent malware in any way and it just gives monopolistic control on the platform.

so for instance, open office runs on the mac just fine and it does not require approval because it is java based and it is not a native app. similarly anyone who can write malware takes a similar route, whether that be scripts or trojan apps or anything else.

sorry i cannot come up with a car analogy for you.

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 10:35:00 AM , Rating: 2
So if I make you a native Mac app in XCode that displays window with a sign saying "Jobs sucks my balls and fsardis too" - will you shut up then? ;-) You do know that Apple would never approve such an app, so there must be a contradiction, right?

RE: fsardis and his iDick debacle
By fsardis on 7/3/2009 12:42:25 PM , Rating: 2
so then, can you explain to me how the content restrictions aid in malware prevention?
this is what you claimed before and now you are claiming something else.
if you can indeed do such an app, you have proven that you are wrong and content restrictions do not prevent malware. you will also prove that i am wrong about the authorisation. knock your self out champ.

RE: fsardis and his iDick debacle
By Pirks on 7/3/2009 2:04:54 PM , Rating: 2
There are no content restrictions for a Mac, stop smoking crack :)

"I'd be pissed too, but you didn't have to go all Minority Report on his ass!" -- Jon Stewart on police raiding Gizmodo editor Jason Chen's home

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki