Talking at the Black Hat security conference in Las Vegas, experts Charlie Miller and Collin Mulliner say they've discovered a bug in the iPhone's approach to SMS that exposes it completely to remote control through a subsequent hack, including the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.
The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk — a real problem as the trick could also be used to make an iPhone send more messages of its own.
"Someone could pretty quickly take over every iPhone in the world with this," Miller claimed to Forbes on Wednesday.
An extra vulnerability would simply be used to frustrate individual owners and would use a series of SMS messages to keep the iPhone offline for 10 seconds at a time, creating the mobile equivalent of a denial of service attack for as long as the malicious programmer saw fit.
Both of the experts reiterated that they notified Apple of the flaws roughly a month ago. In its typically silent approach to security, however, the company hasn't issued an update to patch either of the security breaches and hasn't provided an update on whether or not it can release a patch before the end of the month.
Regardless of the Cupertino firm's response, the new exploits underscore a small but noteworthy history of security risks that, among others, have included a since-fixed Safari flaw that would compromise an iPhone just by visiting a website with hidden but hostile code.
All the same, Apple is not alone in facing these sorts of issues. Google's Android in its current form is vulnerable to the same 10-second knockout as the iPhone, and Windows Mobile can also be controlled through a burst of text messages.
88 Comments
I hope this isn't true. As it is, I already resent the fact that I have to accept SMS messages as part of the service (for $0.20 a pop) and have no control that I've seen to block or only accept messages from certain people. I can choose not to accept a phone call, not so with SMS that I've found. I get the message and I'm automatically charged for it.
I don't think it's the money that's a problem for me, it's just the total lack of control and it just seems like a potential way to rack up my bill without my permission and I can't do much of anything about it without spending even more time and money.
You can choose to block all texts -- just tell your wireless carrier to block all text messages, and they will be blocked.
I agree that this sounds a wee bit hokey -- invisible texts or strange characters? I'm not sure that makes much of any sense, but I'm no expert -- I can only hope.
Agreed. I think it's only us here in the States that are forced into this pay-as-you-receive garbage. I'm not sure, but maybe anyone in other countries can verify you pay for outgoing only by law? It should be a requirement by law, imo. Paying for incoming is dumb.
Precisely why I'm waiting for the T-Mobile iPhone... at least on the plan I have, T-Mobile gives a courtesy 50 SMS and that covers those all important text messages I receive from unknown senders who like to send messages like the following...
"Just because! lol"
If AT&T thinks I'm paying them .20¢ for that, they have a whole other thing coming!
I was shocked when I found out you guys have to pay to receive text messages. And on top of that, that it's an astronomical $0.20 per message! I'm on a pay-as-you-go tariff (no monthly fee), and it costs me nothing to receive and only 4p (less than $0.07) to send a text.