Update: Apple says it has patched the vulnerability described below. The full story is here Researchers have uncovered a bevy of vulnerabilities in smart phones made by multiple vendors, including one in Apple's iPhone that could allow an attacker to execute malicious code without requiring the victim to take any action at all …
Apple going after jailbreakers as possible terrorists.
Lets hope the jailbreaking terrorists never find about this flaw and end up crashing high ranking officials daughters iPhones, we all need those drunken facebook photos to start the day..
Paris coz she's been a jailbird crashing high ranking facebook coffee time saviour.
Standard 'proof in a lab' vuln
but most SMSC's would bounce/just kill malformed SMS. Remember the telco is interested in sending real SMS so they can make money. Faulty messages cost them time not make them money.
As for queuing up multiple messages for a long lasting DoS, most SMSC (in Europe certainly) will queue up 10 messages before bouncing them back to the sender. Yes, they can be changed at the SMSC but that would require work from tradionally work-shy people.
What is it with businesses that don't bother to respond to people?
How bad can Apple be if they can't be arsed closing a security flaw when it is so easy to exploit?
Apple are so stupid.
Mr Jobs are you listening? That note you ignored from Mr Miller has made it to the front page of a well know free newspaper across the UK this morning. The the non-techy peeps will read it and may well be banging on your door asking for answers later today!
CommCenter running as root
"The bug resides in CommCenter, [...]. By default, it runs as root"
iPhones: "The attack is carried out by dropping the last byte or two from UDH, or user data header, contained in the message, something that's fairly trivial to do."
That's not trivial at all. For starters, as far as I can tell, you're going to need custom equipment from a teleco.
You could try cracking your own phone open so that it will do it but then your messages are going to be malformed and rejected by your own teleco, if not by the recipients.
Even if you do manage to send the message, dropping the last byte or two from the UDH isn't going to let you have control over someone's iPhone now, is it?
It's like saying "Swimming the Pacific is trivial because anyone who can tread water could theoretically do it"...
Is there a link to the report anywhere?
I came across a link to the June 25 report from Mulliner and Miller which reported this vulnerability in iPhone OS 2.2 and 2.2.1. The report mentions crashing vulnerabilities in the iPhone OS and Android. There's no mention of OS 3.0 in it, probably as they hadn't had a chance to test it.
I'd be interested to see what else they've found in the past few weeks and what the full details of it are.
Report is here for anyone interested:
Are blackberries vulnerable? I know they work in there own odd way, but I have heard nothing about them. Are they immune to this kind of attack?
It was only a matter of time...
If you make these traditionally dumb devices into fully functional portable computers then naturally they'll have the same vulnerabilities to exploit. This sounds worse than the traditional email trojan which you can preview without risk before deciding to mark it as spam though...
Google claim Android is patched.
No info on when / if the patch has been deployed, though.
Did they not try the most common OS platform in the world? Or did they find that it was not vulnerable and so left it out?
Seconded, and no Anti-BB Boys if you please. Just the facts, Maam
@ Anonymous Coward
I got an unexpected update a few days ago for my G1. No functionality appears to have changed and it was just listed as a security update. Possible this was a fix for the bugs in the article.
"Miller's discovery is the result of an aggressive fuzzing endeavor he and fellow researcher Collin Mulliner carried out over the past few months and laid out during a talk at the Black Hat security conference in Las Vegas."
You have to admire their stamina if nowt else. My own fuzzing endeavours usually only last until closing time and are rarely aggressive. This session sounds curiously reminiscent of Fear and Loathing. Hats off, gentlemen, hats off.
Full control over an iPhone?
Does that give you enough control to let you break the o2 lock on it?
Regardless of how easy or otherwise this bug is to exploit, it should not have existed in the first place. Apple have a long history of producing insecure software (e.g. QuickTime - especially on Windows - used to have more holes than a warehouse full of Swiss-cheese; Safari has had its fair share of flaws too; and OS X is only just getting things like address-layout randomisation).
Now, before I'm accused of trolling, let me explain this viewpoint. Apple - in my view - actually believe the "security through obscurity" argument that many of its users tout. They seem to be so enamoured by their own software that they assume it can't be hacked. This assumption then leads to making stupid decisions like running the iPhone's SMS client with root privileges outside of a sandbox.
Of course, I realise that network operators often send out SIM updates via SMS, so there are certainly instances when received messages may have to update parts of the overall system, but the bits the network operator can change should be separate from the underlying OS. But then it's not like the OS is based on a multi-user operating system that was designed to enforce such boundaries - oh, wait a minute....
Symbian is always ignored in the media these days!
What is it about nokia and symbian that they ate being ignored I'm the tech media? The US tech media in particular is fixated on the iPhone, which I can understand but also on blackberry and palm which are really tiny players compared to symbian!
It's like nokia is suddenly that boring, frumpy Finnish company...
I know symbian might not light the room on fire, but I've been using a nokia 5800 which uses S60 with a touch interface and I have to say in many respects it's well able to hold it's own againsty iPhone.
Not quite as slick, but massively more functional!
The phone is also much lighter and seems to hold a charge fir much longer too.
I just wish nokia would sort out their GUI and get going on some serious pr!
They have good products and sucky marketing!!!
"That's not trivial at all. For starters, as far as I can tell, you're going to need custom equipment from a teleco."
Err; no you don't need specialist equipment. An SMS message is after all just a hex encoded string with said header and a body. All you need is access to an SMSC so, hmm, any aggregator! And then a bit of string manipulation using one of several freely available packages (or do it "the hard way" yourself) and the SMS format specs (again not exactly hard to locate).
Hell part of my last job was pre-encoding WAP pushes and OMA rights data to UDH/UDB - and I was doing that in PHP!
"Regardless of how easy or otherwise this bug is to exploit, it should not have existed in the first place. Apple have a long history of producing insecure software (e.g. QuickTime - especially on Windows - used to have more holes than a warehouse full of Swiss-cheese; Safari has had its fair share of flaws too; and OS X is only just getting things like address-layout randomisation)."
You do realise the same vuln exists in Windows Mobile? Perhaps because Microsoft also "have a long history of producing insecure software."
As for the article, by all accounts you have to send a *sequence* of loaded SMSs, not one, in order to break the phone.
To demonstrate the flaw, the researcher plans to send 512 SMS messages; only one message is actually seen by the recipient, and that message is limited to a single character. Hence the FUD headlines like "iPhones hijacked by a single character SMS message". Since it uses malformed messages, there is presumably no mechanism to spread the exploit via ordinary handsets and the cell network.
@Doc Spock: "security through obscurity" is Microsoft's argument that Windows is more secure than open source OS's because the bad guys have no access to the source so they can't find the flaws. They're pretty quiet about that these days because the opposite is true; flaws are indeed found more often, but they get fixed more often too. The core of OSX (Darwin) is of course open source. Perhaps you are thinking of the argument that there are no exploits for OS X because there are so few machines around that no-one bothers to target them. I don't know any Mac users who think that's the main explanation for the lack of OSX exploits in the wild.
The argument that everything should be built from the outset like a fortress isn't valid in the real world. It's much more likely to result in a flaw going unnoticed until there is a real catastrophe. If there are no vulnerabilities, running as root doesn't matter; it's only protection against undiscovered flaws. Of course running as root is Apple's explicit choice for now to encourage more exploits to be published, so they can fix them. Not running as root is a change that can be made any time.
lock 'em up!
Terrorists, the lot of 'em. Send them to gitmo, i say. That'll teach them a lesson or two for proving that telco security is trash.
iphone fix on saturday
O2 promise an iPhone fix on Saturday......but what happens to the other potentially affected phones???
No, I was not aware that the same vulnerability exists in Windows Mobile. I am, however, aware that other software products - including those from Microsoft - can also have security flaws.
I gather from the tone of your comment, and specifically the mention of Microsoft, that you think I am some kind of MS fanboi. I assure you that this is not the case. My comments stem from the fact that I have an iPhone and two Macs and I really don't like the idea that there may be easily exploitable vulnerabilities in the software I use on a daily basis. After all, that was what drove me to OS X in the first place.
You are correct in that I was thinking about the low market share of OS X. As a consequence of my mini-rant at Apple, I may have come across as sounding like an MS shill, but I stand by my view that, when it comes to security, Apple can be too complacent at times.
sleepy: "The argument that everything should be built from the outset like a fortress isn't valid in the real world. It's much more likely to result in a flaw going unnoticed until there is a real catastrophe."
It's ONLY valid in the real world. And yes, it means that any flaws which do exist are less likely to have catastrophic consequences and therefore be less critical. Why is that a bad thing? You sound like you are saying that lots of little security exploits are good because it prevents there being a couple of very big ones. I would argue that the opposite is true: the existence of lots of little exploits increase the liklihood of there being a couple of very big ones too.
sleepy: "Of course running as root is Apple's explicit choice for now to encourage more exploits to be published, so they can fix them."
I'll assume this was a joke.
sleepy: "Not running as root is a change that can be made any time."
Maybe so, but it's taking Apple longer than two weeks to do it. Maybe that suggests the fix isn't that simple.
And gmail requires SMS?
I'm glad I already have my Gmail account. I read yesterday that Gmail is now requiring an SMS number when you apply for a new account.
This piece really discourages those of us who do not already have or use SMS from doing so. And that means no Gmail.
Iphone update 3.0.1 is available in iTunes now, according to the email from Apple Product Security that as just arrived.
Pity I don't have an Iphone to install it on!
Not on the iPhone anymore
Apple just released the 3.0.1 update to fix it. Assuming it does fix it, of course.
Symbian Pre-existing condition
I suspect machines running Symbian may be immune to this particular problem. There was a similar problem to this one for the Symbian S60 system back in December last year, the so called S60 Curse of Silence. A specially crafted SMS would be sent to the phone and would occupy space in the mail box while not presenting itself in the message list. It soaked up space until the phone could no-longer receive SMS messages. I suspect Symbian was patched to handle that and this new 'sploit uses a similar technique.
"I got an unexpected update a few days ago for my G1. No functionality appears to have changed and it was just listed as a security update. Possible this was a fix for the bugs in the article."
Hm... did it come through the phone? Might have been the hackers sending it to you. No wonder the "new functionality" is not apparent...
It only takes one SMS and doesnt affect winmo yet
It only takes one SMS message and flaw only works on iphone and android at moment.
now how quickly can you scam money from a premium service these days. If its a complete compromise of the phone.... Setup a premium number and see how much you can rake in before people really notice... For once all involved parties would have an appropriate amount of egg on their faces... How long before the Anti Virus Vultures circle in....
Security Programming 101
"By default, it runs as root and isn't limited by an application sandbox." -- Dont do that.
Sending your own formed SMS is possible. There are hardware GSM modules that just connect over serial that you can buy.
@ By David 34
"They have good products and sucky marketing!!!"
I beg to differ. My Nokia E61i's software is only half written. I can make the browser crash on pretty much any web page with more than a couple of Java scripts running on it, the SyncML based calendar and task system cannot be set to schedule synchronisations, and the menu to do so manually on one of them is so buried it takes about 10 button pushes. The IMAP client is so bad it isn't worth using (the Funabol client is much faster and cleverer), and the camera takes so long to take a picture you will miss anything moving faster than walking pace.
As far as I am concerned Nokia software engineers could not write their way out of a paper bag. As a direct comparison get hold of a Nokia N800/N810 Internet Tablet, and then compare their email client to the Maemo version of Claws Email. Not only is Claws about twice as fast, but you have access to the entire IMAP folder list.
Nokia software coders - That will be your coat waiting for you.