Skip to main content

Black Hat: SMS Attacks Not Just for iPhones

Technologizer is reporting on the developing story on SMS attacks coming out of today's Black Hat Conference sessions. Seems like while the iPhone is grabbing a lot of attention, almost all GSM phones are said to be vulnerable. Basically, they get around the anti-spoofing security and send data designed to get access and take control of the phone.

On the iPhone specific side, however:

In a final coup for the conference, Lackey and Miras demonstrated an iPhone app they call TAFT which can, at the click of a few buttons, transmit various types of attacks against specific, vulnerable phone models, including iPhones, and phones running the Windows Mobile 5 and pre-”cupcake” Android operating systems.

Vendors, including Apple are working on patching the exploit, though there is still no word which specific models or firmware versions are vulnerable.

More as the story continues to develop.

Rene Ritchie
Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

32 Comments
  • Other coverage indicates that its ALL versions of the iPhone firmware that are at risk.
    Further, the damage that can be done to the phone and the damage that can be done with a compromised phone seem to be much more serious for the iPhone.
    In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack. However, while an attacker could temporarily knock the phone off the cell network, they could not take control, according to Mulliner...
    The HTC just loses some on screen buttons till rebooted.
    http://news.zdnet.com/2100-9595_22-326501.html
    This security flaw is common to some degree in all GSM phones as Rene points out.
    It was a late addition to the GSM standard to allow Over The Air (OTA) updates that carriers can send to your phone to fix some minor problems in network settings, etc.
    However, smart phones open this hole wide, because the phone OSs will allow execution of un-authenticated code, because they allow sending replacements for key files or (in the case of the iPhone) replacement executables.
    This is a pretty egregious security flaw on Apple's part, they should have built better authentication into this process, especially if they are going to allow re-writing portions of the OS.
    If the carriers block this mechanism entirely, OTA updates are no longer available.
    This was a roadside bomb waiting to go off. It just so happens that when the target is a smart phone with weak security, the damage can be much greater.
  • Until the patch is released, this is a great reason to jailbreak and change the root password.
  • I asked this in the other comments section, but this one still has its new car smell.
    There are ALL sorts of security demonstrations happening at Black Hat. They keep talking about the ‘demonstrations’.
    Excuse my naiveté, but I am unclear: Do they just demonstrate that the exploit exists? They don’t actually divulge how to code for it or how to use it, no?
    The reactionary response is that it is all over tonight ;-)
  • Dryland: That won't help according to several reports.
  • @Sheik:
    They do not generally make all details known.http://www.informationweek.com/blog/main/archives/2009/07/blackhat_bombs...
    They did advise Apple of this exploit 6 weeks ago, including telling them how to protect against it, but Apple did nothing. The also told Apple that they were going to demo this, but Apple did nothing.
    The carriers have some significant responsibility here too, its not ALL Apple's fault.
    So far, this has not reached the New York Times, so Steve Jobs may not even be paying attention yet.
  • So basically this is the downside to the jailbreaking community. While still possible, it would have been far less likely - faaaaaar less likely - had the jailbreak community not existed, and plasted root passwords all over the Internet.
    Thanks guys!
  • @frog
    Umm...no, this has nothing whatsoever to do with jailbreaking. This has to do with a flaw in over the air provisioning of GSM phones.
  • frog you are an ignorant tard who doesn't know what he is talking about...
  • Yeah I don't know who said this had anything to do with jailbreaking or the jailbreaking community. It absolutly has nothing to do with it or ssh. Which is the root password thing. It has nothing to do with either. Nothing at all. What it has to do with is the smatphone community and the fact that apple and other smartphone makers were notified of this vulnerability and have dine nothing about this. Leaving everyone vulnerable, not just jailbreakers and not just people with ssh enabled... EVERYONE. Apple, Microsoft and google should have fixed this by now in fact it never should have been an issue. If this is because of an issue with the openess over the air ota updating then why was this included in the iPhone? Apple has never updated anything ota so why not just eliminate the ability and in turn eliminate the problem. Why would we need to update ota if apple never uses it we can't either. Just a thought of a way to eliminate the problem with my limited knowledge of the subject.
  • @icebike, I seriously doubt Apple has done 'nothing', just because they haven't said anything is not the same as them doing nothing.
  • @Ice: Exactly what I thought. Although in the Ars article from July 3rd ("Apple patching critical SMS vulnerability...") they seem to have revealed to Charlie that [that Apple is working on a patch].
    Apple is indeed the fouling player here, but I don't think that they are sitting on their hands so much as just not turning around the fix fast enough. They DEFINITELY need to step up their security priorities AND be a little more transparent. In the meantime, alarmist headlines will continue to gain traction. It is Apple's fumble.
  • @caballera have you recieved a firmware update? No... So they have done nothing. If they had done something they probably would have let everyone know they were not vulnerable so everyone wouldn't be freaking out while at the same time letting the public know that winmo and android had nit fixed it yet. Has anyone heard anything about the pre being vulnerable.
  • You would think given six weeks to fix this they could have updated already. Maybe it is a little tougher than I am thinking. They are assuredly working on it. I just meant that they have not released any fix yet or statement or anything.
  • @Mattshall
    I am pretty sure that the Pre will resist the GSM-specific hijacking, but might also be prone to the SMS issue to some degree. I also haven't heard about the vulnerability of RIM devices--maybe the RIM network isolates users?
  • The Cnet article above says that google fixed the problem withen a couple of days of being notified.
  • @Matshall:
    while at the same time letting the public know that winmo and android had nit fixed it yet.
    My understanding is that Android has fixed it.
  • So it is because of allowing OTA updates for GSM phones? I don't recall any of my phones ever getting any kind of update before the iPhone.
  • Yes, the quote above indicates pre-Cupcake versions of Android are affected, which means versions 1.0 and 1.1. "Cupcake," version 1.5, came out in late May. Whether Google fixed it after talking to Miller et al, or whether they found and fixed the hole on their own during 1.5 development, I do not know.
    Google maintained in an article yesterday for Information Week that the issue had been patched. Apple did not respond for a request for comment, and it did not appear Information Week attempted to contact either MS or RIM.
  • @icebike, It's hit MSNBC, Reuters, and the AP wire. Gotta get around soon. ;)
  • nice try apple
  • Well there probably waiting until 3.1 to come out to release the patch...
  • haha stupid iphone... hmmm wonder why the pre doesnt have this problem... oh yeah now i remember cause its not some iCrap
  • That cnet article
    http://news.cnet.com/8301-27080_3-10299378-245.html?tag=mncol;txt
    also confirms that the attack works against unjailbroken iphones running 3.0. (As others noted, the article indicates Google patched Android a day or two after being notified.)
  • Details: http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/Bl...
  • Good summerization on the Registerhttp://www.theregister.co.uk/2009/07/31/smartphonehijacking/
    http://tinyurl.com/myxp4y
  • I'm surprised none of the phone makers/carriers saw this coming. This stupid hole allows root access without authentication. I think this is careless on everyones part.
    Apple will most likely release 3.1 as a fix for this. However, 3.0.1 would suffice and calm some nerves. Now that it's out, and being widely covered, Apple will need to save face.
  • Day 2 and my iPhone still has not been hacked rolls eyes.
  • Apparently, O2 are releasing a fix... i guess just by updating their carrier bundle: http://news.bbc.co.uk/1/hi/technology/8177755.stm
  • Edit: No they're not, Apple are! So i guess 3.0.1
  • Yes, plug phone into Itunes and you will be notified about 3.0.1. Jailbreakers may want to hold off as usual.
    This story must have finally hit the New York Times. ;-)
  • Lol get a blackberry lmao. Get a real phone lolol. This just doesn't happen to berries. Hehe
  • Just wish to say your article is as surprising. The clearness in your post is simply spectacular and i can assume you are an expert on this subject. Fine with your permission let me to grab your RSS feed to keep updated with forthcoming post. Thanks a million and please keep up the gratifying work.