
Charlie Miller to Demonstrate iPhone SMS Hack at Black Hat Conference Today

UPDATE: Some folks are telling us that this is an iPhone 2.2.1 exploit already patched in

Almost a month ago we linked to an Engadget report on Charlie Miller and his SMS exploit for the iPhone. Well, today is the day he intends to show it off at the Black Hat conference.

Thanks to some last-minute media attention, however, the general iPhone user base seems to be getting a tad nervous. And rightly so. We've said it before and we'll say it again: in an ideal world, NSA expert turned iHacker Charlie, whose claim to current fame is using Mac exploits to win Pwn2Own contests and free laptops, would work with companies like Apple and Microsoft (yes, it looks like Windows Mobile has an exploit as well), and those companies would patch the vulnerabilities as quickly as possible, before any "research" was publicly disclosed and any bad guys decided to use them as attack vectors.

TiPb will update post-Miller's Black Hat disclosure, and hopefully Apple will roll the security fix into a quick 3.0.2 firmware release, or hurry 3.1 out of the gate.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • "in an ideal world, NSA expert come iHacker Charlie, who’s claim to current fame is using Mac exploits to win Pwn2own contests and free laptops, would work with companies like Apple and Microsoft"
    No doubt if these individuals had credibility, they would. Ever wonder why none of these 'security experts' ever have any actual corporate experience on their resumes?
  • "Ever wonder why none of these ’security experts’ ever have any actual corporate experience on their resumes?"
    no. because if they had a corporate mindset they wouldn't have the kind of perspective that makes them good at finding these particular exploits.
    not that corporate IT people are useless or anything - they find and solve plenty of problems on their own - just that to find the full range of possible exploits you need people looking for problems based on the full range of possible expertise.
    anyway, since apple apparently doesn't need to be in any way altruistic toward its customers, and has carte blanche to do whatever they want with their platform so long as it advances their perceived business interests, why not this guy?
    he's milking the attention because it is in his perceived best interest to do so, so he gets a free pass too, right?
  • oh, and the hilarious aspect of it is that the reason apple gave initially for having a "closed" app store and locked down SDK was to prevent this kind of network compromising hack...
    just to have it be apple's own messaging app exhibiting the problem, while perfectly safe apps are rejected from the app store for threatening Apple's 'business interests'.
  • Love the Picture Rene... HAHAHAH
  • So finding exploits and vulnerabilities doesn't give a security expert credibility? Hmmmm.
    Anyway, when will we be able to hack each other's iPhones? Come on dev team, release the hack on Cydia!
  • Engadget gets the credit for the picture. All their genius!
  • Why 3.0.2 update, did I miss 3.0.1?
  • 3.0.1 is rumored to be what the iPhone 3GS shipped with.
  • Again, you make the (security) fatal mistake of assuming an exploit is only discovered by a single person. Anybody who relies upon this is a fool. If Miller can discover this exploit, so can a real BadGuyX, who would remain silent about the hole and simply exploit it for fun or profit, or sell the technique to somebody who would.
    If Miller had bad intentions, that is what he would have done, but he did not. Instead, he gave Apple notice through the only external channel that seems to motivate Cupertino - bad PR - and, when Apple does nothing, you still toss around snide comments implying Miller is an actual bad guy here.
    If the flaw exists, it is Apple's obligation to fix it as soon as possible. Anything less is a disservice to their customers (us). They have not. Blaming Miller for disclosing this flaw after giving a month's warning is saying it is better to remain ignorant of dangers and pretend one is safe than it is to actually be safe.
  • @ Dev:
    I also think that Charlie Miller (I like his work, by the way) is showing it a month later due to timing with the Black Hat conference.
    (The thing I hate about these things is that I have to defend the iPhone to the BB people that I have to support, not that I have any delusions. I figure I will be supporting my bastard offspring BES server for quite a long time from now.)
  • Fear, fear, FEAR! The feeling is as American as Apple pie! ;P
    Seriously, you will most likely NEVER run into a hacker who specifically targets YOUR iPhone! RELAX!
  • Yes, he showing it a month later due to the conference. A month is far longer than researchers typically give a company for such an exploit, because the dangers of leaving it unpatched are too great. Lest you think the conference has it in for Apple, a similar flaw was discovered in WinMo last week, and, while the researcher notified MS immediately, they are still presenting it only days later. Far from being targeted, Apple has gotten appropriate if not exceptionally lax treatment here.
    The conference timing is irrelevant - a month should be long enough to fix what appears to be a buffer overflow. A month is too long for any company who gives more than lip service to security to leave such a hole open, once they know about it.
  • I am finding no evidence that this is or isn't fixed in 3.0, either. An Ars article from July 3rd ("Apple patching critical SMS vulnerability") quotes: "Miller told Ars last month that he didn't know if the vulnerability still existed in iPhone OS 3.0, though the fact that Apple is working on a patch—and already has iPhone OS 3.1 in beta—suggests it still exists in the latest version..."
    It could be a mad race to the gate--Charlie got there first, Apple is merely trying to get there ahead of possibility of exploits in the wild? How long will it take from tonight's hack demonstration before it is turned into a real attack vector in the wild?
    I don't want to know, but wish Apple would be more responsive (if not at least vocal) on the issue.
  • Oh no!!! You mean hackers can get to my picture of my cat?? Dammit Apple, you suck!
  • @Steve
    No, if it's a working exploit, it means that hackers can get your phone to connect to premium rate services (at the very least).
  • I have a 3GS and it's version is only 3.0, not 3.0.1. But when will we know the details of this hack? All OS versions affected?
  • @Robert
    They found multiple flaws in different phones, not just the iPhone. The researchers specifically told InformationWorld that Android 1.0-1.5 and iPhone 2.2.x were vulnerable. For iPhone examples, they crashed Springboard, and they also were able to knock out the CommCenter, while not crashing the phone, effectively blocking it from sending or receiving calls. It is not a stretch to think refined payloads could make an iPhone do more.
    Google responded in the article that the hole has been patched for Android devices. Apple did not respond to a request for comment, so it may or may not be an issue in the 3.x series.
  • Not worried at all. I find these types of exploits a little rediculous even though they're valid. Any malicious person would have to have my number first in order to send an SMS to me in the first place and the chances of that are... Well damn near impossible. Yes, Apple should close the hole but I'm not losing any sleep over it.
  • I have a question. There is ALL sorts of security demonstrations happening it seems (Leopard/Safari, iPhone and other SMS, SSL and others).
    They keep talking about the 'demonstrations'--excuse my naiveté, but they just demonstrate that the exploit exists. They don't actually divulge the coding or how they did it or how to use it, no?
    I'm tired from the FUD. FUDFUDFUD.
  • So, is this something we are all privy to experiencing and IF hacked, how do you know and what can be done to STOP it? I saw a news report that simply said "Don't open the text message and shut your phone off and then turn it back on". Is it that simple?
  • @Wyatt
    SMS spam is easier than email spam, 10000 addresses for every prefix the telecom owns, you don't need a list if you can count. no harm in sending the code to every AT&T phone number, most will just get a garbled txt but iphones will be 'infected'.
  • After searching the internet for all the info I could find on Miller's most recent iPhone virus scare seminar held today in Las Vegas, I have to contemplate if Apple has acted irresponsibly on behalf of all iPhone owners or Miller has simply reeled us into a bogus publicity stunt. Unfortunately, after all I've read on this issue I am more inclined to turn off my iPhone for the short term until this bug has been resolved. Until my confidence is restored in the product that basically stores much of the most sensitive and personal information in my life, I will carry a few extra quarters for now and find solace in a public phone booth when out of the office.
  • This should be easily blocked by AT&T. A simple SMS filter should do it.
  • Kevin Burney, I was thinking the same thing. But good luck getting ATT to help out. Our rates would need to go up for that to happen. Hahaha.
  • This has already been patched. Do you think they'd wait a month to find out how he did it? He's already told them and it has been fixed. You don't publicize how a hack is done without already telling the company and letting them fix it before thousands or millions of people watching see it and attempt to perform it before it gets patched.
    @Wyatt - ridiculous. not rediculous. + they could get your # from your friends/family's phones if they are able to hack those. nothing is 100% secure.
    that being said...i'll be using my blackberry until this is fixed.
  • Oh but you all don't need to worry about this. Given the fact that AT&T's network blows so bad you likely won't even get the malicious text message anyway. It will just get dropped somewhere in AT&T's network like millions of other texts that never seem to reach their destination. I'd be more worried if this were happening on Verizon since I would probably have reception and receive the message unlike AT&T where you won't have any reception.
  • Every one having the same problem regarding hiding or locking text messages on iPhones. Recently I downloaded a program from and it hides the iPhone SMS button and replaces it with a fake one that you can edit. Basically it doesn’t show all the girls I am talking to.