The iPhone’s SMS Security Loophole

Editor’s Note: Apple issued a 3.0.1 iPhone update for this security flaw less than 24 hours after it was demonstrated. Kudos to Apple for their swift response.

Do you have the privilege of owning one of the world’s most well known smartphones… the iPhone? If you do, then this article applies to you. As from Thursday 30th July 2009, two researchers showed the world the flaw that they have found in the SMS system set up by Apple on the iPhone.

If you receive a text message after the 30th July and you own an iPhone then be aware, as if once you open the message it should contain a single square character of some sort, then you are strongly advised by researcher Charlie Miller to turn off your device as quickly as humanly possible.

This plain and simple symbol is a warning to you, to tell you that it is highly likely that someone is trying to or has already tried to use this new bug, created by Miller and his partner cybersecurity researcher Mulliner, on your mobile phone. This new finding was made public at the Black Hat cyber security conference which was held in Las Vegas.

It is said that this bug could quite possible virally infect iPhones through the SMS facilities found on mobile phones.

This project that the pair has been working has resulted in them demonstrating on how to hack into the smartphone by taking advantage of a flaw that they have discovered in the iPhone’s message handling systems.

According to the duo, it is possible to send numerous messages at one time, a large number of which would be invisible to the receiver and would allow a hacker to gain complete power of the smartphone’s features – disastrous if there is extremely sensitive information stored on the phone (and with applications such as PayPal and mobile banking available, this is possible.)

Some of the things that the hacker can achieve includes controlling the phone numbers that have been dialled, opening up web pages, controlling when pictures are taken, and the most important of all, it can send on further texts to your contacts all of whom will receive the exact same bug that you may have just found yourself infected with.

Abused correctly and if in the wrong hands, this could quite possibly lead to a mass infection of iPhones across the globe.

Miller has been recently been quoted saying just how serious this all is and provided the users with a little guidance on what you should do if you find your phone with such a message, saying: “This is serious. The only thing you can do to prevent it is turn off your phone”, he continued to say. “Someone could pretty quickly take over every iPhone in the world with this.”

Apparently, although Miller and Mulliner both say that they have been in contact with Apple itself and told them in great detail of this discovery over a month ago, they are yet to hear a reply to their notification, and Apple have yet to respond to this unfortunate mishap.

Not only have the researchers found flaws in the messaging teams’ work over at Apple, but the Windows Mobile also has conditions suitable to host a bug of a similar demeanor that is activated through text messaging. This particular type of hacking allows complete control of Microsoft-based gadgets.

However, these new breed of bugs aren’t the first problem found in the iPhone’s genetics, as in 2007 Miller found another way to hijack the iPhone, allowing him little control over its functions. He was able to do this as he came across another flaw in the machinery of the browser.

This did not prove to be as effective as the new bug currently around, as this was only allowed to be activated if you could trick the user of the iPhone into visiting a web site that had already been infected. From there, the user needed to be persuaded into downloading a piece of software from the web site which was malicious. It was here that the infection of the device would take place.

After the discovery was further investigated, Miller then forewarned Apple in the July of that year. This problem was then amended by the company to ensure the prevention of such a thing happening again.

Despite Miller’s numerous attempts to gain communications and the repair of the newest flaw in the iPhone, Apple have still made zero amendments despite a hack that could ruin them. Miller says that he has “given them more time to patch this than I’ve ever given a company to patch a bug”.

He then continued to say that the other bug in Windows Mobile that himself and Mulliner plan to exploit hasn’t been patched up either. Nevertheless, he is still to alert Windows of this discovery, as it is still new to them too.

It has been said that the attack of mobile phones via SMS is going to be a popular topic at both the Black Hat and Defcon conferences.

Obviously, the decision to expose such terrible flaws in the system is that of a difficult one. This is due to the possibility of it leading to other things of which could be that of a cyber criminal’s heaven. However, Miller says that it is very important to ensure that the public and manufacturers of these devices are aware of the troubles that could happen if they were left for the cyber criminals of the world to uncover on their own. At least with this way, the smart phone manufacturers have a chance to mend the problem in the technology.

As Miller says, it is unfortunate for the researchers as it is only in their job description to find and seek information on such major problems. “As a researcher, I can only show [Apple] the bugs. It’s up to them to fix them.”

Quite basically, the moral of the story is that if you own an iPhone or a smart phone in general, then be aware of the dangers that you could possibly and rapidly become susceptible to – and if you get a text message with a square, turn your phone off: quick!