Black Hat: SMS bug can disable iPhone usage

Two security researchers on Thursday unveiled an iPhone vulnerability that can freeze up the popular smart phone without the user taking any action.

In one of the Black Hat conference's most popular talks, Charlie Miller, a well-known Mac hacker, and Collin Mulliner, a German Ph.D. student, revealed the bug, which enables an attacker to deliver a single invisible text message to a victim that knocks the phone offline.

The victim would not be able to make phone calls or send text messages, and any Wi-Fi or Bluetooth capability would be disabled.

"You basically change your iPhone into an iPod Touch," Miller joked. "It can be in their pocket or on the charger. It just nails them... It's a dangerous attack surface."

The researchers also were able to send a barrage of text messages -- 519 to be exact -- that enabled them to take complete control of a target phone by taking advantage of a memory issue. Only one message, in that case, is visible to the user.

Miller and Mulliner said they notified Apple of the flaw on June 18, but it has yet to be fixed. An Apple spokesman did not respond to a request for comment. According to reports, the researchers expect hackers to use the information they presented in their talk to develop an active exploit within two weeks.

To perform the attack, the duo used a fuzzing framework known as Sulley and a small tool to "man-in-the-middle" the link between the phone's application processor and its modem, enabling them to generate a massive number of fuzzed text messages quickly, for free and without anyone knowing it. The two men never had to use the mobile operator's network.

In the end, the pair sent hundreds of thousands of fuzzed SMS messages and then studied logs of which messages caused the phone to crash, which led them to the vulnerability.
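The triage step described above, attributing each crash in the device log to the fuzz case sent just before it, as an added illustration that is not code from the researchers or from Sulley; the log formats, process name and case notes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed fuzzer send log: "<timestamp> SENT case=<id> <note>"
SEND_LOG = """\
1000 SENT case=41 field=header_len value=0x05
1001 SENT case=42 field=header_len value=0xff
1002 SENT case=43 field=encoding value=0x7f
1003 SENT case=44 field=body_len value=0x00
"""

# Constructed device crash log (hypothetical process name "modemd"):
# "<timestamp> CRASH <process> <fault>"
CRASH_LOG = """\
1001 CRASH modemd SIGSEGV
1003 CRASH modemd SIGABRT
"""

SEND_RE = re.compile(r"^(\d+) SENT case=(\d+) (.*)$")
CRASH_RE = re.compile(r"^(\d+) CRASH (\S+) (\S+)$")


def parse_sends(text):
    """Return [(timestamp, case_id, note)] for every SENT line."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in map(SEND_RE.match, text.splitlines()) if m]


def parse_crashes(text):
    """Return [(timestamp, process, fault)] for every CRASH line."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(CRASH_RE.match, text.splitlines()) if m]


def correlate(sends, crashes):
    """Map each crash signature (process/fault) to the fuzz cases that
    were the last message sent at or before the crash. A case listed
    here is a candidate only; replaying it alone confirms whether one
    message suffices or whether the crash needs an accumulated sequence."""
    sends = sorted(sends)
    suspects = defaultdict(list)
    for ts, proc, fault in crashes:
        culprit = None
        for sent_ts, case_id, _note in sends:
            if sent_ts > ts:
                break
            culprit = case_id
        if culprit is not None:
            suspects[f"{proc}/{fault}"].append(culprit)
    return dict(suspects)
```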

"The idea is, I want to put on the fuzzer, go to bed and find zero-days," Miller said.

Similar vulnerabilities affect Google's Android, which has been patched, and Windows Mobile, which has not, the researchers said.

In another presentation Wednesday, researchers Zane Lackey and Luis Miras unveiled a way to spoof numbers in telephone networks that run GSM, the world's most popular mobile phone standard.

In a demo, they showed a simulated attack on an iPhone – faking a message that looked like it was coming directly from the carrier. The recipient got a text message that appeared to come from a trusted source, saying that to claim a refund, the user only had to log into their account.

They were able to send a message from a fake source – whether the source was numeric or text – so that it appeared to come from a person who may be known to the victim.

The researchers did not disclose how they were able to do it, nor the name of the carrier they tested their code on, but said that they were not aware of any exploits in the wild, and that they had notified the carrier. The carrier is aware of the problem and is working on a solution, they said.

The attack only works on GSM networks and uses an MMS protocol, not SMS.
