Black Hat: SMS bug can disable iPhone usage
In one of the Black Hat conference's most popular talks, Charlie Miller, a well-known Mac hacker, and Collin Mulliner, a German Ph.D student, revealed the bug, which can enable someone to deliver a single invisible text message to a victim that would cause the phone to be knocked offline.
The victim would not be able to make phone calls or send text messages, and any Wi-Fi or Bluetooth capability would be disabled.
"You basically change your iPhone into an iPod Touch," Miller joked. "It can be in their pocket or on the charger. It just nails them...It's a dangerous attack surface."
The researchers also were able to send a barrage of text messages -- 519 to be exact -- that enabled them to take complete control of a target phone by taking advantage of a memory issue. Only one message, in that case, is visible to the user.
Miller and Mulliner said they notified Apple of the flaw on June 18, but it has yet to be fixed. An Apple spokesman did not respond to a request for comment. According to reports, the researchers expect hackers to use the information they presented in their talk to develop an active exploit within two weeks.
To perform the attack, the duo utilized a fuzzing framework known as Sulley and a small tool to "man-in-the-middle" the phone's application processor and modem, enabling them to generate a massive number of fuzzed text messages quickly, for free and without anyone knowing it. The two men never had to use the mobile operator's network.
In the end, the pair sent hundreds of thousands of fuzzed SMS messages and then studied logs of which messages caused the phone to crash, which led them to the vulnerability.
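As an added illustration of that workflow (not the researchers' tooling, which targeted the iPhone's own SMS stack): a strictly bounds-checked GSM 03.40 SMS-DELIVER decoder plus a mutate-and-triage loop pointed at it, which logs any input the decoder fails on with something other than a clean rejection. The decoder, the constructed seed PDU and the mutation strategy are all assumptions for illustration; the originating-address branch also shows that the sender field, numeric or alphanumeric, is plain unauthenticated data.

```python
import random
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
def unpack_7bit(data: bytes, septets: int) -> str:  # GSM 7-bit default alphabet, packed LSB-first
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def take(pdu: bytes, pos: int, n: int) -> bytes:
    if pos + n > len(pdu):               # the bounds check whose absence a fuzzer finds
        raise ValueError("truncated PDU")
    return pdu[pos:pos + n]

def decode_deliver(pdu: bytes) -> dict:  # strict SMS-DELIVER TPDU decoder, no SMSC header in front
    if take(pdu, 0, 1)[0] & 0x03:
        raise ValueError("not an SMS-DELIVER")
    oa_len, toa = take(pdu, 1, 2)        # TP-OA: length in semi-octets, type-of-address
    if oa_len > 20:
        raise ValueError("bad TP-OA length")
    oa = take(pdu, 3, (oa_len + 1) // 2)
    if toa & 0x70 == 0x50:               # alphanumeric sender: free text, nothing authenticates it
        sender = unpack_7bit(oa, oa_len * 4 // 7)
    else:                                # numeric: nibble-swapped BCD, 0xF pads an odd length
        digits = "".join(f"{b & 0xF:x}{b >> 4:x}" for b in oa)[:oa_len]
        sender = ("+" if toa & 0x70 == 0x10 else "") + digits
    pos = 3 + len(oa)
    _, dcs = take(pdu, pos, 2)           # TP-PID, TP-DCS
    udl = take(pdu, pos + 9, 1)[0]       # TP-UDL sits after PID, DCS and the 7-byte TP-SCTS timestamp
    if dcs & 0x0C:                       # 8-bit or UCS-2 (DCS handling simplified): keep as hex
        return {"sender": sender, "text": take(pdu, pos + 10, udl).hex()}
    if udl > 160:
        raise ValueError("bad TP-UDL")
    return {"sender": sender, "text": unpack_7bit(take(pdu, pos + 10, (udl * 7 + 7) // 8), udl)}

SEED_PDU = bytes.fromhex("0405912143f500009070928143000005e8329bfd06")  # constructed: "+12345" sends "hello"
def fuzz_parser(seed: bytes, rounds: int, rng_seed: int = 0) -> list:
    """Mutate the seed; return the inputs the decoder fails on with anything but ValueError."""
    rng, crashes = random.Random(rng_seed), []
    for _ in range(rounds):
        m = bytearray(seed)
        if rng.random() < 0.5:           # bit flip anywhere, length fields included
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        else:                            # truncate the message
            del m[rng.randrange(1, len(m)):]
        try:
            decode_deliver(bytes(m))
        except ValueError:
            pass                         # rejected cleanly: the desired outcome
        except Exception as exc:         # over-read, bad index: this is the crash log entry
            crashes.append((m.hex(), repr(exc)))
    return crashes
```

With the bounds checks in `take` present the crash list stays empty; remove one and the loop reports the offending PDUs the way the researchers' logs did.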
"The idea is, I want to put on the fuzzer, go to bed and find zero-days," Miller said.
Similar vulnerabilities affect Google's Android, which has been patched, and Windows Mobile, which has not, the researchers said.
In another presentation Wednesday, researchers Zane Lackey and Luis Miras unveiled a way to spoof numbers in telephone networks that run GSM, the world's most popular mobile phone standard.
In a demo, they showed a simulated attack on an iPhone – faking a message that looked like it was coming directly from the carrier. In the demo, a text message recipient got a message that said it came from a trusted source. It said that to claim a refund, the user only had to log into their account.
They were able to send a message from a fake source – and were able to do it whether the source was numeric or text, so that it appeared to come from a person that may be known to the victim.
The researchers did not disclose how they were able to do it, nor the name of the carrier they tested their code on, but said that they were not aware of any exploits in the wild, and that they had notified the carrier. The carrier is aware of the problem and is working on a solution, they said.
The attack only works on GSM networks and uses an MMS protocol, not SMS.