Apple has fixed a vulnerability in the iPhone that could have enabled hackers to send malicious text messages to either knock the device offline or execute remote code.
The patch arrived Friday, one day after researcher Charlie Miller and German Ph.D. student Collin Mulliner presented details on the flaw at the Black Hat conference in Las Vegas — in one of the most attended talks of the show.
Miller described the memory corruption issue as a bug that could enable an attacker to launch a denial-of-service attack against a victim phone, preventing users from making phone calls, sending texts or accessing the internet and effectively downgrading their “iPhone into an iPod Touch.” All a hacker would need to do is send a single, specially crafted SMS message, which would appear invisible to the user.
The vulnerability also could be exploited to do much more harm, Miller said. A barrage of malicious messages could enable an attacker to take complete control of the device. In his and Mulliner’s test run, they sent 519 texts to a phone and were able to obtain control.
Miller did not reveal the complete exploit code at his talk but estimated that hackers will use the partial information he provided to develop working attack code within a couple of weeks.
Apple was notified of the flaw on June 18, and Miller said he expected a fix before the show.
The delay prompted some security observers to question whether Apple is as committed to security as it should be.
“Unfortunately, it looks like the security problems with [the] iPhone will continue to grow until Apple makes security a higher priority,” said Andrew Storms, director of security operations at vulnerability management firm nCircle. “If there is a silver lining for iPhone users, it’s that all of the security research attention it is getting could eventually turn the iPhone into one of the most secure mobile platforms.”
In an informal poll conducted at Black Hat by nCircle, in which 94 people voted on which mobile device would be most vulnerable to attack for the remainder of 2009, 56 percent of respondents chose the iPhone. An Apple spokesman could not be reached for comment.
Miller and Mulliner presented similar vulnerabilities affecting Google’s Android, which has been patched, and Windows Mobile, which has not.
Apple, in a security advisory, said the patch is available for iPhone versions 1.0 through 3.0.