Apple Patches iPhone SMS Security Hole With Software Update
Posted in: Hacks, iPhone, Phones, security, Today's Chili
Apple has released a minor software update for iPhone, patching a security flaw revealed just yesterday.
Security researchers Charlie Miller and Collin Mulliner on Thursday revealed a memory corruption bug that could be easily exploited by crashing an iPhone with a series of invisible text messages, which would then enable a hacker to hijack the device. From thereon, a hacker could control all the functions on the iPhone — most alarmingly, he could send more text messages to hijack even more iPhones.
The researchers demonstrated the SMS security hole at the Black Hat cybersecurity conference in Las Vegas. They also demonstrated the flaw by sending an attack to crash a CNET reporter’s iPhone.
On Friday morning, Apple released iPhone OS 3.0.1. Available through iTunes, the update “Fixes SMS vulnerability,” according to its description.
“We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms,” an Apple spokeswoman said in a phone interview with Wired.com. “This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.”
Apple moved even faster than necessary to fix the problem: Miller told Wired.com it took him two and a half weeks to discover the exploit. A hacker “really smart and lucky” could take a few days to replicate the attack, but that’s unlikely because “not many people in the whole world” have these skills, he said.
“Still, it just takes one bad guy a couple of weeks, and every iPhone could be attacked,” Miller told Wired.com in a phone interview.
Nonetheless, Jonathan Zdziarski, another iPhone security researcher, said he felt Miller sensationalized the problem with this stunt. He noted that many devices have vulnerabilities “in the wild” that nobody has exploited, and it’s unlikely a hacker would’ve devoted much energy to replicating Miller’s SMS attack, because there isn’t much to gain beyond annoying iPhone users.
“Every time we find a bug it’s been there for a year or more,” Zdziarski said. “At the very least it’s been six months, maybe longer.”
Miller acknowledged that the iPhone’s SMS weakness has probably existed for years; he first discovered the flaw in iPhone OS 2.0, which launched in 2008.
“The problem has been in the phone for year, but no one’s known about it,” he said in a phone interview Thursday. “Now that it’s out in the open, [Apple] can fix it.”
Updated 12:45 p.m. PDT with a comment from Apple.
See Also:
- Text-Message Exploit Can Hijack Every iPhone, Researchers Say …
- Apple’s iPhone Security Gets Better, But Still Not BlackBerry …
- Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses …
- IPhone Can Take Screenshots of Anything You Do
- Massive iPhone Security Flaw Exposes Your Private Data – Here’s …
- iPhone Jailbreaking Could Crash Cellphone Towers, Apple Claims …
Photo: Jon Snyder/Wired.com
Post a Comment