toggle

AAPL Stock: 102.25 ( + 0.12 )

Printed from http://www.macnn.com

iPhone SMS vulnerability nears public exposure

updated 03:25 pm EDT, Wed July 29, 2009

iPhone SMS vulnerability

Apple has yet to fix a key iPhone vulnerability the day before it is publicly exposed, notes security researcher Charlie Miller. At the beginning of July, Miller announced the preliminary details of an SMS exploit which could theoretically be used to assume control over a remote iPhone. That exploit has now been brought to fruition, the researcher says, and will be detailed in full -- as planned -- at this Thursday's Black Hat conference in Las Vegas.

Although Apple has been made aware of the problem, and promised a fix by the end of the month, it has yet to release updated iPhone firmware with just days remaining until August. The iPhone may not be unique in its vulnerability; another Black Hat presentation by Zane Lackey and Luis Miras is set to show a similar exploit possible on a wider basis. Apple has not commented publicly on the matter since Miller's initial announcement.




by MacNN Staff

POST TOOLS:

TAGS :

toggle

Comments

    Comment buried. Show
  1. testudo

    Joined: Dec 1969

    -20

    well...

    I'm sure when this gets exposed before Apple patches the iPhone we'll be told:
    - The guy should wait before releasing the info, to give Apple time to develop a fix (regardless of the time already given, plus that others apparently know of the issue)
    - Oh, he didn't actually take control of the iPhone, so it isn't an issue
    - It isn't Apple's problem, but ATTs. There's nothing Apple can do to fix it.
    - This is why Apple feels they need to keep control of the apps people put on the device, and why jailbreaking is bad.

  1. c4rlob

    Joined: Dec 1969

    +2

    just in time for

    Then Apple's release of a MobileMe app for the iPhone which has access to users' online documents/folders seems unfortunately timed for such a vulnerability to be exploited?

  1. nat

    Joined: Dec 1969

    +10

    for crying out loud

    now, testudo, you KNOW you're supposed to at least wait for someone to post so you can do that thing you do (over and over and over and...)

    come on!

  1. zimbardo

    Joined: Dec 1969

    +2

    Lovely...

    Is Charlie a security expert or a security threat?

    He like a firefighter who sets fire a home and then tries to resuscitate the burn victims.

    I suggest we all get swine flu vaccinations before August as well. Charlie Miller will probably taint the metropolitan water system just to make a point.

  1. b9robot

    Joined: Dec 1969

    0

    I don't think it's real.

    I really don't think this is real, or as bad as this guy makes it out to be. That's why Apple hasn't patched it yet. If they know about a REAL security threat, Apple will patch it.

  1. G4_Kessel

    Joined: Dec 1969

    0

    Have you ever noticed?

    Have you ever noticed... that every time someone points out these "vulnerabilities" that allow one to "theoretically assume control" of an OSX devise, nothing ever comes of it? Even prior to security patches, you don't hear "Joe Blow from Idaho just had data stolen from his < fill in Apple product here > due to a hacker taking control!" I'm not saying the patches are pointless. I'm just saying these articles are usually just making mountains out of mole hills.

  1. ERG

    Joined: Dec 1969

    +1

    As I've previously said..

    The claimed assertions by Mr. Miller (derived by a look at a crashlog!) are bullshits (looking for popularity?)

    Technically would be possible to send someone a "binary SMS" and here's detailed how (including how-to instructions):
    http://mobiforge.com/developing/story/binary-sms-sending-rich-content-devices-using-sms

    Try by yourself to do that to an iPhone and you'll find that:
    1) iPhone OS doesn't support J2ME (Java 2 Micro Edition), one of the requisites
    2) you should've been able to send that SMS to a particular port and that's not possible on almost any country: you hand the SMS to the carrier and they take care of delivering it through their architecture...

    More details here:
    http://download.oracle.com/docs/cd/E1414801/wlcp/ocsg41otn/appdev/ews-binsms.html

  1. lkrupp

    Joined: Dec 1969

    +1

    Testudo the Blind one

    The point is, testudo, that this security "researcher" has set himself up as the arbiter of what is sufficient time to issue a patch. By his own words he admitted he cannot fix the problem, he only found it. Who is he to determine how long it takes to fix the problem? He gave Apple six weeks. HE gave Apple six weeks to issue a patch. Woopty-do. Aside from the argument about how bad this issue is, and remember that guys like him predict apocalypses on a daily basis that never occur (conficker worm, anyone?), this sort of arrogance only proves what their true motives are. They are egomaniacs who crave attention.

    My prediction? Nothing major will come of this exploit, Apple will release a patch (on THEIR time schedule, not his) and this will fade from the news just like all the other catastrophes Mr. Miller has predicted in the past. Anyone remember the notorious "vulnerability-a-day" marathon that released a so-called major Mac security issue every day for thirty days? That was a couple of years ago. Any guesses as to how many Mac users were devastated by those "issues"? Hmmmm.

    I put Miller right up there with testudo. Both are narcissistic egomaniacs who think much too highly of themselves.

  1. PHoynak

    Joined: Dec 1969

    +3

    Testudo???

    I have to ask what do you do when you are not here? You should do that more and maybe you will be happier. I know we would.

  1. ibugv4

    Joined: Dec 1969

    -3

    his track record

    is impressive, Apple asked him to hold off on publicly announcing the last exploit he found in 2007 with Mobile Safari, or did we forget that?: http://www.iphonic.tv/2007/08/charliemillerhacker_explains.html

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Epson PowerLite Home Cinema 2030 projector

With high-definition televisions now the standard, 4K televisions becoming the next big thing, and plasma TVs going the way of the din ...

Life n Soul 8 Driver Bluetooth headphones

When it comes to music on the go, consumers generally have some options to consider when looking for the best experience. While Blueto ...

Pure Jongo T2 wireless speaker

Multi-room audio compatibility is a key metric for wireless sound systems these days. The entry cost into a house-spanning system can ...

toggle

Most Commented