SMS, other hacks for iPhone shown at Black Hat

updated 11:45 pm EDT, Thu July 30, 2009

iPhone vulnerable to hacks

True to their word, security experts on Thursday demoed a flaw in the iPhone's operating software that enables attackers to control any iPhone by sending special SMS messages to the phone. The software hole was demonstrated by researchers Charlie Miller and Collin Mulliner at the Black Hat conference in Las Vegas. The flaw could be used by a hacker to make calls, steal data, send text messages, power down the device and operate any application on the iPhone. Miller contacted Apple about the problem six weeks ago. Although the company said it would release a patch to resolve the issue by the end of the month, no iPhone OS updates have been released.

The researchers additionally revealed a similar texting bug in Windows Mobile that allows control of Microsoft-based devices and a pair of SMS bugs that affect both the iPhone and Google's Android phones. The bugs allow hackers to knock a phone off its wireless network for about 10 seconds. Google has patched the bug since being contacted by the pair, but the second iPhone bug still remains.

Miller also exposed problems in the iPhone software in 2007, using a website to remotely hijack an iPhone using a flaw in its browser. When Miller alerted Apple in July of that year, the company patched the vulnerability before Miller publicized the bug at the Black Hat conference the following month.

Other SMS message attacks were showcased at the conference, including one that attacks virtually all GSM phones and GSM wireless operators. Security researchers Zane Lackey and Luis Miras revealed an iPhone application they call TAFT which can transmit various digital attacks against vulnerable phone models such as the iPhone and devices running Windows Mobile 5.

by MacNN Staff




  1. ajhoughton

    Joined: Dec 1969



    Explain to me again why a security researcher should be able to tell everyone else what to do, under threat of releasing sensitive information (in this case a bug that could be exploited for malicious purposes).

    While I appreciate that it's good for security holes to be fixed, it strikes me that there is a strong similarity between this "patch before date X or we'll publish so malicious people can hack your customers" attitude that some security researchers seem to have adopted and a good old-fashioned protection racket. The only difference is that with the old-style protection racket, it's the people making the threat who directly hurt you, whereas in this case they're relying on an unrelated third party doing the hurting.

  1. dogzilla

    Joined: Dec 1969


    re: hmmmm

    Are you insane?

    The reason why researchers go public with security flaws by a deadline is because, when they don't, the relevant corporations never patch the holes. This has been shown time and again to be the case.

    You seem to think that a corporation is like your good buddy, that he'll do the right thing if you just cut him some slack. You are living in some Disney world. Corporations have no personality, no loyalty and no responsibility to anyone save the one to maximize profits in every way shape and form possible. They must be forced to do even the minimally right thing, in some cases by forcing them into action with the public release of potentially harmful information.

  1. NapMan

    Joined: Dec 1969


    re: hmmmm

    I believe their thinking is that if they can figure out the hack surely someone else can figure it out too. And that person would likely not go to Apple but still might distribute it.
    It's not like they are going to make money on it but they are pressuring Apple to fix it.

  1. testudo

    Joined: Dec 1969


    Information is power

    That's an old phrase, but it is true. In a perfect world, one would hope to get this information public as soon as possible, so people know what threats they face.

    Wanting them to keep quiet is like wanting the government to not tell you that they know there's a serial murderer on the loose in your town, who kills anyone wearing red and whistles 'Dixie', because, well, they haven't had a chance to stop the guy yet, and if no one else knows about it, maybe no one else will get hurt.

  1. Donevan

    Joined: Dec 1969


    Update coming Saturday

    Apple has told its telecom partners that a patch will be available through iTunes tomorrow (Saturday 1 August).
