Apple Seals iPhone's SMS Security Leak
Jul 31, 2009 1:04 PM PT
Could something as simple as an SMS text message turn your own smartphone against you, allowing a hacker to listen in on your private conversations or direct you to a malicious Web site?
It can be done, according to security experts presenting their findings Thursday at the Black Hat security conference in Las Vegas.
News of the now exposed flaw generated quite a buzz, especially because the researchers said they had notified Apple about the iPhone's susceptibility to the attack, but the vendor had not released a fix at the time it was revealed at the conference.
However, the iPhone maker on Friday rushed out with an iPhone OS update that it says addresses the flaw.
Google's Android operating system is also affected by an SMS flaw, but the Internet search giant has fixed it.
The danger of SMS flaws is that they let attacks spread widely very fast and have the potential to take phishing and cyberfraud to new heights.
News of the iPhone SMS Flaw
At Black Hat, Charlie Miller, a researcher from Independent Security Evaluators, and University of Berlin Ph.D. candidate Collin Mulliner demonstrated that hackers can break into an iPhone through the SMS protocol to launch a denial of service (DoS) attack or take control of a user's device.
They showed that hackers can launch malware attacks through a victim's iPhone or implement other types of attacks common in the PC world, such as installing information-stealing Trojans.
That's because smartphones, with their flash memory, operating systems and other capabilities, are essentially very small computers. iPhone hackers and crackers have been able to turn the phone into what could arguably be called a desktop. The Java-based Open Office suite can be ported to the iPhone and, because the iPhone has a connector on its base for video output, it can be hooked up to a large screen. Add a keyboard, and you have a computer with at least 16 GB of disk space, 128 MB of RAM and a 600 MHz processor that can run any Linux application.
Miller, who formerly worked at the National Security Agency, released the first remote exploit for the iPhone back in 2007 and has made a career out of breaking Apple's security. He made it to Popular Mechanics' Top 10 Hackers list in 2008.
Apple Issues Update
The duo publicized the flaw at Black Hat because Apple did not initially respond to their requests to fix it, they said.
On Friday, after news of the attack had been widely reported, Apple introduced iPhone OS 3.0.1, which it claims patches the SMS flaw.
Apple's exclusive carrier in the U.S., AT&T, said it's working hard to maintain security. "AT&T takes all security threats seriously, and we have controls and mitigation capabilities in place that block and identify attempts to breach the security of our network," spokesperson Jeannie Hornung told TechNewsWorld.
iPhone Users Upset
News of the flaw sparked the creation of a topic on how to disable SMS on Apple's iPhone forum.
"In light of the recently announced hack of iPhone's SMS, I'd like to turn the feature completely," dan-the-red wrote on the forum. "Once there's a permanent solution ... well, I'd like to leave it off. Frankly, I can't stand it. How can I kill it, short of turning off the iPhone?"
What Is SMS and Why Is It Flawed?
SMS, part of the GSM series of standards, uses standardized communication protocols to let mobile phone users send and receive messages of up to 160 characters.
GSM has several vulnerabilities, some of which carry over into SMS. However, SMS has additional vulnerabilities because of its store-and-forward feature and because it can be conducted over the Internet.
Back in 2005, researchers at Pennsylvania State University presented a paper on SMS' vulnerabilities at the 12th ACM Conference on Computer and Communications Security.
Titled "Exploiting Open Functionality in SMS-Capable Cellular Networks," this paper said that connections between mobile phones and the Internet through SMS could let hackers kill voice service to large metropolitan areas with a cable modem. The hackers could target the entire United States with a medium-sized zombie network.
SMS traffic can be used to create a denial-of-service (DoS) attack by simply sending enough of them to flood control channels. "It would be theoretically possible to knock out cellular service for the continent with a data rate of approximately 370 Mbps," the paper stated.
The Danger of Thinking Big
Hackers have not launched wide-scale attacks through SMS so far perhaps because they would first have to collect data on the phones available in a given area. However, that can be done over the Internet.
"Evidently, the bad guys haven't been able to figure out how to do it effectively yet," Randy Abrams, director of technical education at security vendor ESET, told TechNewsWorld.
However, when the hackers do figure it out -- if they manage to work around the patch Apple delivered -- it could be big trouble. "The iPod touch and iPhone share the same operating system, so if I can infect your iPhone and use it to infect all other iPhones in your address book, that could spread like wildfire," Carl Howe, director, anywhere consumer research at the Yankee Group, told TechNewsWorld.
The iPod touch would be a good vector to help spread the infection because it uses WiFi and can drop off the network after pulling or sending malware. Yankee's research shows there are more than 40 million iPhones and iPod touches worldwide.
"This could parallel the swine flue pandemic with the rapidity of its spread," Howe said.
Google Plugs the Leak
The Android operating system also suffered from an SMS flaw, but it's different from the Apple flaw, according to Android security engineer Rich Cannings.
The Android flaw would let attackers temporarily knock mobile phones off the cell network but would not let them gain control of the devices, Cannings told TechNewsWorld.
Miller and Mulliner had notified Google about the flaw at the end of June, and Google fixed it within days, Cannings said. "We made the fix available to carriers and OEMs for use in updating their customers, and have updated open source Android," he added.
Android users who update their systems will see that the update includes a security fix.
Taking CyberFraud to the Max
Security fixes are essential because SMS spoofing could take cyberfraud to new heights, ESET's Abrams warned.
"I just got an e-mail from a stranger claiming she's stranded in London and has lost her wallet and passport and asking me to send her money," he said. Such messages are a common tactic for scammers who break into a victim's email account and then steal money from that person's friends.
"That sort of fraud will be even more effective on cellphones than it is on e-mail when it appears to come from your friend, because people trust their cellphone messages even more than they trust e-mail," he said.