It seemed perfectly ordinary when the distinctive Apple chime bounced off the walls in a small Adelaide office as an iPhone downloaded an SMS.
But the calm soon broke as the staffer read a strange message splashed over the top of the iPhone that read “exploit. Downloading PIM [personal information management] data 40%.”
She recognised it as a hack that was siphoning her personal information. Panicking, she killed Bluetooth, wi-fi and 3G, and restarted the phone.
It was a flash or class-zero SMS: a type of message officially used to distribute emergency services notices which rendered in full text on the home screen of almost all mobile phones on the market.
Savvy BlackBerry, Nokia and Symbian users have used flash SMS for years.
All iPhone users could receive flash SMS messages, but they could only be sent by users of jailbroken devices via a string of command lines through terminal.
However, unlike when sent from other devices, iPhone flash SMS messages do not contain information capable of identifying the sender.
Flash SMS sent to Windows devices displays only as a “network message”.
Twenty minutes later and another iPhone beeped in the office. It was a flash SMS containing what appeared to be the same hack.
A third staffer received a flash SMS on his personal iPhone reading that the downloading of PIM data was at 90 percent.
IT consultant Michael Jenkin called Telstra Business Support. “They didn’t know anything about it,” said Jenkin, the director of Business Technology Partners.
“I sent data from the iPhone to Telstra and Apple but nothing came of it.”
Telstra did not maintain logs of sent and received flash SMSs.
Two more flash messages hit staff iPhones. They read: "** ?ex_”-=t?e ** 30% downloaded. ios401"
The end of the message, “ios401”, corresponded to the firmware running on the factory set iPhone 3Gs devices. Messages also included information on the name of the iPhone operating system.
The beeps continued the following day, and corporate and personal email account data was downloaded to the company’s iPhones.
iTunes account details including a username and password were displayed on one phone. On another, information on .local, the company’s internal network domain, was downloaded.
“We cut Exchange from the phones, ActiveSync too from servers. We changed all passwords,” Jenkin said.
A lady in Florida emailed an employee with news that a screen capture of his iPhone along with iTunes account details was sent to her screen.
The employee also found his Gmail account hacked and the password changed.
Two days after the first message was received in August last year, Jenkin contacted security companies. He sent extensive server logs to Trend Micro which declared the systems absent of malware.
Microsoft forensics professionals found no evidence during what Jenkin called exhaustive tests for network intrusion.
The South Australian Police eCrimes division was asked to investigate. It escalated the case to the Australian Federal Police which cloned the affected phones, but found no sign of exploit.
Apple deemed it a new issue blamed likely on a malware infection, before going quiet, Jenkin said.
Even veteran Apple hacker and Accuvant researcher Charlie Miller told SC he was unfamiliar with flash SMS and could not identify the issue.
Earlier this year, similar flash SMSes began hitting staff phones again.
South Australia’s e-crime head Paul Featherstone said the messages were identified as flash SMS but could not be distinguished further.
The state police had sent flash SMS to factory-set iPhones from a MobileMe installation operating on a remote machine to demonstrate the attacks.
He noted that these types of attacks could be a result of malicious insiders, or pranksters.
Jenkin asserted that company information did not appear compromised and that staff had sworn innocence.
Edited at on 24 October at 3pm: This article originally stated that only jailbroken iPhones were affected by the attack. Non-jailbroken iPhones were also affected.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.