SMS bug can disable iPhone usage: Black Hat


One single malicious text message can knock an iPhone offline, a pair of researchers disclosed at Black Hat.

In one of the Black Hat conference's most popular talks, Charlie Miller, a well-known Mac hacker, and Collin Mulliner, a German Ph.D. student, revealed a bug that enables an attacker to deliver a single invisible text message to a victim and knock the phone offline.

The victim would not be able to make phone calls, send text messages, and any Wi-Fi or Bluetooth capability would be disabled.

"You basically change your iPhone into an iPod Touch," Miller joked. "It can be in their pocket or on the charger. It just nails them... It's a dangerous attack surface."

The researchers also were able to send a barrage of text messages -- 519 to be exact -- that enabled them to take complete control of a target phone by taking advantage of a memory issue. Only one message, in that case, is visible to the user.

Miller and Mulliner said they notified Apple of the flaw on June 18, but it has yet to be fixed. An Apple spokesman did not respond to a request for comment. According to reports, the researchers expect hackers to use the information they presented in their talk to develop an active exploit within two weeks.

To perform the attack, the duo utilised a fuzzing framework known as Sulley and a small tool to "man-in-the-middle" the phone's application processor and modem, enabling them to generate a massive number of fuzzed text messages quickly, for free and without anyone knowing it. The two men never had to use the mobile operator's network.

In the end, the pair sent hundreds of thousands of fuzzed SMS messages and then studied logs of which messages caused the phone to crash, which led them to the vulnerability.
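The fuzzing described above mutates the fields of the SMS-DELIVER PDU that the modem hands to the application processor, and the crashes it surfaces are typically length fields that no longer match the bytes behind them. As an added illustration (not code from the researchers or the article), this strict parser checks every length against what actually follows and rejects a mutated PDU instead of reading past it; both sample PDUs are constructed for the example.

```python
"""Strict parser for a GSM 03.40 SMS-DELIVER PDU (mobile-terminated format)."""

def _swap_digits(raw: bytes, ndigits: int) -> str:
    # Addresses are BCD with nibbles swapped; an odd digit count is padded with 0xF.
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw)[:ndigits]

def _unpack_7bit(data: bytes, count: int) -> str:
    # Septets are packed LSB-first. Only the ASCII-coincident part of the GSM
    # default alphabet is mapped; other code points become '?'.
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            s, acc, bits = acc & 0x7F, acc >> 7, bits - 7
            plain = 0x20 <= s <= 0x7A and s not in (0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60)
            out.append(chr(s) if plain else "?")
    return "".join(out)

def parse_sms_deliver(pdu_hex: str) -> dict:
    buf, pos = bytes.fromhex(pdu_hex), 0
    def take(n: int) -> bytes:            # bounds-checked read; never slices past the end
        nonlocal pos
        if n < 0 or pos + n > len(buf):
            raise ValueError(f"PDU truncated: need {n} byte(s) at offset {pos}")
        pos += n
        return buf[pos - n:pos]
    take(take(1)[0])                      # SMSC address (type octet + digits), skipped
    if take(1)[0] & 0x03 != 0:            # TP-MTI must be 00 for SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = take(1)[0]
    if oa_digits > 20:                    # spec maximum for an address
        raise ValueError(f"originating address too long: {oa_digits} digits")
    take(1)                               # type-of-address
    sender = _swap_digits(take((oa_digits + 1) // 2), oa_digits)
    take(1)                               # TP-PID
    dcs = take(1)[0]
    take(7)                               # TP-SCTS timestamp
    udl = take(1)[0]
    if (dcs >> 2) & 0x03 == 0:            # general coding group, 7-bit alphabet
        text = _unpack_7bit(take((udl * 7 + 7) // 8), udl)
    else:                                 # 8-bit or UCS-2: UDL counts octets
        text = take(udl).hex()
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing byte(s) after user data")
    return {"sender": sender, "dcs": dcs, "text": text}

def is_well_formed(pdu_hex: str) -> bool:
    try:
        parse_sms_deliver(pdu_hex)
        return True
    except ValueError:
        return False

# Constructed sample: sender 44775810065, 7-bit text "hello".
SAMPLE_PDU = "0791447758100650040B914477850160F500001110102100000005E8329BFD06"
# Same PDU with TP-UDL mutated to 32 septets while only 5 user-data bytes follow.
MALFORMED_PDU = SAMPLE_PDU[:52] + "20" + SAMPLE_PDU[54:]
```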

"The idea is, I want to put on the fuzzer, go to bed and find zero-days," Miller said.

Similar vulnerabilities affect Google's Android, which has been patched, and Windows Mobile, which has not, the researchers said.

In another presentation this week, researchers Zane Lackey and Luis Miras unveiled a way to spoof numbers in telephone networks that run GSM, the world's most popular mobile phone standard.

In a demo, they showed a simulated attack on an iPhone – faking a message that looked like it was coming directly from the carrier. In the demo, a text message recipient got a message that said it came from a trusted source. It said that to claim a refund, the user only had to log into their account.

They were able to send a message from a fake source – and were able to do it whether the source was numeric or text, so that it appeared to come from a person that may be known to the victim.

The researchers did not disclose how they were able to do it, nor the name of the carrier they tested their code on, but said that they were not aware of any exploits in the wild, and that they had notified the carrier. The carrier is aware of the problem and is working on a solution, they said.

The attack only works on GSM networks and uses an MMS protocol, not SMS.

Copyright © SC Magazine, US edition