Apple has released a minor software update for iPhone, patching a security flaw revealed just yesterday.
Security researchers Charlie Miller and Collin Mulliner on Thursday revealed a memory corruption bug that could be easily exploited: a series of invisible text messages crashes an iPhone, which would then enable a hacker to hijack the device. From there, a hacker could control all the functions on the iPhone — most alarmingly, he could send more text messages to hijack even more iPhones.
The researchers demonstrated the SMS security hole at the Black Hat cybersecurity conference in Las Vegas. They also demonstrated the flaw by sending an attack to crash a CNET reporter’s iPhone.
On Friday morning, Apple released iPhone OS 3.0.1. Available through iTunes, the update “Fixes SMS vulnerability,” according to its description.
Apple moved even faster than necessary to fix the problem: Miller told Wired.com it took him two and a half weeks to discover the exploit. A “really smart and lucky” hacker could take a few days to replicate the attack, but that’s unlikely because “not many people in the whole world” have these skills, he said.
“Still, it just takes one bad guy a couple of weeks, and every iPhone could be attacked,” he told Wired.com in a phone interview.
Nonetheless, Jonathan Zdziarski, another iPhone security researcher, said he felt Miller sensationalized the problem with this stunt. He noted that many devices have vulnerabilities “in the wild” that nobody has exploited, and it’s unlikely a hacker would’ve devoted much energy to replicating Miller’s SMS attack, because there isn’t much to gain beyond annoying iPhone users.
“Every time we find a bug it’s been there for a year or more,” Zdziarski said. “At the very least it’s been six months, maybe longer.”
Miller acknowledged that the iPhone’s SMS weakness has probably existed for years; he first discovered the flaw in iPhone OS 2.0, which launched in 2008.
“The problem has been in the phone for years, but no one’s known about it,” he said in a phone interview Thursday. “Now that it’s out in the open, [Apple] can fix it.”
Apple did not respond to requests for comment on this story.
Photo: Jon Snyder/Wired.com
Originally by Brian X. Chen from Gadget Lab on July 31, 2009, 11:26am






