Security researchers have figured out how to disable or take over the iPhone and other smart phones using simple text messages.
Charlie Miller made his name hacking cool stuff like the first Apple iPhone, the T-Mobile HTC G1 phone with Google Android software, Second Life, and the Mac operating system. He does it all not for a criminal purpose, but for the sake of improving security. But he’s always a thorn in the side of big companies.
He’s at it again, having figured out how to take over your iPhone with this new trick. He and partner Collin Mulliner, a German security researcher getting his doctorate at the Technical University in Berlin, did so by constructing a message containing data and code that causes your iPhone to crash. They can then take it over and run any code they want on it.
If they wanted, they could spread the message by sending it to friends in your address book. The scary thing is that the user doesn’t need to do anything, as in past hacks, where users had to go to a compromised web site to trigger a vulnerability.
The researchers showed a live attack on a demo iPhone. They can use the trick to launch a “denial of service” attack, where they send the crash messages every 10 seconds and essentially keep the targeted phone off the network. Miller notified Apple of the bug about six weeks ago, but there is no patch yet. Apple has yet to comment.
Once in control of a phone, they could, for instance, tell it to send all of its data to a third-party location and to continue to do so with each new message or email that arrives. The hackers said they can use the same methods to take over most smart phones. They showed how they used the same attack to take over a Google Android phone as well as a Windows Mobile phone.
“We could probably port this to a Palm Pre in an hour,” Miller said.
Other security firms have also demonstrated bugs in SMS messages that can make users vulnerable. Miller, a security analyst at Independent Security Evaluators, said he was surprised that the Short Message System, or SMS text messages, has no serious protection such as a firewall. That made the job much easier. The researchers figured out what the various text codes mean or control in SMS messages as they are sent to a Short Message Control Center, a processing center at the phone carrier that reviews the messages and routes them to the right phone number.
Once the text message causes the phone to crash, Miller said, he can take over the phone because it’s functioning like a computer. He can pollute the phone’s memory and then run his own program on the phone. Miller and Mulliner did their research by conducting a “man in the middle” attack, sending bogus messages between the applications processor on the phone and its modem, or cell phone radio processor. They found they could send hundreds of thousands of test messages to uncover the various vulnerabilities they could trigger with different codes.