Drea Knufken
Security expert Charlie Miller is sharing the details iPhone hack today at the annual Black Hat security conference. The iPhone virus takes control of the device through SMS messages. All an attacker needs is a person’s phone number. Once they’re in, they can send the viral SMS to everyone in the person’s address book. Miller and his colleagues claim to have told Apple about the iPhone virus about a month ago, according to Engadget, but Apple hasn’t reacted yet. CNET has more:
Here’s what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I’m talking to Miller and the next minute my phone is dead, and this time it’s not AT&T’s fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.
Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.
The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators. There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said.
In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack, only an attacker could temporarily knock the phone off the cell network but not take control, according to Mulliner, who’s getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.
Apple might want to think about patching at this point.
