Hijacking All iPhones via SMS

[Tramain]

Found this out via Twitter from Jamesus.

Quote:

Cybersecurity researchers Charlie Miller and Collin Mulliner discovered how to completely hijack any iPhone via SMS. Tomorrow (Thursday) they plan on publicize and reveal the vulnerability at the Black Hat cybersecurity conference in Las Vegas. They will be demonstrating how to send a series of SMS burst to the iPhone which will allow them to take complete control of EVERYTHNIG on the device and then propagate the attack by sending more SMS messages via the hijacked iPhone. According to Miller

Quote:

This is serious. The only thing you can do to prevent it is turn off your phone . . . Someone could pretty quickly take over every iPhone in the world with this.

Quote:

Since Apple has yet to address this iPhone vulnerability even though Miller and Mulliner notified Apple over a month ago. Miller suggests that if you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character you should turn the device off immediately.

This vulnerability should be heeded and patched by Apple asap (3.1 firmware anyone?). Miller knows his stuff, he was the first one to remotely hjack the iPhone in 2007 via the former bug in iPhone Safari -- old skool, as in jailbreakme.com old skool

All information came from Hijacking All iPhones via SMS .

[xultar]

I've seen that on Gizmodo too. Cracks me up because Apple is so concerned about Jailbreaking and unlocking.

[Ipheuria]

Good read so far. If you got the text message instead of turning off the phone what happens if you just delete the message? Also I know if the person takes over one iphone they would have all of that person's contacts but really are they going to text all of those contacts to find another Iphone? How long would it take someone using that method to get to me lets say? I'm just wondering how big of a threat this could be?

Also why do people put credit card numbers and other secure info on their iphone? or any other electronic device? If it's in digital form it can be stolen or accessed unless you encrypt the hell out of it. I just would NEVER put my credit card numbers in any digital form. I have "1 Password" on my Iphone but the only passwords I put in there are passwords to simple things that would lead to forums. I also never put both my username and my password I put only one, whichever I can never remember, since one is useless without the other.

[canadu]

Quote:

Originally Posted by Ipheuria

Good read so far. If you got the text message instead of turning off the phone what happens if you just delete the message? Also I know if the person takes over one iphone they would have all of that person's contacts but really are they going to text all of those contacts to find another Iphone? How long would it take someone using that method to get to me lets say? I'm just wondering how big of a threat this could be?

Also why do people put credit card numbers and other secure info on their iphone? or any other electronic device? If it's in digital form it can be stolen or accessed unless you encrypt the hell out of it. I just would NEVER put my credit card numbers in any digital form. I have "1 Password" on my Iphone but the only passwords I put in there are passwords to simple things that would lead to forums. I also never put both my username and my password I put only one, whichever I can never remember, since one is useless without the other.

I agree completely with your first paragraph but I gotta say that I am one of those people that push technology because I want to one day just walk out of my house only with my mobile and it serve as my i.d. and money transaction conduit like my debit card. I know we're not there yet but last summer I used my mobile in Tokyo to purchase lunch while I was there for work.
We're not there here in the US but I know Nokia is working on Nokia Money. People will put secure information on their devices and I'm one of those because I trust my device(Iphone has hardware encryption), can remote wipe data with mobileme in seconds, and even if someone would gain access, my bank will not hold me liable for fraudulent charges.
The bigger picture is that Apple needs to get its sh!t together and should have a patch before the how-to is broadcasted to the world.

[idave]

I too would like to know what would happen if you just delete the message instead of turning your phone off?
If you do turn off the phone,doe's it delete the message?When would it be safe to turn it back on?
I hope apple will fix this asap.
Dave

[Tramain]

Quote:

Originally Posted by idave

I too would like to know what would happen if you just delete the message instead of turning your phone off?
If you do turn off the phone,doe's it delete the message?When would it be safe to turn it back on?
I hope apple will fix this asap.
Dave

I read on another forums that if you turn off your iPhone it will cut off there connection.

[idave]

Quote:

Originally Posted by Tramain

I read on another forums that if you turn off your iPhone it will cut off there connection.

Thank you Tramain'
Dave

[supermanfos]

I agree with everyone here, Apple needs to patch this security issue sooner rather than later. Maybe this will speed things up for an earlier release of 3.1???

[Tramain]

Quote:

Originally Posted by supermanfos

I agree with everyone here, Apple needs to patch this security issue sooner rather than later. Maybe this will speed things up for an earlier release of 3.1???

Yea but I don't want Apple to rush 3.1 because then all the bugs will not be fixed.

[supermanfos]

I agree with you Tramain, I also don't want a crappy upgrade. It's worth the wait but Apple should not wait too long.