Black Hat: SMS Attacks Not Just for iPhones
Technologizer is reporting on the developing story on SMS attacks coming out of today’s Black Hat Conference sessions. While the iPhone is grabbing a lot of attention, almost all GSM phones are said to be vulnerable. In short, the attacks get around the anti-spoofing protections and send data crafted to gain access to the phone and take control of it.
On the iPhone specific side, however:
In a final coup for the conference, Lackey and Miras demonstrated an iPhone app they call TAFT which can, at the click of a few buttons, transmit various types of attacks against specific, vulnerable phone models, including iPhones, and phones running the Windows Mobile 5 and pre-“cupcake” Android operating systems.
Vendors, including Apple, are working on patching the vulnerability, though there is still no word on which specific models or firmware versions are affected.
More as the story continues to develop.
July 30th, 2009 at 4:43 pm
Other coverage indicates that it’s ALL versions of the iPhone firmware that are at risk.
Further, the damage that can be done to the phone and the damage that can be done with a compromised phone seem to be much more serious for the iPhone.
http://news.zdnet.com/2100-9595_22-326501.html
This security flaw is common to some degree in all GSM phones as Rene points out.
It was a late addition to the GSM standard to allow Over The Air (OTA) updates that carriers can send to your phone to fix some minor problems in network settings, etc.
However, smart phones open this hole wide, because the phone OSs will allow execution of un-authenticated code, because they allow sending replacements for key files or (in the case of the iPhone) replacement executables.
This is a pretty egregious security flaw on Apple’s part; they should have built better authentication into this process, especially if they are going to allow re-writing portions of the OS.
If the carriers block this mechanism entirely, OTA updates are no longer available.
This was a roadside bomb waiting to go off. It just so happens that when the target is a smart phone with weak security, the damage can be much greater.
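The gap this comment describes, a provisioning message that the phone applies without authenticating where it came from, can be shown beside the fix the commenter asks for. The Python below is an added illustration and is not code from the page, from the GSM or OMA specifications, or from any vendor; the message layout (a JSON body plus an optional HMAC tag), the settings keys and the device key are constructed assumptions standing in for whatever a real handset uses.

```python
import hashlib
import hmac
import json

# Constructed device-side secret. The assumption is that the carrier provisions
# it at activation, so an arbitrary SMS sender does not know it.
DEVICE_PROVISIONING_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(body: bytes) -> str:
    """HMAC-SHA256 over the raw message body, hex encoded."""
    return hmac.new(DEVICE_PROVISIONING_KEY, body, hashlib.sha256).hexdigest()


def make_message(body: dict, signed: bool) -> dict:
    """Build a constructed provisioning message; signed=False mimics a rogue sender."""
    raw = json.dumps(body, sort_keys=True)
    msg = {"body": raw}
    if signed:
        msg["tag"] = _tag(raw.encode())
    return msg


def apply_unauthenticated(message: dict, settings: dict) -> dict:
    """Weak design: apply whatever the message says, regardless of origin."""
    settings.update(json.loads(message["body"]))
    return settings


def apply_authenticated(message: dict, settings: dict) -> dict:
    """Hardened design: apply the body only if its tag verifies under the device key.

    compare_digest avoids a timing side channel on the tag comparison, and a
    missing tag is treated exactly like a wrong one.
    """
    body = message["body"].encode()
    expected = _tag(body)
    presented = message.get("tag", "")
    if not hmac.compare_digest(presented, expected):
        raise ValueError("rejected provisioning message: missing or invalid tag")
    settings.update(json.loads(body))
    return settings


def demo() -> dict:
    """Run the three cases a handset sees and report which handler accepted which."""
    legit = make_message({"apn": "internet.example"}, signed=True)
    rogue = make_message({"apn": "rogue.example"}, signed=False)
    tampered = dict(legit)
    tampered["body"] = json.dumps({"apn": "rogue.example"}, sort_keys=True)

    results = {}
    for name, msg in (("legit", legit), ("rogue", rogue), ("tampered", tampered)):
        weak = apply_unauthenticated(msg, {})
        try:
            strong = apply_authenticated(msg, {})
        except ValueError:
            strong = None
        results[name] = {"weak": weak, "strong": strong}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} weak={outcome['weak']} strong={outcome['strong']}")
```

The weak handler accepts all three messages, including the unsigned one and the one whose body was altered after signing; the hardened handler accepts only the message whose tag verifies. Blocking the mechanism at the carrier, as the comment notes, removes the hole and the feature together; authenticating the message keeps the feature.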
July 30th, 2009 at 4:44 pm
Until the patch is released, this is a great reason to jailbreak and change the root password.
July 30th, 2009 at 4:57 pm
I asked this in the other comments section, but this one still has its new car smell.
There are ALL sorts of security demonstrations happening at Black Hat. They keep talking about the ‘demonstrations’.
Excuse my naiveté, but I am unclear: Do they just demonstrate that the exploit exists? They don’t actually divulge how to code for it or how to use it, no?
The reactionary response is that it is all over tonight.
July 30th, 2009 at 5:09 pm
Dryland: That won’t help according to several reports.
July 30th, 2009 at 5:16 pm
@Sheik:
They do not generally make all details known. http://www.informationweek.com/blog/main/archives/2009/07/blackhat_bombsh.html;jsessionid=TYYVZJFYWS3VYQSNDLPCKH0CJUNN2JVN
They did advise Apple of this exploit 6 weeks ago, including telling them how to protect against it, but Apple did nothing. They also told Apple that they were going to demo this, but Apple did nothing.
The carriers have some significant responsibility here too; it’s not ALL Apple’s fault.
So far, this has not reached the New York Times, so Steve Jobs may not even be paying attention yet.
July 30th, 2009 at 5:17 pm
So basically this is the downside to the jailbreaking community. While still possible, it would have been far less likely – faaaaaar less likely – had the jailbreak community not existed, and plastered root passwords all over the Internet.
Thanks guys!
July 30th, 2009 at 5:28 pm
@frog
Umm…no, this has nothing whatsoever to do with jailbreaking. This has to do with a flaw in over the air provisioning of GSM phones.
July 30th, 2009 at 5:36 pm
frog you are an ignorant tard who doesn’t know what he is talking about…
July 30th, 2009 at 5:43 pm
Yeah I don’t know who said this had anything to do with jailbreaking or the jailbreaking community. It absolutely has nothing to do with it or ssh. Which is the root password thing. It has nothing to do with either. Nothing at all. What it has to do with is the smartphone community and the fact that apple and other smartphone makers were notified of this vulnerability and have done nothing about this. Leaving everyone vulnerable, not just jailbreakers and not just people with ssh enabled… EVERYONE. Apple, Microsoft and google should have fixed this by now in fact it never should have been an issue. If this is because of an issue with the openness over the air ota updating then why was this included in the iPhone? Apple has never updated anything ota so why not just eliminate the ability and in turn eliminate the problem. Why would we need to update ota if apple never uses it we can’t either. Just a thought of a way to eliminate the problem with my limited knowledge of the subject.
July 30th, 2009 at 5:45 pm
@icebike, I seriously doubt Apple has done ‘nothing’, just because they haven’t said anything is not the same as them doing nothing.
July 30th, 2009 at 5:48 pm
@Ice: Exactly what I thought. Although in the Ars article from July 3rd (“Apple patching critical SMS vulnerability…”) they seem to have revealed to Charlie that [that Apple is working on a patch].
Apple is indeed the fouling player here, but I don’t think that they are sitting on their hands so much as just not turning around the fix fast enough. They DEFINITELY need to step up their security priorities AND be a little more transparent. In the meantime, alarmist headlines will continue to gain traction. It is Apple’s fumble.
July 30th, 2009 at 5:51 pm
@caballera have you received a firmware update? No… So they have done nothing. If they had done something they probably would have let everyone know they were not vulnerable so everyone wouldn’t be freaking out while at the same time letting the public know that winmo and android had not fixed it yet. Has anyone heard anything about the pre being vulnerable?
July 30th, 2009 at 5:55 pm
You would think given six weeks to fix this they could have updated already. Maybe it is a little tougher than I am thinking. They are assuredly working on it. I just meant that they have not released any fix yet or statement or anything.
July 30th, 2009 at 5:56 pm
@Mattshall I am pretty sure that the Pre will resist the GSM-specific hijacking, but might also be prone to the SMS issue to some degree. I also haven’t heard about the vulnerability of RIM devices–maybe the RIM network isolates users?
July 30th, 2009 at 6:05 pm
The Cnet article above says that Google fixed the problem within a couple of days of being notified.
July 30th, 2009 at 6:05 pm
@Matshall:
My understanding is that Android has fixed it.
July 30th, 2009 at 6:15 pm
So it is because of allowing OTA updates for GSM phones? I don’t recall any of my phones ever getting any kind of update before the iPhone.
July 30th, 2009 at 6:18 pm
Yes, the quote above indicates pre-Cupcake versions of Android are affected, which means versions 1.0 and 1.1. “Cupcake,” version 1.5, came out in late May. Whether Google fixed it after talking to Miller et al, or whether they found and fixed the hole on their own during 1.5 development, I do not know.
Google maintained in an article yesterday for Information Week that the issue had been patched. Apple did not respond to a request for comment, and it did not appear Information Week attempted to contact either MS or RIM.
July 30th, 2009 at 6:36 pm
@icebike, It’s hit MSNBC, Reuters, and the AP wire. Gotta get around soon.
July 30th, 2009 at 7:03 pm
nice try apple
July 30th, 2009 at 7:11 pm
Well they’re probably waiting until 3.1 to come out to release the patch…
July 30th, 2009 at 7:44 pm
haha stupid iphone… hmmm wonder why the pre doesn’t have this problem… oh yeah now i remember ’cause it’s not some iCrap
July 30th, 2009 at 8:43 pm
That cnet article
http://news.cnet.com/8301-27080_3-10299378-245.html?tag=mncol;txt
also confirms that the attack works against unjailbroken iphones running 3.0. (As others noted, the article indicates Google patched Android a day or two after being notified.)
July 31st, 2009 at 1:01 am
Details: http://www.blackhat.com/presentations/bh-europe-09/Gassira_Piccirillo/BlackHat-Europe-2009-Gassira-Piccirillo-Hijacking-Mobile-Data-Connections-whitepaper.pdf
July 31st, 2009 at 1:24 am
Good summarization on the Register http://www.theregister.co.uk/2009/07/31/smartphonehijacking/
http://tinyurl.com/myxp4y
July 31st, 2009 at 9:00 am
I’m surprised none of the phone makers/carriers saw this coming. This stupid hole allows root access without authentication. I think this is careless on everyone’s part.
Apple will most likely release 3.1 as a fix for this. However, 3.0.1 would suffice and calm some nerves. Now that it’s out, and being widely covered, Apple will need to save face.
July 31st, 2009 at 9:42 am
Day 2 and my iPhone still has not been hacked *rolls eyes*.
July 31st, 2009 at 11:50 am
Apparently, O2 are releasing a fix… I guess just by updating their carrier bundle: http://news.bbc.co.uk/1/hi/technology/8177755.stm
July 31st, 2009 at 11:50 am
Edit: No they’re not, Apple are! So I guess 3.0.1
July 31st, 2009 at 1:42 pm
Yes, plug phone into iTunes and you will be notified about 3.0.1. Jailbreakers may want to hold off as usual.
This story must have finally hit the New York Times.
August 9th, 2009 at 5:13 pm
Lol get a blackberry lmao. Get a real phone lolol. This just doesn’t happen to berries. Hehe