UPDATE: Gizmodo received a statement from Apple regarding the 3.0.1 software update:

We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.

ORIGINAL: Apple just went ahead and dropped the iPhone OS 3.0.1 software update for all users to grab directly from iTunes. Still no mention on Apple’s site of what exactly this update includes besides the patching of the recently discovered SMS vulnerability – just don’t expect much of anything else except for the possibility of some potential bug fixes.

Updated yet? Notice anything new? Not going to update? Let us know in the comments below!

As with any update from Apple, if you are currently running the 3.0 software jailbroken, do not update if you wish to keep your device in it’s current state. Updating will break your jailbreak.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

UPDATED: iPhone OS 3.0.1 Now Available Via iTunes

Technologizer is reporting on the developing story on SMS attacks coming out of today’s Black Hat Conference sessions. Seems like while the iPhone is grabbing a lot of attention, almost all GSM phones are said to be vulnerable. Basically, they get around the anti-spoofing security and send data designed to get access and take control of the phone.

On the iPhone specific side, however:

In a final coup for the conference, Lackey and Miras demonstrated an iPhone app they call TAFT which can, at the click of a few buttons, transmit various types of attacks against specific, vulnerable phone models, including iPhones, and phones running the Windows Mobile 5 and pre-”cupcake” Android operating systems.

Vendors, including Apple are working on patching the exploit, though there is still no word which specific models or firmware versions are vulnerable.

More as the story continues to develop.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Black Hat: SMS Attacks Not Just for iPhones

UPDATE: Some folks are telling is that this is an iPhone 2.2.1 exploit already patched in 3.0. We’ll wait for an update from Black Hat before we exhale, however…

Almost a month ago we linked to an Engadget report on Charlie Miller and his SMS exploit for the iPhone. Well, today is the day he intends to show it off at the Black Hat conference.

Thanks to some last minute media attention, however, the general iPhone user base seems to be getting a tad nervous. And rightly so. We’ve said it before and we’ll say it again, in an ideal world, NSA expert come iHacker Charlie, who’s claim to current fame is using Mac exploits to win Pwn2own contests and free laptops, would work with companies like Apple and Microsoft (yes, it looks like Windows Mobile has an exploit as well), and those companies would patch the exploits as immediately as possible, before any “research” was publicly disclosed and any bad guys decided to use them as attack vectors.

TiPb will update post-Miller’s Black Hack disclosure, and hopefully Apple will roll the security fix into a quick 3.0.2 firmware release, or hurry 3.1 out of the gate.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Charlie Miller to Demonstrate iPhone SMS Hack at Black Hat Conference Today

In an ideal world, Mac and iPhone hacker Charlie Miller would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited “in the wild”.

Miller, however, prefers to keep them to himself so he can win MacBooks and detail them at Black Hat conferences. The good of the hacker obviously outweighs the good of the users, every one. So be it.

Miller’s latest iPhone-related find was disclosed at SyScan in Signapore:

a hole that would let attackers “run software code on the phone that is sent by SMS over a mobile operator’s network in order to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”

Apple, for their part, is hoping to have this patched before Miller’s upcoming Black Hat gig.

We hope so too.

[via Engadget. Thanks Travis for the tip!]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

iHacker Charlie Discloses iPhone SMS Security Vulnerability

Michael on Facebook sent us link to this announcement on innerfence, which says Google is shutting down the Infinite SMS App.

According to the developers:

Google has claimed no grievance with Infinite SMS other than its success. Their given reason for the block isn’t abuse or wrongdoing; it’s that we brought too many users (and thus too much cost) to an experimental service.

Google’s official statement reads:

Infinite SMS is a third party app that has been using Google technology to provide free SMS for users, while we were paying for the cost of the text messages. While Google is supportive of third party apps, we’ve decided we can’t support this particular usage of our system at this time. SMS chat is still just an experiment in the early testing stages in Gmail Labs. We’re blocking all external XMPP clients from sending SMS; we’re not singling out Inner Fence.

SMS, of course, uses the carrier channel to inexpensively send short 160 byte text messages which the Telco’s then exorbitantly price gouge users $0.20 per message (do the math, thats thousands for megs) or offer bundled in large or unlimited numbers. They’ve even priced them so high for businesses that companies like Twitter — and apparently more so Google — can’t or don’t want to pay for them, especially for international users.

Are you an Infinite SMS user? If so, what are your thoughts on Innerfence, Google, experimental services, and SMS charges?

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Google Nuking Infinite SMS App for iPhone

Now this is not something new here, but AT&T and American Idol are at it again. The past few days AT&T has been sending out text messages advertising one of Fox’s TV shows. How do I know? I got one of them… Of course this message does not cost the recipient anything and they could easily opt out by responding to the spam with a simple “stop”. Even so, it still has the ability to be bothersome to AT&T customers.

Like I mentioned above this is not something new, I remember getting a similar text message last year when American Idol started. It would become a nuisance if it started to get out of control but a single text, I can live with that. Now imagine this — all TV shows start advertising this way, then add movies, random products, etc… Sounds like this has the possibility to become very annoying sometime in the future.

If what I just mentioned turned out to be the case, would you be able to opt out all together? Would you have to opt out on individual advertisements as they are received? We want to know what is your, our readers, take on all of this?

Sound off in the comments!

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

American Idol Spam Text Messages on AT&T

In case you haven’t read it already, our editor-in-chief, Dieter Bohn, has an outstanding article up at sibling-site WMExperts highlighting his top 5 reasons Twitter is better than SMS (and vice versa).

There’s a lot of intertube fuss about SMS lately, as a recent New York Times article once again shone the spotlight on the disgustingly dirty price gouging (and potential fixing) that goes on when it comes to SMS rates in North America. Basically, SMS (at 160 bytes/characters) is ridiculously cheap for the carriers to transmit, no matter what the scale, and yet the prices have doubled from $0.10 to $0.20 on many networks over the last few years. Voice, by contrast, involves much more data and is much more “expensive” in terms of infrastructure costs. North Americans will pay ludicrous sums of money for “cheap” SMS but not for “expensive” voice, so the carriers take advantage.

Dieter points out that the cost, community, compatibility, control, and context of Twitter give it a clear advantage of SMS, even as the discoverability, dilution of quality, dropping 20 characters, downtime, and potential delays in notification (outside the US) make it still far from perfect.

Flaws and all, Dieter is moving towards Twitter (@backlon) and away from SMS. Am I going to do the same? I already have (@reneritchie) and without really considering it. But here’s the thing — I have considered that not only should I not have to consider it, I don’t think any iPhone user should. (Or any @theiphoneblog follower either!)

I mentioned in my return to the iPhone 3G Round Robin final review that one of the things I’d like to see for the iPhone is a Mobile iChat app, but really taken to the next level. BlackBerry PIN messenger is what puts the “crack” in CrackBerry.com and an always on, multi-tasking Mobile iChat client would go a long way to putting some in the iPhone as well. Beyond that, however, Apple is famous for being the one company that really understands something truly significant for consumer end users:

The interface is the application.

There’s already an SMS client on the iPhone, and guess what? It already kind of looks like iChat. If Apple stuck a Mobile iChat client on as well, it could look functionally identical. So why, then, would Apple need to add that client? Some Twitter clients looks functionally very similar to iChat already as well. Why, then, would we need separate Twitter clients?

From a user-perspective, abstracting an application away from the pipes that feed it is a huge win. Take Mobile Mail for example, you can setup a Gmail, Exchange, MobileMe, or other email account, yet the app itself looks and functions the same regardless. Add one account, take another away, and the user experience doesn’t change. This means that, behind the scenes, you can pretty much muck around with the pipes, improve them, swap an old one out for a new one, drop a troublesome one for a reliable one, all with very low impact on the front end — maybe even no impact at all. It’s transparent to the end user.

Now imagine there was a presence client on the iPhone — I’ll stick with calling it Mobile iChat to keep it simple. You set up your SMS account, your Twitter, your AIM, MobileMe, Jabber, Google Chat… whatever and then you have one consistent UI that elegantly handles and presents your conversations to you. If one pipe disappears, like Pownce, you just delete that account or foward to another. If a new pipe shows up, like BlackBerry announces PIN-like messenger for the iPhone (breathe Kevin, breathe!) you just add it in.

There are, of course, a bunch of reasons why this isn’t likely to happen, and lots of people who prefer to keep their cookies all in separate jars anyway. My personal belief remains, however, that this is the future, and the iPhone is the device that’s going to bring us the closest and the fastest to that future.

Of course, there will always be a place for “better” dedicated client apps that provide unique, rich features focused on a single protocol, but who knows, with push email, maybe all inter-personal text communications could eventually fold into a single unified, consistent, experience. It would, at the very least, be nice to have as a hyper-productivity meets connectivity option. wouldn’t it?

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

On Twitter and SMS and Why it Shouldn’t Matter to iPhone Users

Reader Karl writes in to let us know his twelve year old son discovered a glitch in SMS security:

Being security conscious he turned on the passcode lock and disabled SMS Preview. [...] If a message is received during the passcode entry or while the screen is locked, a generic message of “New Text Message” appears, to prevent viewing of messages without unlocking the phone. [...] If however the phone is placed in emergency call mode, any incoming SMS messages are previewed instead of presented as the generic messages.

Next comes two issues concerning the implementation choices Apple made in the iPhone Mobile Mail client. According to Ars Technica, as disclosed by Aviv Raff, the first involves the way Mail truncates URLs for display on the iPhone. If a malicious URL is properly crafted by an attacker, the truncation can cause a fake URL to be non-obvious to the users, and thus more likely to result in phishing.

The second results from the lack of an option to display images in the full HTML Mobile Mail client. Since images are automatically displayed, spammers can gain confirmation that the email account that received it is active and ripe for spam attack.

As always, malicious attacks evolve and propagate at an alarming rate, and while we hope Apple fixes these immediately if not sooner, the onus is ultimately and always on we end users to pay attention and do everything we can to avoid them.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

iPhone 2.1 Bug Watch: SMS Security and Mail Phishing/Spamming

When I picked up my shiny black iPhone 3G last Friday, I knew I was going to have to pay the inevitable rate increase for data (another $10 smackers a month).  I also knew I would (hissing a curse under my breath) lose my built-in 200 text messages per month.  AT&T’s SMS packages offer a laughable range of offerings:  $5 a month for 200 messages, then an Olympian leap to $15 for 1500 messages and $20 for unlimited.  What, no room for $10 a month for, say, 750 or 1000 messages?  But I digress.

The basic idea goes thusly: AIM (and thus your AIM app on your iPhone) is able to send free text messages by sending them to +13522225555 (or whatever the phone number is).  There’s a bit more to it, of course, so be sure to click on through and read Carlson’s walkthrough.

(Post updated since publication by request)

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Tip o’ the Week: Free SMS from your iPhone

We already told you that 1.1.3 hasn’t been all it’s cracked up to be, but one of the issues with the ROM slipped by us. Namely: some people have been experiencing SMS messages getting listed out of order. Threaded text is the best thing since, well, SMS, but it doesn’t do much good if your texts are all out of order.

The problem arises when you don’t have your iPhone’s clock set to update automatically from the network time and your iPhone thinks it’s one time, the carrier another. So presumably the SMS app lists incoming texts by their carrier-based timestamp and yours by the internal timestamp — a mismatch means out of order texts.

The fix – turn on automatic updating and deal with whatever hassles that might bring you if you travel between time zones a lot.

(via Engadget Mobile)

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Quick Fix for SMS Order Problem