Critical iPhone SMS Vulnerability Revealed

By  |  Thursday, July 2, 2009 at 8:00 pm

Yesterday, security researcher Charlie Miller gave Apple a good pantsing at the SyScan conference in Singapore. Miller, who is the author of “The Mac Hacker’s Handbook,” revealed that the iPhone allows remote code installation and execution through SMS, a security hole that Apple is working to patch up.

That means that a hacker could potentially turn the iPhone into a remote tracking device by exploiting its microphone and GPS capability, or do whatever else he or she pleases.

Software that runs devices like the iPhone is complex, and there is always going to be a Charlie Miller who can uncover defects. However, Apple has been sharply criticized for lacking a company wide, holistic approach to secure software development. Vulnerabilities will continue to slip by its engineers, placing iPhone user’s personal information and privacy at risk.

The iPhone 3.0 update contained 46 security patches, but it did not address against the SMS vulnerability that Miller discovered–that fix is on its way (likely to be wrapped into the iPhone 3.1 update).

I expect that this SMS vulnerability is just the tip of the iceberg, and we will continue to see more like it until Apple upgrades its security practices.

 
10 Comments


Read more: , , ,

8 Comments For This Post

  1. sfmitch Says:
    July 2nd, 2009 at 8:38 pm

    The tone of this article is very misleading.

    The ‘Pantsing’ that Charlie Miller gave Apple was to discover a security flaw in the iPhone, report it to Apple with an agreement not to discuss the specifics of the vulnerability for a month. That sure doesn’t seem like a big deal, let alone a ‘Pantsing’.

    The link you gave for Apple being ‘Sharply criticized’ is an article that doesn’t criticize Apple at all but rather, “… humbly present a few suggestions on how Apple can become a leader in consumer computing security over the long haul.”

    Sorry, but the author (David Worthington) loses serious credibility by sensationalizing in this way.

  2. David Worthington Says:
    July 2nd, 2009 at 9:35 pm

    @sfmitch ask apple what its security development lifecycle is and get back to me. hint: you won’t get an answer.

  3. sfmitch Says:
    July 3rd, 2009 at 7:11 am

    @David Worthington

    Me: Your post was misleading.

    You: I know it was but I’m on a crusade.

    I checked out your blog on that SD site and you are a Microsoft LOVER. You seem to write about any detail, no matter how small, as long as it is Microsoft related. I didn’t really think that was what Technologizer.com was going for. I really thought Harry wanted unbiased (or reasonably close) content. Live and learn.

  4. David Worthington Says:
    July 3rd, 2009 at 1:48 pm

    Microsoft deserves credit for its SDL work. The entire industry acknowledges that. Apple is one of many companies that falls short on security. Note that I have quoted some of the most respected security experts in the industry in my “biased” articles.

    Am I a Microsoft lover? Maybe you should look at what I’ve written at SD Times before you rush to judgment. I’ve also been critical of Microsoft on this site.

    Not everyone is a fanboy (sorry, but it’s the truth). I own two Apple computers, and am iPhone. My old PC still runs Windows XP. I like all of those machines, but actually prefer my Macs!

  5. David Worthington Says:
    July 3rd, 2009 at 1:52 pm

    PS: Look beyond your nose.

    http://www.sdtimes.com/content/article.aspx?ArticleID=32690
    http://www.sdtimes.com/link/32627
    http://www.sdtimes.com/content/article.aspx?ArticleID=33574
    http://www.sdtimes.com/link/33224
    https://www.technologizer.com/2009/02/12/microsoft-to-open-retail-stores-really/

  6. Paul Puri Says:
    July 3rd, 2009 at 6:03 pm

    Aaah snaap Mitch. You got served! Technologizer style.
    ;>)

  7. sfmitch Says:
    July 4th, 2009 at 9:27 am

    My point (which you still haven’t addressed) is that you link to several articles to support as evidence and the underlying articles don’t support you.

    This blog post is needlessly sensationalistic and misleading.

    Are those SD Times articles supposed to show how you have dropped the hammer on Microsoft, too. If so, once again, you’re liked articles don’t support your argument.

  8. ZenMaster Says:
    July 9th, 2009 at 9:14 am

    The important is:
    “Critical iPhone SMS Vulnerability Revealed”

    Me and others, we dont care about sfmitch vs David Worthington secondary chok talk, to be honest.

    K.I.S.S.

2 Trackbacks For This Post

  1. Apple Patches iPhone SMS Security Flaw | Think Plus Says:
    August 1st, 2009 at 6:35 am

    […] attack using an iPhone with OS 2.2.1, but the vulnerability was not patched with the 3.0 update. Technologizer backs up the the pair’s claim, pointing out that the hole was not among the 46 security flaws […]

  2. Mac Security Improves with Snow Leopard  | Technologizer Says:
    August 29th, 2009 at 10:25 am

    […] have made no bones about my opinion that Apple has done a lackluster job at security, but it deserves credit for moving in the right […]