Researchers have discovered a way to take complete control of an iPhone merely by sending special text messages. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated the attack on an iPhone belonging to our trusty US colleagues at CNET News, the sister site of CNET UK.
Although an attacker could exploit the flaw to make calls, steal data, send text messages and do basically anything that you can do with your iPhone, the researchers were kind and merely rendered our sample temporarily inoperable.
Here's what happened. While we were talking on the phone to Charlie Miller, senior security researcher at Independent Security Evaluators, his partner, Collin Mulliner, sent us a text message from his phone. One minute we were talking to Miller and the next minute our phone was dead. After a few seconds it came back to life, but we weren't able to make or receive calls until we rebooted.
The attack is enabled by a serious memory-corruption bug in the way the iPhone handles text messages, said Miller. There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said.
It's similar to a text-message attack that CNET News wrote about in April. Mobile security firm Trust Digital was able to send a text to a phone that opened up a Web browser and directed the phone to a malicious Web site where malware could be downloaded.
Android-based phones are similarly susceptible to the more recent text attack, except that an attacker could temporarily knock the phone off the network but not take control, according to Mulliner, who's getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.
A bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the text messages, leaving no buttons to push so that the phone can't be used, said Miller.
For the attack to work, an attacker must send hundreds of SMS control messages, which are different from standard text messages, according to Miller. Only the initial text may be seen, he said.
The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.
Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker has the victim's phone number, Miller said.
Once inside a victim's phone, the attacker could then send a text to anyone in the victim's address book and spread the attack from phone to phone, he said.
Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007. Earlier this year, he won a contest at CanSecWest by exploiting a hole in Safari.