As promised, iPhone security expert Charlie Miller, together with colleague Collin Mulliner, demonstrated a vulnerability in SMS message handling that can ultimately be used to take over an iPhone. Miller and his collaborators identified similar flaws in the Android and Windows Mobile operating systems, though no complete exploits for those platforms were demonstrated. Separately, security researchers Zane Lackey and Luis Miras showed that the same class of problem can affect any GSM phone, though exactly how each phone reacts differs.
The problem stems from the SMS system itself. A phone has to accept whatever SMS messages the network delivers, without any action by the user, and the researchers found that carefully crafted messages can carry binary data that the phone's messaging software parses rather than displaying as text; flaws in that parsing are what an attacker exploits. Some phones show a scrambled message (the iPhone, for instance, displays a text containing just a square), while others show nothing at all. Lackey and Miras showed an example on a Sony Ericsson phone that simply displayed the message "New settings received. Install?" A user could easily assume such a prompt came from a legitimate source.
Miller wrote a "non-malicious" exploit for the SMS bug on the iPhone that demonstrated he could take over the device, though he stopped short of actually doing so. "What I actually demoed showed that I could get to the point I could do anything I wanted," he told Ars over the phone. "I didn't want to show actual malicious code, but if I wanted to, I could steal contact info or passwords, dial the phone, send other SMS messages, anything."
Google has already patched the vulnerability that Miller identified in Android, and Apple has been working on a patch for the iPhone OS. An O2 spokesperson told BBC News that a patch would be available via iTunes on Saturday, though Apple has not confirmed that information. Miller told Ars that Apple has asked him to help test a patch, though that test hasn't yet happened. Miller did confirm that the problem affects iPhone OS up to 3.0, and he suspects it also affects the current 3.1 betas. Other phone operating systems would also need to be patched to fix the problem.
"AT&T is going to be involved [in the test with Apple], and they are going to monitor and see if they can filter these messages or do anything on their end," Miller said. Lackey and Miras have said that they are working with all major carriers to fix the problems they identified as well. Miller told Ars it would be relatively trivial for AT&T or other carriers to simply filter out "bad" SMS messages that he has identified, which would stop the problem before it ever got to a user's phone.
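To make concrete both the mechanism described earlier (an SMS that the handset treats as binary data rather than text, or that carries a settings-style payload) and the carrier-side filtering Miller mentions, here is an added example, written for this page and not code from Miller, Mulliner, Lackey or Miras. It decodes a GSM 03.40 SMS-DELIVER PDU the way a modem hands it to the phone, shows how the data coding scheme and user-data header decide between 7-bit text, binary payload and application-port addressing, and applies coarse triage heuristics of the kind a gateway could log or block on. The three PDUs are constructed for the example; the heuristics describe message shape only, since the article does not disclose what the researchers' crafted messages contain, and nothing here reproduces their bug.

```python
"""Decode an SMS-DELIVER PDU (GSM 03.40) and apply simple triage heuristics.

Added illustration; the sample PDUs below are constructed for this example
and are not the researchers' test messages.
"""
import math

# GSM 03.38 default 7-bit alphabet, basic table only (no extension table).
GSM7 = ("@£$¥èéùìòÇ" "\nØø\rÅå" "Δ_ΦΓΛΩΠΨΣΘΞ" "\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./" "0123456789" ":;<=>?" "¡"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "ÄÖÑÜ§¿"
        "abcdefghijklmnopqrstuvwxyz" "äöñüà")

# Constructed sample PDUs (no SMSC, sender +12345678901, timestamp 2009-07-31 12:00).
PDU_TEXT = ("00" "04" "0B91" "2143658709F1" "00" "00" "90701321000000"
            "05" "C8329BFD06")                       # 7-bit text "Hello"
PDU_WAP = ("00" "44" "0B91" "2143658709F1" "00" "F5" "90701321000000"
           "0B" "0605040B8423F0" "01020304")         # 8-bit data, UDH port 2948 (WAP push)
PDU_CONCAT = ("00" "44" "0B91" "2143658709F1" "00" "00" "90701321000000"
              "09" "0500032A0203" "9069")            # 7-bit "Hi", UDH says part 3 of 2


def _semi_octets(raw, ndigits):
    """Nibble-swapped BCD address digits; a trailing 0xF pad falls outside the slice."""
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:ndigits])


def _septets(ud, bit_offset, count):
    """Read `count` 7-bit values from the LSB-first packed bitstream in `ud`."""
    def bit(k):
        return (ud[k >> 3] >> (k & 7)) & 1
    return [sum(bit(bit_offset + 7 * i + j) << j for j in range(7)) for i in range(count)]


def _alphabet(dcs):
    """Map the TP-DCS octet to the character set the phone will assume."""
    group = dcs >> 4
    if group <= 0x3:                                  # general data coding group
        return ("7bit", "8bit", "ucs2", "7bit")[(dcs >> 2) & 0x3]
    if group == 0xF:                                  # data coding / message class group
        return "8bit" if dcs & 0x04 else "7bit"
    if group == 0xE:                                  # message waiting, UCS2
        return "ucs2"
    return "7bit"                                     # reserved and other waiting groups


def parse_deliver(hexpdu):
    """Parse an SMS-DELIVER PDU into sender, coding, header elements and body."""
    p = bytes.fromhex(hexpdu)
    pos = 1 + p[0]                                    # skip SMSC address block
    first = p[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                         # user-data header present?
    oa_digits, toa = p[pos], p[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _semi_octets(p[pos:pos + oa_len], oa_digits); pos += oa_len
    if toa & 0x70 == 0x10:                            # international number
        sender = "+" + sender
    pid, dcs = p[pos], p[pos + 1]; pos += 2
    pos += 7                                          # TP-SCTS timestamp, not needed here
    udl = p[pos]; pos += 1
    ud = p[pos:]
    ies, hdr_octets = {}, 0
    if udhi:                                          # walk the information elements
        hdr_octets = ud[0] + 1
        i = 1
        while i < hdr_octets:
            iei, iedl = ud[i], ud[i + 1]
            ies[iei] = ud[i + 2:i + 2 + iedl]
            i += 2 + iedl
    alphabet = _alphabet(dcs)
    msg = {"sender": sender, "pid": pid, "dcs": dcs, "alphabet": alphabet,
           "udhi": udhi, "ies": ies}
    if alphabet == "7bit":                            # text resumes on a septet boundary after the UDH
        fill = (7 - (hdr_octets * 8) % 7) % 7
        hdr_septets = math.ceil(hdr_octets * 8 / 7)
        vals = _septets(ud, hdr_octets * 8 + fill, udl - hdr_septets)
        msg["text"] = "".join(GSM7[v] for v in vals)
    elif alphabet == "ucs2":
        msg["text"] = ud[hdr_octets:udl].decode("utf-16-be")
    else:
        msg["payload"] = bytes(ud[hdr_octets:udl])    # binary: never shown as text
    return msg


def triage(msg):
    """Shape-based reasons a gateway might log or block on. Illustrative only."""
    reasons, ies = [], msg["ies"]
    if msg["alphabet"] == "8bit":
        reasons.append("binary (8-bit) user data")
    if 0x04 in ies and len(ies[0x04]) == 2:           # 8-bit application port addressing
        reasons.append("application port %d" % ies[0x04][0])
    if 0x05 in ies and len(ies[0x05]) == 4:           # 16-bit application port addressing
        reasons.append("application port %d" % int.from_bytes(ies[0x05][:2], "big"))
    for iei in (0x00, 0x08):                          # concatenation, 8- or 16-bit reference
        if iei in ies:
            total, seq = ies[iei][-2], ies[iei][-1]
            if total == 0 or seq == 0 or seq > total:
                reasons.append("inconsistent concatenation header (part %d of %d)" % (seq, total))
    return reasons


if __name__ == "__main__":
    for pdu in (PDU_TEXT, PDU_WAP, PDU_CONCAT):
        m = parse_deliver(pdu)
        print(m.get("text") or m.get("payload"), triage(m))
```

The first PDU decodes to plain text and raises no flags; the second is what an over-the-air provisioning message looks like on the wire (binary body, addressed to the WAP push port), which is the sort of thing that produces a "New settings received" prompt rather than a readable text; the third carries a concatenation header whose part number exceeds the part count, the kind of internal inconsistency a filter can reject before the handset's own parser ever sees it.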
Miller said that users shouldn't be worried yet, that is, unless Apple and other vendors are slow to release patches. "Probably nothing is going to happen for at least a week," Miller said. "What I gave out at Black Hat wasn't enough to actually just turn around and write malware. It took me about two and a half weeks to write all the code for my exploit, so it would take some time to be able to duplicate that."