Exclusive Interview: Hacking The iPhone Through SMS

Features
By Alan Dang
published

Explaining The Vulnerability, Continued

Alan: What about push notifications and visual voicemail? Don’t those rely on SMS?

Charlie: Not sure about the push notifications, although that would make sense. It does use SMS to alert when new voice mail arrives, as well as indicating where the phone can pick up the actual sound files. It also uses SMS as notification of MMS messages.

Alan: So potentially, the push notifications or new voicemail arrival have “magic strings?" Couldn’t a malicious hacker direct the iPhone to pick up a forged voice mail with sound files from somewhere else?

Charlie: It is not that they have magic strings, but rather that SMS is more than text messages. It can be used to transfer data as well. Some carriers use it to send ringtones and OTA updates, for example. There is a byte in the header in the data that tells the device what kind of data it is, and the device knows how to handle different kinds of data. The concatenated messages I spoke of earlier have this “identifier” byte set to 00. Normal text messages don’t even have this data header. Another type of data indicates the number of voice mails that are waiting. Finally, a different type of data (one destined for a particular SMS “port”) tells the phone where to get the sound file. This also explains why I can send 500 messages and you don’t know about it. They are all “data” SMS messages and so your phone doesn’t display them to you since they are not simple text messages.

Many people wanted to know how to disable SMS when this bug came out. In most cases, you cannot disable them because SMS is a core feature of the phone, and the carriers rely on it for much of the functionality you depend on.

For testing, I tried to have the iPhone pick up a sound file from my Web server, but apparently the AT&T infrastructure will only allow it to pick up this file from their servers.

Alan: In your opinion, had Apple audited the code for security, should they have caught the bug?

Charlie: Umm...bugs are hard to find, which is why people pay me to look for them. This bug wasn't obvious by any means, and it was the only one I found while performing a moderate fuzzing effort, so I guess I can't fault them too much.

Alan: Seems like there are themes to security though. Programmers get trained to think about the boundary cases when debugging or malformed user input, but I think a lesson learned here is that the interaction between different modules is important to consider. What’s been the reception to your “No Free Bugs” campaign?

Charlie: Mostly silence. Some people have written with support, but mostly no one talks about it. It’s probably mostly my fault because I'm terrible at organizing things, and I am very busy with work and research, so haven't put any time in it. I still think if vendors paid, more people would look for bugs. This SMS stuff is a good example. Between us, Collin and I found one bug in iPhone, Android, and Windows Mobile. Then we stopped testing. We had enough for our talk, what motivation did we have to keep looking? This is really an unpaid hobby for us, so we do the minimum level of work possible to get results good enough for conference presentations. If researchers were going to get paid big bucks for these bugs, they would look and find them.

As another example, I'm not looking at SMS bugs anymore, I'm moving on. That is what researchers do now. Why would I keep looking for these extremely dangerous bugs? I won’t get paid and since there were a rash of SMS talks at BlackHat, conferences won’t be interested in them for a while. That is really what “No More Free Bugs” is about--motivating skilled researchers to look for bugs. Bad guys are already motivated by the financial gains they stand to make and will continue looking for these powerful bugs.

Alan Dang
18 Comments Comment from the forums
  • burnley14
    Wow, don't make Charlie angry. He can take over your phone remotely and kill you with it.
    Reply
  • ethaniel
    Unless he hacks Chuck Norris's iPhone. That would be the end of him. :P
    Reply
  • ossie
    As usual, mr. Charlie "no more free bugs" just likes to overemphasize his findings - free advertising is always great - but it seems his greediness isn't finding the proper nourishment (read cash from blackmailed manufacturers).
    Crashing an equipment is one thing (getting easier in these days of consumerism induced fast paced "innovation"), but taking it over is in a whole different lot.
    Why didn't he demo the iPhone takeover code at BH? I'm sure he would have liked to really impress the audience, but, as it needs a lot of very careful setup, the chances for failure would have been way too high. There are a lot of unexpected events which could have taken place in a real environment (read through the network), as opposed to a laboratory environment (frame injection without external disturbance), which would impede the "golden sequence" to reach it's victim in the desired way (out of order message delivery is just one, which comes quickly to mind).
    Reply
  • downer88
    ethanielUnless he hacks Chuck Norris's iPhone. That would be the end of him.Chuck Norris doesn't use a phone, he uses his "outside" voice!

    Seriously, no offense but I though mobile phone exploits were nothing new.
    Reply
  • This should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
    Reply
  • steiner666
    downer88Chuck Norris doesn't use a phone, he uses his "outside" voice!
    lol

    and of course "jailbroken" iphones couldn't take down a network, how stupid must ppl really be to believe Apple/AT&Ts shit
    Reply
  • anonymousdude
    Charlie_FangirlThis should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
    The safety of a Mac lies in its market share. Less market share less atacks,viruses,trojans, etc. That's why people using linux hardly ever have a problem with security.
    Reply
  • anonymousdude: Linux has all but idiot-proof security, low-level exploits are very difficult, there are package repositories that have everything you could ever need without resorting to potentially untrustworthy 3rd party downloads, and they were doing Microsoft's UAC long before Microsoft, and far better and less annoying. Not to mention, they have a far better scheme for handling execute bits and possible remote execution of arbitrary code. An OS is only as good as the idiot who's using it, but Linux has done by far the best job of idiot-proofing an OS, if it hits 99% marketshare, it will still have a fraction of the problems Windows and OSX do, and there are viruses for OSX, ask Apple who recommend MULTIPLE antiviruses be installed on Macs. Out of tens of thousands of free, open source Linux packages, there are hardly any antiviruses or firewalls even available for Linux, because it is actually for real, not necessary. No shit...

    Reply
  • @synonymousdude,

    OS X is built on UNIX the same as Linux. Please do some research before you spout about things you obviously no nothing about. Otherwise quite wasting the time of everyone that reads the comments.

    Thanks,
    Reply
  • rorosdad: Obviously you know nothing about UNIX or Linux or the inner-workings of OSX. UNIX operating systems follow a standard called POSIX. There is quite a bit of room for differences in how they are implemented. The BSD kernel OSX stole is not the same kernel that Linux uses, besides, most of the security doesn't necessarily happen in the kernel, user interaction happens in the desktop and window managers. Is there package managers for OSX like Synaptic or Adept? Is anybody at Apple smart enough to thwart low-level exploits, or do they only hire "trend-settings hipsters" to be developers? You obviously don't know much about OSes, maybe you should try to educate yourself before acting defiant to me.
    Reply