Exclusive Interview: Hacking The iPhone Through SMS


We recently chatted with security expert Charlie Miller from Independent Security Evaluators about the recently-disclosed iPhone vulnerability that would have allowed a malicious hacker to take control of an iPhone through a series of carefully crafted SMS messages.

Alan: Thanks for taking the time to chat, Charlie. Why don’t you start by telling us a little bit about the SMS vulnerability?

Charlie: The iPhone bug has to do with telling the phone there is a certain amount of data, and then not sending it as much as you said you would. The function that reads the data starts returning -1 to indicate an error, but the other parts of the program don't check for this error and actually think the -1 is data from the message. This shows how complex it can be to write secure code, as separately, each part of the program looks correct, but the way they interact is dangerous!

Anyway, depending on what you send, different bad things can happen. At one point, you can get it to exit because it is about to allocate -1 bytes (which is viewed as 0xffffffff--a very large number). This is a denial of service that will knock the phone off the network temporarily.  

During my BlackHat talk, we kept sending this denial of service message every 10 seconds to a volunteer from the audience to keep him off the network.  As an unfortunate consequence, the messages were getting cued up on the network and his phone was still getting knocked off hours after the talk. He has since gotten back up and running.

Alan: Note to our readers: whenever Charlie says he needs a volunteer, don’t make eye contact. So, how did you send the message? Were you sending it through the SMS interface of another iPhone or doing something like emailing the “telephone number@attwireless” approach?

Charlie: To send the SMS over the carrier network, we had a small application on our attack iPhone that would talk to the modem using GSM AT commands. For testing and finding the bugs, we used this really cool injection framework that my co-presenter Collin Mulliner wrote, which lets you test SMS message implementations by only sending data over TCP. This prevents you from having to send data over the carrier network and doesn't cost anything, and also lets you test many messages very quickly.

Alan: So how do you go from a denial-of-service to a full-on exploit?

Charlie: The worst case has to do with how the program handles concatenated messages. This is a way to send more than 140 bytes at a time. You can send a long message in a series of messages and the phone will reconstruct it into a one long string. It accesses an array based on a value from the data. In the case where it thinks it reads -1, it actually accesses the memory before the array, not in the array. By setting things up just right and being tricky, you can actually leverage this to gain complete control of the device.

The entire attack takes just over 500 messages, although the victim doesn't know they are being sent because they don't show up on the phone. Most of these messages have to do with setting things up "just right." Sixteen of them actually access the array out of bounds.

  • burnley14
    Wow, don't make Charlie angry. He can take over your phone remotely and kill you with it.
  • ethaniel
    Unless he hacks Chuck Norris's iPhone. That would be the end of him. :P
  • ossie
    As usual, mr. Charlie "no more free bugs" just likes to overemphasize his findings - free advertising is always great - but it seems his greediness isn't finding the proper nourishment (read cash from blackmailed manufacturers).
    Crashing an equipment is one thing (getting easier in these days of consumerism induced fast paced "innovation"), but taking it over is in a whole different lot.
    Why didn't he demo the iPhone takeover code at BH? I'm sure he would have liked to really impress the audience, but, as it needs a lot of very careful setup, the chances for failure would have been way too high. There are a lot of unexpected events which could have taken place in a real environment (read through the network), as opposed to a laboratory environment (frame injection without external disturbance), which would impede the "golden sequence" to reach it's victim in the desired way (out of order message delivery is just one, which comes quickly to mind).
  • downer88
    ethanielUnless he hacks Chuck Norris's iPhone. That would be the end of him.Chuck Norris doesn't use a phone, he uses his "outside" voice!

    Seriously, no offense but I though mobile phone exploits were nothing new.
  • This should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
  • steiner666
    downer88Chuck Norris doesn't use a phone, he uses his "outside" voice!

    and of course "jailbroken" iphones couldn't take down a network, how stupid must ppl really be to believe Apple/AT&Ts shit
  • anonymousdude
    Charlie_FangirlThis should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
    The safety of a Mac lies in its market share. Less market share less atacks,viruses,trojans, etc. That's why people using linux hardly ever have a problem with security.
  • anonymousdude: Linux has all but idiot-proof security, low-level exploits are very difficult, there are package repositories that have everything you could ever need without resorting to potentially untrustworthy 3rd party downloads, and they were doing Microsoft's UAC long before Microsoft, and far better and less annoying. Not to mention, they have a far better scheme for handling execute bits and possible remote execution of arbitrary code. An OS is only as good as the idiot who's using it, but Linux has done by far the best job of idiot-proofing an OS, if it hits 99% marketshare, it will still have a fraction of the problems Windows and OSX do, and there are viruses for OSX, ask Apple who recommend MULTIPLE antiviruses be installed on Macs. Out of tens of thousands of free, open source Linux packages, there are hardly any antiviruses or firewalls even available for Linux, because it is actually for real, not necessary. No shit...

  • @synonymousdude,

    OS X is built on UNIX the same as Linux. Please do some research before you spout about things you obviously no nothing about. Otherwise quite wasting the time of everyone that reads the comments.

  • rorosdad: Obviously you know nothing about UNIX or Linux or the inner-workings of OSX. UNIX operating systems follow a standard called POSIX. There is quite a bit of room for differences in how they are implemented. The BSD kernel OSX stole is not the same kernel that Linux uses, besides, most of the security doesn't necessarily happen in the kernel, user interaction happens in the desktop and window managers. Is there package managers for OSX like Synaptic or Adept? Is anybody at Apple smart enough to thwart low-level exploits, or do they only hire "trend-settings hipsters" to be developers? You obviously don't know much about OSes, maybe you should try to educate yourself before acting defiant to me.