We recently chatted with security expert Charlie Miller from Independent Security Evaluators about the recently-disclosed iPhone vulnerability that would have allowed a malicious hacker to take control of an iPhone through a series of carefully crafted SMS messages.
Alan: Thanks for taking the time to chat, Charlie. Why don’t you start by telling us a little bit about the SMS vulnerability?
Charlie: The iPhone bug has to do with telling the phone there is a certain amount of data, and then not sending it as much as you said you would. The function that reads the data starts returning -1 to indicate an error, but the other parts of the program don't check for this error and actually think the -1 is data from the message. This shows how complex it can be to write secure code, as separately, each part of the program looks correct, but the way they interact is dangerous!
Anyway, depending on what you send, different bad things can happen. At one point, you can get it to exit because it is about to allocate -1 bytes (which is viewed as 0xffffffff--a very large number). This is a denial of service that will knock the phone off the network temporarily.
During my BlackHat talk, we kept sending this denial of service message every 10 seconds to a volunteer from the audience to keep him off the network. As an unfortunate consequence, the messages were getting cued up on the network and his phone was still getting knocked off hours after the talk. He has since gotten back up and running.
Alan: Note to our readers: whenever Charlie says he needs a volunteer, don’t make eye contact. So, how did you send the message? Were you sending it through the SMS interface of another iPhone or doing something like emailing the “telephone number@attwireless” approach?
Charlie: To send the SMS over the carrier network, we had a small application on our attack iPhone that would talk to the modem using GSM AT commands. For testing and finding the bugs, we used this really cool injection framework that my co-presenter Collin Mulliner wrote, which lets you test SMS message implementations by only sending data over TCP. This prevents you from having to send data over the carrier network and doesn't cost anything, and also lets you test many messages very quickly.
Alan: So how do you go from a denial-of-service to a full-on exploit?
Charlie: The worst case has to do with how the program handles concatenated messages. This is a way to send more than 140 bytes at a time. You can send a long message in a series of messages and the phone will reconstruct it into a one long string. It accesses an array based on a value from the data. In the case where it thinks it reads -1, it actually accesses the memory before the array, not in the array. By setting things up just right and being tricky, you can actually leverage this to gain complete control of the device.
The entire attack takes just over 500 messages, although the victim doesn't know they are being sent because they don't show up on the phone. Most of these messages have to do with setting things up "just right." Sixteen of them actually access the array out of bounds.