Exclusive Interview: Hacking The iPhone Through SMS

Features
By
published

Explaining The Vulnerability

Alan: So, in essence, you’re slowly transmitting the machine code for a full fledged application of your own, only it’s done over 140 bytes at a time?

Charlie: Sort of. I am also carefully setting things up so that memory is in a predictable fashion. Normally, the layout of memory is very unpredictable. But if you make enough allocations of a particular size, you can start to introduce some predictability. This technique is sometimes called heap feng shui, and is used to make exploits that rely on certain conditions more reliable. For example, I have to make sure data I control shows up right before this array that I can access before the first element.

This attack is especially dangerous for a few reasons. One is that it doesn't require any user interaction. Normally, I do browser exploits where you have to get a user to go to a particular site. Here, I can attack your phone while it’s in your pocket or on the charger or whatever. The other thing that makes it really bad is the process that handles SMS messages, CommCenter, runs as root and has no restrictions. By comparison, the browser runs as the lowly "mobile" user and has a sandbox, which prevents it from doing things like forking or sending SMS messages.

Alan: So how did you first discover the vulnerability?

Charlie: I found the bug by sending in thousands of malformed SMS messages to the device, a process known as fuzzing.

Alan: So, the injection framework allowed you direct access to CommCenter? Thousands? Were you sending thousands of random strings and tracking the output?

Charlie: Actually, the framework sat right between CommCenter and the modem on the device. The framework relays all the information from the modem to CommCenter and also could inject SMS messages as well. In this way, there was no way for CommCenter to know if the message had really come from the modem or if it had come for us. 

The data wasn’t totally random. The way it works is you take good data, obtained by reading the SMS-related specifications, and add small anomalies to them. So the whole SMS message is legitimate except one small part. Repeat this for all small parts. It takes a lot of effort to generate these types of test cases.

Alan: So, once you had identified the vulnerability, what did it take to move it toward the exploit stage?

Charlie: As for writing the exploit, it was extremely difficult. I'm used to writing browser exploits where you have a lot of control in the environment. You can make the browser do whatever you want using JavaScript and HTML. This allows the attacker to set up memory in very predictable ways. Here, I was limited to 140 byte SMS messages and the process performed a lot of actions between each message. It took me about 2.5 weeks to get it all worked out, but it was really cool when it worked.

Alan: 2.5 weeks? Wow. That’s essentially nothing compared to how long the iPhone has been around. Was this in the original iPhone software?

Charlie: The bug’s probably been there forever. I checked back to iPhone OS 2.2. That's the scary thing. How many other bugs like this do bad guys know about? I'm a smart guy, but there are plenty of people as smart and smarter than me out there who can find these kinds of bugs.

Alan Dang
18 Comments Comment from the forums
  • burnley14
    Wow, don't make Charlie angry. He can take over your phone remotely and kill you with it.
    Reply
  • ethaniel
    Unless he hacks Chuck Norris's iPhone. That would be the end of him. :P
    Reply
  • ossie
    As usual, mr. Charlie "no more free bugs" just likes to overemphasize his findings - free advertising is always great - but it seems his greediness isn't finding the proper nourishment (read cash from blackmailed manufacturers).
    Crashing an equipment is one thing (getting easier in these days of consumerism induced fast paced "innovation"), but taking it over is in a whole different lot.
    Why didn't he demo the iPhone takeover code at BH? I'm sure he would have liked to really impress the audience, but, as it needs a lot of very careful setup, the chances for failure would have been way too high. There are a lot of unexpected events which could have taken place in a real environment (read through the network), as opposed to a laboratory environment (frame injection without external disturbance), which would impede the "golden sequence" to reach it's victim in the desired way (out of order message delivery is just one, which comes quickly to mind).
    Reply
  • downer88
    ethanielUnless he hacks Chuck Norris's iPhone. That would be the end of him.Chuck Norris doesn't use a phone, he uses his "outside" voice!

    Seriously, no offense but I though mobile phone exploits were nothing new.
    Reply
  • This should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
    Reply
  • steiner666
    downer88Chuck Norris doesn't use a phone, he uses his "outside" voice!
    lol

    and of course "jailbroken" iphones couldn't take down a network, how stupid must ppl really be to believe Apple/AT&Ts shit
    Reply
  • anonymousdude
    Charlie_FangirlThis should be considered a nice and very credible rebuttal to the ridiculous interview with Joanna Rutkowska... Charlie is a real security expert, and he says Mac security sucks. Take note, Apple fanboys.
    The safety of a Mac lies in its market share. Less market share less atacks,viruses,trojans, etc. That's why people using linux hardly ever have a problem with security.
    Reply
  • anonymousdude: Linux has all but idiot-proof security, low-level exploits are very difficult, there are package repositories that have everything you could ever need without resorting to potentially untrustworthy 3rd party downloads, and they were doing Microsoft's UAC long before Microsoft, and far better and less annoying. Not to mention, they have a far better scheme for handling execute bits and possible remote execution of arbitrary code. An OS is only as good as the idiot who's using it, but Linux has done by far the best job of idiot-proofing an OS, if it hits 99% marketshare, it will still have a fraction of the problems Windows and OSX do, and there are viruses for OSX, ask Apple who recommend MULTIPLE antiviruses be installed on Macs. Out of tens of thousands of free, open source Linux packages, there are hardly any antiviruses or firewalls even available for Linux, because it is actually for real, not necessary. No shit...

    Reply
  • @synonymousdude,

    OS X is built on UNIX the same as Linux. Please do some research before you spout about things you obviously no nothing about. Otherwise quite wasting the time of everyone that reads the comments.

    Thanks,
    Reply
  • rorosdad: Obviously you know nothing about UNIX or Linux or the inner-workings of OSX. UNIX operating systems follow a standard called POSIX. There is quite a bit of room for differences in how they are implemented. The BSD kernel OSX stole is not the same kernel that Linux uses, besides, most of the security doesn't necessarily happen in the kernel, user interaction happens in the desktop and window managers. Is there package managers for OSX like Synaptic or Adept? Is anybody at Apple smart enough to thwart low-level exploits, or do they only hire "trend-settings hipsters" to be developers? You obviously don't know much about OSes, maybe you should try to educate yourself before acting defiant to me.
    Reply