Apple iPhone owners having trouble with SMS messages and other security
breaches can now get some relief from the Cupertino, Calif.-based company in the form of an update.
A hole in Apple iPhone security can now be fixed with the iPhone OS 3.0.1 update released Friday and only available through the latest version of iTunes. Apple recommends iPhone owners apply the update immediately.
The security hole, first discovered by Charlie Miller, a principal security analyst with Independent Security Evaluators, enabled a hacker to run software code on the iPhone that is sent via an SMS. The code can turn on the microphone of the iPhone, allowing the hacker to listen in on conversations, or force the iPhone to become part of a denial-of-service (DoS) attack. This method does not use the wireless carrier, so it is free and invisible to the carrier.
The security hacker and Collin Mulliner of Fraunhofer SIT wrote the software to exploit the security weakness, targeting iPhones on AT&T's network and on four different networks in Germany.
The duo notified Apple of the security flaw earlier this month, but Apple didn't make a patch available before Miller and Mulliner demonstrated the possibility of an attack in greater detail on Thursday at Black Hat, a security conference in Las Vegas.
On Friday, Apple gave credit to Miller and Mulliner for reporting the issue; Apple released this message in an e-mail with information about its update: "A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators and Collin Mulliner of Fraunhofer SIT for reporting this issue."
Security analysts say it's unclear at this time how much effect the hole in security has had on consumers.
"It could be potentially devastating and can be used to fingerprint en masse iPhone users," said Jose Nazario, a security analyst with Arbor Networks. "Most carriers have mechanisms in place to detect SMS spams. The activity of a single pointer flooding out messages generally triggers someone to say, 'I have to have a look at this.' Whether or not carriers will be able to put filters in place is still unclear."
Apple Not Alone
Analysts believe Apple's slow response to deal with the flaw will only hurt it in the future.
"Apple is getting a black eye with this, and it draws more attention to them because of them lagging to deal with these issues," Nazario said. "There are those who are patient and professional, but others will look at this and say, 'I'll show them that I am smarter than them' and get back at them. I think that it really behooves the point that companies need to take these threats seriously."
Miller and Mulliner also found similar vulnerabilities with SMS security flaws in the Android and Windows Mobile operating systems. The bug affecting Google's Android, however, did not allow a hacker to take control of the phone.
"I can confirm that the SMS bug affecting Android has been fixed," said Google spokesperson Jay Nancarrow.