iPhone SMS attack on show at Black Hat

Apple has just over a day to patch a bug in its software, ahead of the Black Hat conference, that could let hackers take over the iPhone.

Share

Apple has just over a day to patch a bug in its software, ahead of the Black Hat conference, that could let hackers take over the iPhone.

It can patch the bug by sending out a SMS (Short Message Service) message. The bug was discovered by noted iPhone hacker Charlie Miller, who first talked about the issue at the SyScan conference in Singapore.

At the time, Miller said he'd discovered a way to crash the iPhone via SMS, and that he thought that the crash could ultimately lead to working attack code.

Since, then he's been working hard, and he now says he's able to take over the iPhone with a series of malicious SMS messages. In an interview Tuesday, Miller said he will show how this can be done during a presentation at the Black Hat security conference in Las Vegas this Thursday with security researcher Collin Mulliner.

"SMS is an incredible attack vector for mobile phones," said Mulliner, an analyst with Independent Security Evaluators. "All I need is your phone number. I don’t need you to click a link or anything."

Miller reported the flaw to Apple about six weeks ago, but iPhone's maker has yet to release a patch for the issue. Apple representatives could not be reached for comment, but the company typically keeps quiet about software flaws until it releases a patch.

If it does release a pre-Black Hat patch, Apple will not be alone. Microsoft had to scramble to put out an emergency fix for an issue in its Active Template Library (ATL), used to build ActiveX controls. This "out-of-cycle" patch was released Tuesday, ahead of another Black Hat presentation on that particular vulnerability.