Apple Fixes iPhone SMS Vulnerability
Apple is not known for being an especially fast-moving company: Earlier this year it left a Java vulnerability unpatched for several months while other major platforms fixed it immediately.
But on Friday it issued a fix for the SMS vulnerability that was a highlight of the Black Hat conference just one day ago. The vulnerability was demonstrated by several researchers, who showed how to take over a user's phone by way of a simple SMS message.
One pair of researchers showed the carrier side of the problem while another duo showed the iPhone side of the vulnerability. All that was needed was the phone number of an iPhone to start the attack, they said.
AT&T Wireless referred all calls and inquiries to Apple, while Apple (NASDAQ: AAPL) issued a fix available through iTunes. The fix is the only thing new in iPhone OS 3.0.1, but it's still a full download and install.
Researchers Charlie Miller and Collin Mulliner told the Black Hat conference that the hack works by slightly modifying the data that the network sends along with a text message, which the user does not see. That string could then allow the phone to be compromised and taken over remotely.
The problem stemmed from the fact that SMS text messaging systems were built with the assumption that the only thing traveling over those networks would be legitimate text sent by the carriers, so the carriers and phone makers didn't see any need for security.
The researchers said they had informed Apple and Google of the hack prior to Black Hat, and that Google had already addressed the problem in Android.
An Apple spokesperson did not return calls seeking comment.