Charlie Miller (left) and Collin Mulliner present at Black Hat Photo: Sean Michael Kerner |
LAS VEGAS — SMS is a standard feature on hundreds of millions of phone globally and according to a series of researchers it’s also insecure.
At the Black Hat security conference, multiple researchers took the stage to detail how they were able to use to take over a users phone by way of a simple SMS message.
Researchers Zane Lackey and Luis Miras took specific aim at the carrier side of the problem while Charlie Miller and Collin Mulliner took aim at the iPhone itself. “The cool thing is that you only need the phone number in order to start your attacks,” Miller told the audience.
Both sets of researchers began their talks by explaining how the SMS system generally works and why it is an attractive target for security research. An SMS message gets to an end-user eventually, even if they’re not currently on their phone, it will show up when the user starts their phone.
Miller said he informed Apple of the flaw in late June and demonstrated today with a live phone in the audience that the iPhone attack works today.
An Apple (NASDAQ: AAPL) spokesperson wasn’t immediately available for comment.
The flaw enabled Miller and Mulliner to perform a denial of service attack on the user’s iPhone after the user received an initial text message.
Miller explained that he used a technique called Fuzzing, which inject random characters into a code stream to see what would happen, which is what led him to the vulnerability.
“The ultimate goal of fuzzing is to turn it on go to bed, wake up and then find 0-days,” Miller said.
Miller built a tool that enabled him to send the fuzzed SMS messages to his own iPhone in an effort to find something interested. He said he sent over half a million messages to his phone in order to find the vulnerability.
The vulnerability enabled him to crash the CommCenter function of the iPhone. “On the iPhone if you crash CommCenter it kills all other network connection — Wi-Fi, Bluetooth too,” Miller said. “So basically you turn your iPhone into an iPod touch.”
The same tool that Miller and Mulliner built for the iPhone was also built by two researcher for Google Android as well as Windows Mobile.
Miller noted that he found a SMS vulnerability on the Android phone as well. He reported the issue at the end of June and said that Google fixed the issue last week.
“As much as I can’t stand the Android security team they actually did a good job,” Miller said.
SMS Carriers
Researchers Zane Lackey and Luis Miras demoed their own set of SMS vulnerabilites targeted at carriers. “SMS is called a store-and-forward system,” Lackey said. “The recipient is offline lots of time so the SMSC (SMS control) is the control part.”
Lackey noted that with SMS there is the operating system, the phone hardware and the carrier and anyone of those elements could introduce insecurity into the SMS system.
“The Holy Grail of vulnerabilities is to just point the target at a Web server and then it executes,” Lackey said.
Not only are regular SMS text messages a risk, but Lackey noted that voice mail notification are actually SMS messages as well. Lackey said he could spoof the voice mail notification SMS messages.
“Phones are built on the assumption that these messages should only ever be sent by the carriers,” Lackey said.
Miras and Lackey built a tool called TAFT (There is an Attack For That) as an iPhone app in order to enable SMS attacks on the iPhone. But the root of the issue for Miras and Lackey rests with the carriers that should be able to block malicious SMS traffic.
“Do not try this at home,” Miras said. “This is a carrier issue, we disclosed to them and they are working on a fix — and the flaw will probably work for a while. Carriers are monitoring their subscribers and they are looking for this.”