SMS infects iPhones at Black Hat: PANIC!

At the Black Hat security conference, researchers showed how iPhones and other smartphones are vulnerable to malformed SMS text messages. In IT Blogwatch, bloggers panic and run for the hills, clutching their precious, shiny devices.

Richi Jennings is your humble blogwatcher, who selected these bloggy morsels for your enjoyment. Not to mention Annie Lennox: Backwards/Forwards...

Dan Goodin happens in Vegas:

Researchers have uncovered a bevy of vulnerabilities in smart phones made by multiple vendors, including one in Apple's iPhone that could allow an attacker to execute malicious code without requiring the victim to take any action at all.


The iPhone bug allows an attacker to take complete control of the coveted device simply by sending the owner an SMS, or short message service, message, said Charlie Miller, principal analyst at Independent Security Evaluators. He said he informed Apple's security team of the vulnerability several weeks ago and has yet to receive an official response.

Nick Farrell toes the line:

In a week where it was revealed that the iPhone's encryption was about as useful as a chocolate teapot, security experts have worked out a way of cracking the Jesus phone by using an SMS message. The news makes a mockery of Apple's claims that its software has superior security to anyone else.


An attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that the user does with their iPhone. The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages. ... Android-based phones were found to be similarly susceptible. ... Google patched the hole in a week and does not tell its users that it is invulnerable to attack either.

Andrew Brandt fills in the gaps:

The researchers are currently working with all major carriers and phone manufacturers to fix the problems, but warn that it may take some time before the vulnerabilities have been patched.

Wesley Roberts clutches at straws:

You have a few options here and a couple that may or may not work for you.

  • Put your iPhone in Airplane mode. This means you won't be able to make calls or receive/send messages. You'll be dead in the water in terms of connectivity.
  • Power down your phone completely. Again, you'll be dead in the water and not even be able to play games :)
  • If you're using a jailbroken iPhone then you can SSH to your iPhone, navigate to the Applications directory and then remove all permissions from This prevents SMS application from running on the phone.
  • This one, I am not sure if it will work or not but you could try disabling SMS in the parental controls. Again, this may or may not work.

Michael Scalisi is in a cod-panic:

What are users to do? Should we turn off our phones and wait for Apple to address the issue? Perhaps. Perhaps we should also disconnect our computers from the Internet and forgo all electronic communication while we're at it. In fact, why not cancel all our credit cards, empty our bank accounts, and keep our money under a mattress?

Now that we live in this highly interconnected world, security is an ongoing issue. Personal information about virtually everyone is available on networked computers. It shouldn’t be assumed that any of these systems are unhackable. Since the iPhone is such a hot item, the minutia of its every issue is immediately broadcast around the world. The announcement that the iPhone has a security vulnerability probably isn’t as scary as it's being made out to be.

Dwight Silverman agrees:

Calm down ... you'd think the world had ended. ... a lot of the reaction I've seen - particularly in TV newscasts - has been a little, shall we say, wild-eyed. All the world's iPhones won't shut down later this afternoon; in fact, the odds are very slim that your iPhone will ever be affected.


What's more likely to happen ... is that someone else will figure out the details of the hack and start using it. However, doing so on a mass scale would be difficult. ... Cyberscum who would want to exploit the flaw would first have to fill in any holes the researchers leave in their report. ... Evildoers would have to know that a given number they'd want to attack is attached to an iPhone. ... Developing reliably working software to automate all this would also take time.

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email:

Copyright © 2009 IDG Communications, Inc.
