iPhone SMS Vulnerability Patched With OS 3.0.1

Connect to iTunes.We made several cautionary posts about the iPhone’s SMS vulnerability over the past month, and it’s finally getting a fix. iPhone OS 3.0.1 is out today at a whopping 280MB.

Apple was apparently highly pleased with themselves for the fix:

We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.

Nice to hear that no one has actually used the exploit to devious ends, but “less than 24 hours after a demonstration of this exploit” is Bushian in its absurdity. The two dates, the update release and the demonstration, are pretty clearly unrelated. It’s not like Apple just threw this thing together over the last 24 hours. If they had, I probably wouldn’t bother installing it. They’ve known about the problem for at least a month. I know that because I’ve known about the problem for a month.

Here’s to completely arbitrary horn-tooting!

  

iPhone to Get SMS Vulnerability Fix

iPhone SMS.As smartphones become more popular we’re going to see more and more hacks designed to exploit any vulnerability within the phone. As long as the iPhone’s been around, and as widespread as it is, it’s surprising we’ve not seen more news like this.

Though the first of its kind in a while, this iPhone vulnerability is pretty serious. OS X security expert Charlie Miller says through an SMS exploit, attackers could run code using the messaging service. Such an exploit could allow an attacker to track the phone via GPS, enable the microphone for eavesdropping, or even use the phone for a botnet or distributed DOS attack.

At just 140 bytes of data per message, SMS is one of very few ways a hacker can access an iPhone wirelessly. Attackers can send multiple messages to the phone to recompiled once on the device for the exploits mentioned. The real danger is that SMS can be used to send binary to an iPhone, removing user interaction from the equation.

That’s a whole lot more than most iPhone users probably think their phones capable, which is what makes fixing the vulnerability so important. According to Miller, Apple should have the hole patched later this month, before he gives a presentation on the hack at the Black Hat conference in Las Vegas.