Apple Releases iPhone OS 3.0.1, Patches SMS Exploit

Apple has released OS 3.0.1 via iTunes and it is the fix we've been looking for in regards to fixing the SMS exploit. I would definitely suggest downloading this ASAP if you own an iPhone unless you would like to allow someone to make your phone act like Skynet.

iPhone SMS Exploit Should Be Patched by the Weekend

In following up with yesterday's story, I saw that AppleInsider had gotten wind of a BBC report that the iPhone SMS exploit should be patched by this weekend via an iTunes update.

For tech-heads that want more detail about how this exploit actually worked, the AppleInsider article detailed it:

The exploit takes advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone. The exploit supposedly exposes the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.

The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk -- a real problem as the trick could also be used to make an iPhone send more messages of its own.

Hopefully this will indeed put any fears of possible hijacking by SMS to rest. Again, I will continue to update if I see any more news.

Potential Security Hole Reportedly Found in iPhones

According to a recent Forbes report (and many other reports all over), two researches will plan on revealing a major security hole in iPhones this afternoon (Thursday, July 30th) at the Black Hat cybersecuirty conference. SMS text messages are apparently the culprit as detailed below:

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they've found in the iPhone's handling of text messages, the researchers say they'll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone's functions. That includes dialing the phone, visiting Web sites, turning on the device's camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

"This is serious. The only thing you can do to prevent it is turn off your phone," Miller told Forbes. "Someone could pretty quickly take over every iPhone in the world with this."

The problem has been reported to Apple; however, I have yet to see any official statement from them, but I will continue to look for them throughout the day. The best I have seen so far is an article from AppleInsider stating that Apple is indeed working on a fix and was supposed to be out at the end of this month (July) and before the conference reveals the bug too all.

Charles Miller is the one primarily responsible for finding this nice little loophole, and he's done it before. So I would definitely believe this exploit is legit.

Being an iPhone owner myself, I will definitely be staying on top of this as best as possible. In the meantime, if you see any strange characters in a SMS text message, shut your iPhone off. Of course, if you don't even want to risk it, you can try keep your iPhone off until this problem is resolved.

Although I'm sure that route will be as easy and trying to cut off a heroine addict cold turkey.

Quick little update: Found a CNET article that describes in detail what this hack can do.