A look at the SMS exploits

Published: August 3rd, 2009

Further to my post from this morning promising more on the SMS attacks, here’s the commentary from Bruce…
———————
If you haven’t seen the news about a bug in the iPhone OS enabling itto be compromises through specially crafted SMS messages, it makesinteresting reading. The idea that you can simply SMS someone and pwntheir phone is a pretty scary one. Having attended the technicalsession at BlackHat, I wanted to weigh in on the conversation and givesome context…

The specially crafted SMS message exploits is not exactly a newone. We have for years been able to alter phones, our providers do thisregularly, and interact without a user knowing. What makes this one sointeresting is that it is not limited just to the iPhone, nor is ithard to achieve if you use the tools created by researchers CharlieMiller and Collin Mulliner. As a bit of background, the exploit uses aflaw on many implementations of smartphones (Apple’s iPhone, Google’sAndroid and Microsoft’s Windows Mobile) that when they receivedspecific command embedded in SMS messages, they either cause anapplication on the device to crash, which cases a Denial of Service, orfull remote control.

In the case of each type of phone, the commands are specific and soyou not only need to know the phone number, but also the type ofdevice. Once they know those things, Charlie Miller and Collin Mullinerwere able to successfully demonstrate their attacks. In the DoS case ofthe iPhone and Android devices, the flaws are (were in Apple’s case asthey tell us it has been patched) able to crash components of theoperating systems and cause the phones to disconnect themselves fromthe network and reconnect. Keep in mind that most providers queue SMSmessages and so when the phone comes back online, it may receiveanother message… In some cases user interaction is required to resetthe phone. In the Windows Mobile case, the operating system was notvulnerable, an HTC application included a flaw that was exploitable.

As I am sure you can imagine, taking remote control of a device wassomewhat more complex and exploited a memory issue in the way thatmulti part text messages are handled to enable the attackers to injecttheir code in to the machine through heap spraying and then executingthat code through the buffer underflows. The process could mean sendinghundreds of text messages to a single phone, but interestingly enoughthe user may not see many or indeed any of these due to the way thesystems handle incomplete text messages.

In summary, the thing to think about is that these are not reallytrivial matters to find and exploit from scratch, but at the end of theday when was the last time you updated your phone?

Lemme know what you think?

Bruce



Related Download
Designing for enterprise automation Sponsor: IBM
Designing for enterprise automation

Register Now
Uncategorized