The iPhone's SMS vulnerability: What we learned
The last week of July and first week of August is always an interesting time in the security world. That’s when the annual Black Hat and DefCon conferences take place, initiating a flurry of software patches and news stories, as the world’s leading security researchers release their latest findings. (DefCon is the world’s biggest hacker conference, and is always preceded by the closely-tied Black Hat, which focuses on enterprise security professionals).
Most of the presentations at Black Hat are dedicated to exploring new research techniques and methods of finding—then fixing—security issues. Some of these are broad, industry-wide problems (such as new ways of attacking web sites), while others affect only a specific platform, such as Microsoft Windows.
Every year there are usually one or two security issues revealed at Black Hat that grab the consciousness of the security industry and fill the headlines. Some result in sudden gag orders and legal drama, while others shatter through our current understandings, unleashing entirely new categories of attack and defense. As one of the most popular devices in telecommunications history, it’s no surprise that this year we found the focus shifting to the iPhone with a new, creative, and concerning form of attack that affects multiple phones.
This year, security researchers Charlie Miller and Collin Mulliner demonstrated a new technique for exploring mobile phone vulnerabilities by directly manipulating the Short Messaging Service (SMS) used to send text messages. In the process, they discovered multiple vulnerabilities in multiple kinds of phones, including a way to remotely attack and control iPhones. Apple patched the vulnerability the day after the researchers presented, but it created a bit of panic as attendees rushed to disable SMS until Apple released the fix.
Many of us in the research community knew about the research ahead of time (it wasn’t a secret), but once Charlie and Collin presented details, rumors instantly started circulating that it was being actively exploited by bad guys and it created a mini-panic of people disabling SMS and turning off their phones. While it doesn’t look like the vulnerability was ever exploited in the wild, it highlights some interesting issues and the power of modern smartphones.
Back when engineers first designed the GSM mobile phone network (the one used by AT&T and most global providers), they included SMS as almost an afterthought. Mobile phone networks are constantly at work even when you aren’t making a call. Your phone communicates with the network constantly to keep it updated on your location (so calls can route to your phone), receive voice mail notifications, and and know when to ring. That’s why your battery drains even when you aren’t making calls—technically, your phone is always talking. This is known as the signaling network, and it uses dedicated radio channels separate from voice calls. Once the engineers designed this back-end messaging and signaling, they decided it might be nice to also send short text messages to and between phones, dedicated 160 characters to it, and SMS was born.
SMS is basically just another message on the signaling side of the network, which has been adapted for a variety of activities. When you receive a Visual Voicemail on your iPhone, it’s a kind of SMS message. On phones and networks that support multimedia messaging (MMS, which the iPhone 3.0 software supports, but which isn’t yet support by AT&T for the iPhone), an MMS is merely a special SMS with the address for your phone to download the photo, video, or audio file. While you see the result, a voicemail or photo/video (except on AT&T), you never see this initial message that triggers the download or other action. Your phone processes the message before you ever see it.
The SMS attack
Charlie and Collin discovered a way of directly manipulating signaling messages to your phone, without necessarily sending them across the mobile provider’s network. Smartphones are essentially small computers; most use a separate chip for handling wireless communications versus the rest of their applications, while the actual processing of messages is handled with a background application on the phone. The researchers investigated techniques for directly hacking the phone and manipulating the data received by this application, thus allowing them to test without having to send messages over the mobile network. This kept them from experiencing a text messaging bill larger than that of the combined teenage population of a major city.
On the iPhone, this application is called the CommCenter. It handles all of the device’s communications, including Wi-Fi and Bluetooth. The researchers discovered various ways of attacking this program using SMS messages. Some attacks would merely disable wireless or reboot the iPhone user interface, while others could give them control of the phone. Since the phone processes these messages before displaying them to the user, nothing would necessarily be visible on the phone as it was under attack. The most serious attack would take hundreds of messages and eight to 10 minutes to execute, which would unusually drain the battery, but not necessarily show any other indications. The attack worked differently on different versions of the iPhone software, but could be executed via AT&T’s network and potentially allow nearly complete remote control of the phone. They also discovered vulnerabilities in Google’s Android phone operating system, and Windows Mobile.
While Apple could have saved those of us in the security community a little stress by releasing its patch before Black Hat (the researchers notified them of the issue ahead of time), it was fixed in the iPhone 3.0.1 update the next day.
An interesting issue
This new category of attack is interesting for a number of reasons. First, SMS is ubiquitous on modern phones—for many customers, it’s considered as essential as voice communications themselves. I personally struggled with the decision to keep SMS enabled after seeing the research, and decided to accept the risk until I heard of any active attacks by bad guys.
Second, since SMS is always enabled, it completely circumvents firewalls or any other security controls we’re used to using on computers. It’s a back channel that we can’t even filter if we wanted to, unless the phone provider builds in some sort of defense themselves. Since we connect these phones to our home and corporate networks, they could potentially become a back door to our protected networks.
Finally, while iPhone users are fairly used to updating their phones, this isn’t necessarily as true of other brands where a vulnerability could linger for far longer.
Fortunately the iPhone is patched and we have no evidence that the attack was used to compromise anyone in the real world. But it’s an interesting technique, and one we need to keep an eye on in the future now that the doors are open.
[Rich Mogull been working in the security world for 17 or so years, and breaking computers even longer. He currently works as an independent security analyst and writer through Securosis.com and previously spent seven years as an analyst with Gartner. He is a frequent contributor to TidBits.]