SMART PHONE (IN)SECURITY Security researchers at the Black Hat security conference in Las Vegas say they've found a way for hackers to use SMS (short message service) text messages to potentially crash or take control of iPhones or smart phones running Google's Android operating system. Image: © ISTOCKPHOTO.COM/PETOO
Smart phones such as the iPhone or those running Google's Android or Microsoft's Windows Mobile operating systems are beloved by their owners for their ability to function as pocket-size, Web-connected computers. Unfortunately, the iPhone and its ilk also share the kinds of security problems that have plagued PCs since the advent of widespread Internet access.
The latest smart-phone security vulnerability garnering attention is one that could allow a hacker to blitz one's iPhone or Android-based device with a deluge of SMS (short message service) text messages, an attack that could allow an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).
Security researchers Charlie Miller, principal analyst with Baltimore-based Independent Security Evaluators, and Collin Mulliner, a Ph.D. student at Technical University of Berlin, provided more details about this potential problem today at the Black Hat USA computer security conference in Las Vegas.
On test phones running iPhone versions 2.2 or 2.2.1 or Android versions 1.0, 1.1 or 1.5 operating systems, Miller and Mulliner claim they could crash the programs that manage connectivity to the phones' voice and data networks, causing the units to automatically shut down and require restarting, cutting any calls or Web usage in the process. The researchers claim to have notified Apple and Google of these problems. Although Google says last week it patched the problem in Android, Apple (which introduced 3.0 of its iPhone operating system last month) has not responded to media inquiries, including one from Scientific American. Microsoft isn't necessarily off the hook—the researchers say that, as of the time they wrote their presentation for Black Hat, they were still probing Windows Mobile.
The SMS security problem differs from previous attacks against iPhone users, which required first luring the iPhone user to a virus-infected Web site or open an infected e-mail, Miller told CNET. This new vulnerability involves no effort on the part of the smart-phone user and requires only that an attacker have the victim's phone number, according to CNET. Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone.