ADVERTISEMENT
latest stories:

Google Android, iPhone May Be Vulnerable to SMS Hackers

Security researchers say at this week's Black Hat security conference that they can break into and/or shut down popular smart phones
iPhone, Android, Apple, Google, security



© ISTOCKPHOTO.COM/PETOO

Smart phones such as the iPhone or those running Google's Android or Microsoft's Windows Mobile operating systems are beloved by their owners for their ability to function as pocket-size, Web-connected computers. Unfortunately, the iPhone and its ilk also share the kinds of security problems that have plagued PCs since the advent of widespread Internet access.

The latest smart-phone security vulnerability garnering attention is one that could allow a hacker to blitz one's iPhone or Android-based device with a deluge of SMS (short message service) text messages, an attack that could allow an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).

Security researchers Charlie Miller, principal analyst with Baltimore-based Independent Security Evaluators, and Collin Mulliner, a Ph.D. student at Technical University of Berlin, provided more details about this potential problem today at the Black Hat USA computer security conference in Las Vegas.

On test phones running iPhone versions 2.2 or 2.2.1 or Android versions 1.0, 1.1 or 1.5 operating systems, Miller and Mulliner claim they could crash the programs that manage connectivity to the phones' voice and data networks, causing the units to automatically shut down and require restarting, cutting any calls or Web usage in the process. The researchers claim to have notified Apple and Google of these problems. Although Google says last week it patched the problem in Android, Apple (which introduced 3.0 of its iPhone operating system last month) has not responded to media inquiries, including one from Scientific American. Microsoft isn't necessarily off the hook—the researchers say that, as of the time they wrote their presentation for Black Hat, they were still probing Windows Mobile.

The SMS security problem differs from previous attacks against iPhone users, which required first luring the iPhone user to a virus-infected Web site or open an infected e-mail, Miller told CNET. This new vulnerability involves no effort on the part of the smart-phone user and requires only that an attacker have the victim's phone number, according to CNET. Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone.

Miller, who spent five years as a global network exploitation analyst with the National Security Agency (the U.S.'s cryptologic organization), regularly probes Apple gear in search of weaknesses, Popular Mechanics reported last October. He was also part of a team of security researchers who in 2007 found what is considered to be the iPhone's first exploitable vulnerability (which allows hackers to break into an iPhone via Apple's Safari Web browser). "Because of all the hype surrounding the iPhone and the large amount of personal information stored on the device, we wanted to see what level of security the device currently provides for the user," Miller and his colleagues explained on the Independent Security Evaluators Web site at the time.

Black Hat has become one of the premier venues for hackers to showcase controversial methods of breaking into many of the electronic devices—PCs, smart phones and networking routers, to name a few—on which society has come to depend. At the 2005 conference, a security researcher demonstrated how to take control of Cisco network routers thanks to a security hole in Cisco's software. The company demanded that Black Hat remove information about this from its conference handouts and obtained a court order to prevent the researcher from presenting this information in the future.

At times lost in translation is the fact that many security vulnerabilities can be exploited by only the most sophisticated hackers who have the time, will and financial incentive to do this. The security researchers who dissect computer programs for weaknesses are seen by some as the counterbalance to lax technology companies that sell vulnerable products and by others as opportunists who promote their work so they can sell products and services designed to fix the problems that they find.

Rights & Permissions
Share this Article:

Comments

You must sign in or register as a ScientificAmerican.com member to submit a comment.
Scientific American Holiday Sale

Limited Time Only!

Get 50% off Digital Gifts

Hurry sale ends 12/31 >

X

Email this Article

X