On Thursday, two researchers plan to reveal an unpatched iPhone bug that could virally infect phones via SMS.
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.
“This is serious. The only thing you can do to prevent it is turn off your phone,” Miller told Forbes. “Someone could pretty quickly take over every iPhone in the world with this.”
Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn’t released a patch, and it didn’t respond to Forbes’ repeated calls
Update July 31
A patch has been issued from the vendor on this.
Apple just released APPLE-SA-2009-07-31-1. iPhone OS 3.0.1 fixes the problem.