31 Jul

unless AT&T and other tele companies start filtering text message ...

Reported on the Black Hat 2009

News on iphone-hacks

iPhone SMS Security Vulnerability
Posted by Noskire

Security researchers are planning to publicize a serious SMS security vulnerability at the Black Hat conference in Las Vegas, NV. In theory this security flaw can allow malicious hackers to ‘take over every iPhone in the world.’ Of course, they would need to know the phone number of every iPhone ever sold which is, I would assume, not such an easy task.

Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

Security researchers Charlie Miller and Collin Mulliner notified Apple about the vulnerability over a month ago, but Apple has yet to address the issue and release a patch for it.

Charlie Miller would suggest you turn the device off as quickly as possible if you happen to receive an SMS text message containing only a single square character.

News on Forbes

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
...
Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn't released a patch, and it didn't respond to Forbes' repeated calls seeking comment.
...
The iPhone SMS bug is just one of a series that the researchers plan to reveal in their talk. They say they've also found a similar texting bug in Windows Mobile that allows complete remote control of Microsoft-based devices. Another pair of SMS bugs in the iPhone and Google's Android phones would purportedly allow a hacker to knock a phone off its wireless network for about 10 seconds with a series of text messages. The trick could be repeated again and again to keep the user offline, Miller says. Though Google has patched the Android flaw, this second iPhone bug also remains unpatched, he adds.
...
As dangerous as his iPhone attack sounds, Miller argues that it's important to expose flaws in SMS software before they can be exploited by more malicious actors. Texting applications' insecurity isn't due to the software's complexity so much as the security community's inattention and the expense of sending thousands of text messages to test a phone's security, Miller says.

"The bad news is that SMS is the perfect attack vector, but the good news is that it's probably possible to build it securely," he says. "As a researcher, I can only show [Apple] the bugs. It's up to them to fix them."
