

Root vulnerability found in iPhone OS, exploitable via SMS - sounddust
http://tech.yahoo.com/news/pcworld/20090702/tc_pcworld/applepatchingserioussmsvulnerabilityoniphone

======
yan
I'll be waiting for the details of this one. I just love the idea of someone
involuntarily paying $.25 to get rooted.

~~~
sounddust
If it's as as serious as the article claims, I'll be quite shocked. If someone
were to release an iPhone worm that spreads via SMS, then Apple would be
devastated.

~~~
grinich
But they would have better infrastructure to deal with it than any other cell
provider. (iTunes, retail stores, etc.)

~~~
lpgauth
I'm pretty sure AT&T could do some packet filtering and block those bad sms.

~~~
InkweaverReview
I'm sure AT&T would love that. Virus protection, now from AT&T, only $20 more
per month to protect your iPhone.

I don't think I'd trust them to keep up with all the new threats.

------
derefr
This won't be a problem, and that prognosis has nothing to do with the fact
that it's the iPhone that's affected. The carriers _own the networks_. Unlike
Internet worms, which spread "in the wild", these messages would have to pass
through the carriers' networks to get from one iPhone to another. The carriers
can just filter them out, whether the phones are patched or not.

~~~
sounddust
Of course it would be a problem, due to the fact that they can't respond
instantaneously. In order to block these messages, AT&T would have to first 1)
realize that there is a problem, 2) figure out what to filter, 3) implement
the filter. By the time they did all this, the worm would have already spread
to most phones which are turned on. It could easily infect 500,000 phones
before AT&T were able to respond.

If, for example, someone released a worm which sent an infected SMS to all
contacts and proceeded to permanently destroy the device's baseband, ruining
500,000 iPhones before AT&T implemented a filter, how much money do you think
Apple is going to have to spend in repair costs and lost future sales from the
bad PR?

------
jonknee
Well hey, finally a messaging feature that the iPhone really is the first to
have! I hope AT&T supports root kit SMS (RKSMS?).

------
yread
Why do they mention all the security features of the OS when it doesn't help
one bit against this rootkit? It sounds almost as an PR how iPhone is secure!

On another point, from an AT&T memo:

 _On June 25, the day Michael Jackson died, text messages sent on our network
spiked at 65,000 messages per second_

I wonder how much would it be if somebody made this into an exploit sending it
to the whole address book.

~~~
drusenko
I imagine it would be whatever the capacity of the network before melting down
is. If it consecutively gets sent to the entire address book, and there are a
lot of iPhones out there, that is some fast exponential growth.

~~~
andyking
Networks in Britain routinely fall over on New Years' Eve...

------
mhughes
>For starters, the stripped-down version of the OS presents fewer options for
attackers, removing applications and features such as support for Adobe Flash
and Java, which they might otherwise be able to exploit for vulnerabilities.

What does that even mean? It would be more vulnerable if it had Java
installed?

~~~
sneakums
More code, more bugs. More bugs, more vulnerabilities.

------
ynniv
This is singly the most important piece of iPhone news yet. It may even
eclipse the announcement of the device itself... From the Computerworld
article, the exploit gains root access. Imagine a 21 million phone bot-net
created overnight, with the ability to geo-locate each unit and receive audio
and video from it. Remember that most PC exploits can be prevented via a
firewall, and this cannot. Most PC's are also behind a router and not directly
addressable, while phones (via SMS) are not.

How do I stop AT&T from delivering text messages? There's no way to turn them
off at the OS level...

EDIT: You can disable text messages by signing up for Smart Limits for
Wireless Parental Controls ($5/month). You can then add whitelist numbers and
set the SMS quota for greylist numbers to 0.

~~~
derefr
> How do I stop AT&T from delivering text messages? There's no way to turn
> them off at the OS level...

Airplane mode doesn't do this? (Yeah, yeah, Phyrric victory...)

------
igorgue
Where is the source of the iPhone OS to fix it? ;)

------
c00p3r
This is not a big problem, because the fix can be forsed through its update
system, like microsoft doing it.

Similiar vulnerability for Symbian OS is a big thing, because almost no one
updates their phone's firmware. =)

~~~
Sidnicious
Nope, the iPhone doesn't support over-the-air updates. Apple can patch it in
the next version of the OS, but no one's gonna get the update without a
computer.

~~~
c00p3r
Thank you for providing this information. So, it would be something like "new
high-optimized, dramatically improved, much faster build of the OS 3.0".

------
staunch
Just go to <http://awesomeapp.com/> and enter your phone number. We'll install
the app whether you want us to or not!

