

Swedish developer discovers security hole in iPhone - orjan
http://translate.google.com/translate?hl=en&sl=sv&tl=en&prev=_dd&u=http%3A%2F%2Fwww.idg.se%2F2.1085%2F1.546628%2Fsa-enkelt-hackar-han-iphone

======
orjan
Google Translate didn't do a good job, so I cleaned up the translation a bit:

A Swedish programmer has discovered a serious security hole in the iPhone.
TechWorld's news editor gets his phone hacked - and cannot do anything about
it.

A few days ago, TechWorld was contacted by the developer Roman Digerberg, who
said he'd found serious security holes in iOS. Among other things, he asserted
that it was possible to send an anonymous text message that appears on the
lock screen, even when this is set to not display messages.

He also said that it was possible to manipulate the number that denotes the
number of voice mail messages, or to just put a red dot in place of the
indicator, which the user can not remove. When TechWorld talks to him, he
tells us more:

How did you discover this? - It was by pure chance. I wrote a program in C#
for my GPS tracker, which would facilitate the programming of it. By mistake I
sent the text message to my iPhone which then began to beep and display
strange messages on screen. Soon, I realized that I had created a monster.

What did you do? - I have been in contact with Apple, both via email and
phone, but they seem totally uninterested in this. I've been thinking about
making the source available online. People will start doing harakiri with each
other's phones, but why should you care about it when not even Apple does?

He also reports that he has received offers from several companies that want
to buy the software to use it for advertising, since it is next to impossible
to ignore the messages that pop up on the screen.

He offers to demonstrate how it works and TechWorld's news editor gives him
his phone number. Soon, things start to happen in his phone:

[image]

Apparently there were lots of people who tried to call in the last minute.
However, the voicemail does not have any new messages.

[image]

But it still says that there were 250 missed calls. And it will not disappear,
no matter what we do.

Roman Digerberg calls us to check that it worked. During our conversation, he
sends another message:

[image]

Indeed a very good call. But maybe not so fun when ad companies get the
technology, starting with mass mailings that can not be ignored or turned off.

After taking screenshots, he removes everything in seconds.

- You cannot remove it, only I can remove it, he explains.

He is also sending over examples of much nastier things he can do:

[image]

So what should we make of this? An extra important call that was missed?

Or this, which has great potential to cause heart attacks:

[image]

He explains, without going further into technical details, that it's about
manipulating classes in the message structure. Other than sending messages
that can not be avoided and manipulating figures for the number of messages,
he says that he also managed to lock a phone altogether and that a restart was
required to get it working again.

- Some think that I should start a paid service where you can anonymously
send different types of messages. You can imagine what chaos there would be if
people sit and send unwanted and unavoidable messages to each other and make
changes in each other's phones. That said, I realize that this is a monster,
says Roman Digerberg.

~~~
vvvVVVvvv
Thanks for the proper translation.

Any chance you could translate the message in the last picture?

~~~
toxik

    Voice mail
    250 new messages in voice mail

Maybe you meant this one:

    > SIM-ERROR
    > PUSH DISMISS TO ERASE TELEPHONE
    > Sincerely, Your mom.

~~~
vvvVVVvvv
Hey thanks a lot mate.

Sorry for the late reply though.

------
patrickas
It seems to me he is just manipulating the DCS of the SMS being sent. This is
standard behavior according to the GSM SMS specs.

[http://www.etsi.org/deliver/etsi_gts/03/0338/05.00.00_60/gsm...](http://www.etsi.org/deliver/etsi_gts/03/0338/05.00.00_60/gsmts_0338v050000p.pdf)

From section 4, the "SMS Data Coding Scheme" can be used to control "Voicemail
Message Waiting" among other indicators and to send messages of "Class 0",
which instruct that the phone shall "display the message immediately and send an
acknowledgement to the SC when the message has successfully reached the MS
irrespective of whether there is memory available in the SIM or ME."

Admittedly it has been over a decade since I last played with sending such
messages to phones, but it did seem to me like a bug in the spec, giving too
much control to anyone with access to an SMS-C (or any other means to change
the DCS field). Back then all phones I tested had implemented the spec as
described.
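An added example, written for this thread rather than taken from the linked spec or from the original article: a decoder for the single TP-DCS octet as patrickas describes it (GSM 03.38 section 4), of the kind a carrier gateway or handset filter could use to log Class 0 "flash" messages and Message Waiting Indication (MWI) messages before they reach the display. The DCS values used in the test are constructed, and the bit layout follows my reading of the spec.

```python
from dataclasses import dataclass
from typing import Optional

ALPHABETS = {0: "GSM 7-bit", 1: "8-bit data", 2: "UCS-2", 3: "reserved"}
MWI_TYPES = {0: "voicemail", 1: "fax", 2: "email", 3: "other"}


@dataclass
class Dcs:
    group: str                         # coding group selected by bits 7..4
    alphabet: Optional[str]            # text alphabet; None if not applicable
    message_class: Optional[int]       # 0..3, or None when no class is signalled
    compressed: bool = False           # bit 5 of the general group
    mwi_active: Optional[bool] = None  # MWI groups only: indicator on/off
    mwi_type: Optional[str] = None     # MWI groups only: voicemail/fax/email/other

    @property
    def is_flash(self) -> bool:
        """Class 0: the handset shall display the message immediately."""
        return self.message_class == 0

    @property
    def is_mwi(self) -> bool:
        return self.mwi_active is not None


def decode_dcs(octet: int) -> Dcs:
    """Decode one TP-DCS octet per GSM 03.38 section 4 (assumed layout)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    hi, lo = octet >> 4, octet & 0x0F
    if hi <= 0x3:                       # 00xx: general data coding indication
        has_class = bool(octet & 0x10)  # bit 4: bits 1..0 carry a message class
        return Dcs("general", ALPHABETS[(octet >> 2) & 0x3],
                   (octet & 0x3) if has_class else None, compressed=bool(octet & 0x20))
    if hi in (0xC, 0xD, 0xE):           # 1100/1101/1110: MWI discard/store groups
        alphabet = {0xC: None, 0xD: "GSM 7-bit", 0xE: "UCS-2"}[hi]
        return Dcs("mwi-discard" if hi == 0xC else "mwi-store", alphabet, None,
                   mwi_active=bool(lo & 0x8), mwi_type=MWI_TYPES[lo & 0x3])
    if hi == 0xF:                       # 1111: data coding / message class
        return Dcs("class", "8-bit data" if lo & 0x4 else "GSM 7-bit", lo & 0x3)
    return Dcs("reserved", None, None)  # 0100..1011: reserved coding groups


def triage(octet: int) -> str:
    """One-line verdict a gateway or handset filter could log for a TP-DCS."""
    d = decode_dcs(octet)
    if d.is_mwi:
        return f"MWI {d.mwi_type} {'set' if d.mwi_active else 'clear'} ({d.group})"
    if d.is_flash:
        return "flash (class 0): displayed immediately, not stored in the inbox"
    return f"normal text ({d.alphabet}, class {d.message_class})"
```

Logging the triage verdict next to the sender address is enough to see whether a voicemail-waiting or flash DCS arrived from something other than the carrier's own SMS-C.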

~~~
orjan
Interesting. Then that would mean that not only the iPhone will be affected by
this. Would be nice to see the code.

------
robinduckett
Isn't this just SMS "Flash" messages? That's how I was told the voicemail
count worked when the iPhone came out on O2 in the UK all those years ago.

[http://en.wikipedia.org/wiki/Short_Message_Service#Flash_SMS](http://en.wikipedia.org/wiki/Short_Message_Service#Flash_SMS)

~~~
brunnsbe
I don't think it's just Flash messages, or it could be based on Flash messages
containing faulty data. He gets the phone tricked into showing that there are 250
missed calls on both the lock screen and the home screen (does the voicemail
SMS use flash?). Certain types of messages also lock the whole phone so that
it has to be rebooted.

~~~
nav1
As far as I know voicemail uses flash messages to indicate the number of
messages.

~~~
ersii
Not in Sweden on Swedish carriers though. At least not at Telia, 3, Tele2 or
Telenor. (That's pretty much all of the large ones that own parts of the
cellular network.)

------
x0054
If Apple does not care about this vulnerability, sell it to the black hat
community, let them spam with it. 500 visits a day to the Genius Bar per store
will get this issue fixed in a hurry.

------
orjan
It appears he is sending a specially formatted SMS message that the iPhone
doesn't handle correctly.

~~~
JetSpiegel
I blame the baseband processor.

That thing is evil!

------
sergiotapia
Why risk legal trouble? Just sell it to black hat organizations and make tons
of money with zero repercussions from outdated laws.

In this case I'm not sure those hacking laws apply, but who knows with these
legislators. Anyone familiar with Swedish law in this area?

~~~
eli
1) I don't think you're right about that and 2) some people would find selling
exploits to criminals to be amoral even if it were legal.

------
Kiro
OT but I love how his name is translated. Novel The Black Mountains.

~~~
robinduckett
Google Translate seems to think Roman Digerberg translates to: "Digestion
novel Berg"

~~~
gpvos
GT actually generates both these translations in different places.

------
chrisBob
The important thing that is missing is if this is an iPhone only issue.

------
badman_ting
I'm not sure I agree on the severity, but of course Apple is being dumb by
simply not communicating with the guy about it. Jeez.

~~~
chrisBob
He says he has talked with Apple via both email and phone.

~~~
dsl
It isn't really an issue they can fix. Voicemail and missed call notifications
come in from carriers over specially formatted messages. You'd need to develop
a new out of band messaging protocol that is as reliable as SMS delivery and
get all the 30+ carriers Apple works with globally to roll it out before they
could turn off the old stuff.

~~~
__david__
Why does it have to be out of band? Couldn't they just append a signature or
something?

