Apple iPhone OS 3.0.1 SMS Vulnerability Debriefing

Apple iPhone SMS vulnerability sequence of events

June 24, 2009 CVE is created (CVE-2009-2204), no details.

July 2, 2009 IDG news service releases story about Charlie Miller demonstrating a malicious text message (Short Message Service (SMS) message) at SyScan ’09 in Singapore that crashes the iPhone. This demonstration suggests that a maliciously crafted text message could give a remote user root access to the phone. The attacker could then install software of their choice.

The story indicates that Apple is working on a patch.

July 3, 2009 IDG news service releases a retraction about Apple working on a patch. Confirmation from Apple was not available.

July 5, 2009 CVE is created (CVE-2009-2315) (Bugtraq ID 35569), as placeholder for July 3 Charlie Miller story.

July 28, 2009 Forbes publishes How To Hijack ‘Every iPhone In The World’ announcing upcoming demonstration of SMS vulverability at Black Hat in Las Vegas.

July 30, 2009 Charlie Wilson and Collin Mulliner demonstrate the SMS vulnerability at Black Hat in Las Vegas.

July 31, 2009 Apple issues security bulletin HT3754 titled About the security content of iPhone OS 3.0.1 (last updated July 31, 2009) announcing the availability of OS 3.0.1, fixing an SMS message vulnerability described in CVE-2009-2204 (the June 24 CVE), crediting Charlie Miller of Independent Security Evaluators and Collin Mulliner of Technical University Berlin. The security bulletin reiterates Apple’s policy about vulnerabilities:

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

The iPhone OS 3.0.1 update is available through iTunes.

Apple spokesperson Tom Neumayr announces they have made a security patch available less than 24 hours after a demonstration of this exploit. New York Times, Yahoo News, Gizmodo

We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what’s been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.

The Apple mailing list announces the availability of OS 3.0.1.

APPLE-SA-2009-07-31-1 iPhone OS 3.0.1

iPhone OS 3.0.1 is now available and addresses the following:

CoreTelephony
CVE-ID: CVE-2009-2204
Available for: iPhone OS 1.0 through iPhone OS 3.0
Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution
Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in your computer’s Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from http://www.apple.com/itunes/

iTunes will automatically check Apple’s update server on its weekly schedule. When an update is detected, it will download it. When the iPhone is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting “don’t install” will present the option the next time you connect your iPhone.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the “Check for Update” button within iTunes. After doing this, the update can be applied when your iPhone is docked to your computer.

To check that the iPhone has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be “3.0.1 (7A400)” or later

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

August 4, 2009 CVE is updated (CVE-2009-2204), adding details previously available under CVE-2009-2315 and details from Apple.

August 13, 2009 Just back from Defcon, PaulDotCom Security Weekly reported that Charlie Miller had been unable to exploit this vulnerability in a useful way. AT&T appears to throttle SMS traffic. Useful exploit of the SMS vulnerability requires many SMS messages. By removing AT&T from the testing scenario, by using his own phone to attack his own phone, he could demonstrate the vulnerability.

Was Mr. Miller reporting that a high volume of SMS messages denies SMS traffic to all users of that cell tower?

Procedural issues surrounding the SMS vulnerability and its mitigation

The current mitigation plan builds in a delay of at least one week after the fix becomes available to be reach full deployment.

Were AT&T, O2 and other carriers notified? Were AT&T. O2 and other vendors prepared to filter malicious SMS messages if a security fix was not available before the exploit was in wide use?

Were anti-virus vendors notified? Did they receive a sample of a maliciously crafted SMS message? Have anti-virus vendors distributed detection of these malformed SMS messages?

Notes

Tom Neumayr’s remarks are accurate:

1. The vulnerability had been demonstrated the day before. He did not claim that a fix was made available within 24 hours of the first demonstration, only that a demonstration had occurred 24 hours before the fix was made available.
2. Reports that an iPhone had been controlled or personal information had been disclosed using this exploit (“pwned”) were inaccurate. Reports that this had occurred were misinterpretations of the researchers. Apple confirms that this is a potential consequence of leaving the vulnerability unmitigated, but there were no known successful attacks that controlled the iPhone or disclosed personal information.