
Swedish developer discovers security hole in iPhone

76 points | orjan | 12 years ago | translate.google.com

34 comments

[+] orjan|12 years ago|reply
Google Translate didn't do a good job, so I cleaned up the translation a bit:

A Swedish programmer has discovered a serious security hole in the iPhone. TechWorld's news editor gets his phone hacked - and cannot do anything about it.

A few days ago, TechWorld was contacted by the developer Roman Digerberg, who said he'd found serious security holes in iOS. Among other things, he asserted that it was possible to send an anonymous text message that appears on the lock screen, even when this is set to not display messages.

He also said that it was possible to manipulate the number that denotes the number of voice mail messages, or to just put a red dot in place of the indicator, which the user cannot remove. When TechWorld talks to him, he tells us more:

How did you discover this? - It was by pure chance. I wrote a program in C# for my GPS tracker, which would facilitate the programming of it. By mistake I sent the text message to my iPhone which then began to beep and display strange messages on screen. Soon, I realized that I had created a monster.

What did you do? - I have been in contact with Apple, both via email and phone, but they seem totally uninterested in this. I've been thinking about making the source available online. People will start doing harakiri with each other's phones, but why should you care about it when not even Apple does?

He also reports that he has received offers from several companies that want to buy the software to use it for advertising, since it is next to impossible to ignore the messages that pop up on the screen.

He offers to demonstrate how it works and TechWorld's news editor gives him his phone number. Soon, things start to happen in his phone:

[image]

Apparently there were lots of people who tried to call in the last minute. However, the voicemail does not have any new messages.

[image]

But it still says that there were 250 missed calls. And it will not disappear, no matter what we do.

Roman Digerberg calls us to check that it worked. During our conversation, he sends another message:

[image]

Indeed a very good call. But maybe not so fun when ad companies get the technology, starting with mass mailings that cannot be ignored or turned off.

After taking screenshots, he removes everything in seconds.

- You cannot remove it, only I can remove it, he explains.

He is also sending over examples of much nastier things he can do:

[image]

So what should we make of this? An extra important call that was missed?

Or this, which has great potential to cause heart attacks:

[image]

He explains, without going further into technical details, that it's about manipulating classes in the message structure. Other than sending messages that cannot be avoided and manipulating figures for the number of messages, he says that he also managed to lock a phone altogether and that a restart was required to get it working again.

- Some think that I should start a paid service where you can anonymously send different types of messages. You can imagine what chaos there would be if people sit and send unwanted and unavoidable messages to each other and make changes in each other's phones. That said, I realize that this is a monster, says Roman Digerberg.

[+] lutorm|12 years ago|reply
Hehe, yeah. I thought "Novel The Black Mountains" was some sort of internet handle, until I realized that Google had translated his proper name.
[+] moccajoghurt|12 years ago|reply
Holy fuck I didn't realize it was translated up until now. As a non-native speaker that's not a thing to be proud of I guess.

I should read more carefully. Thank you.

[+] vvvVVVvvv|12 years ago|reply
Thanks for the proper translation.

Any chance you translate the message in the last picture?

[+] patrickas|12 years ago|reply
It seems to me he is just manipulating the DCS of the SMS being sent. This is standard behavior according to the GSM SMS specs.

http://www.etsi.org/deliver/etsi_gts/03/0338/05.00.00_60/gsm...

From section 4, "SMS Data Coding Scheme" can be used to control "Voicemail Message Waiting" among other indicators and to send messages of "Class 0", which instruct that the phone shall "display the message immediately and send an acknowledgement to the SC when the message has successfully reached the MS irrespective of whether there is memory available in the SIM or ME."

Admittedly it has been over a decade since I last played with sending such messages to phones, but it did seem to me like a bug in the spec, giving too much control to anyone with access to an sms-c (or any other means to change the DCS field). Back then all phones I tested had implemented the spec as described.
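As an added illustration of the point above (not code from the thread or from the linked spec), here is a decoder for the single TP-DCS octet laid out in GSM 03.38 / 3GPP TS 23.038 section 4. It identifies the two DCS features the comment names, class 0 ("flash") messages and the Message Waiting Indication groups, so a receiving side can log or review them rather than act on them blindly. The group layout follows TS 23.038; the sample octets are constructed.

```python
"""Decode an SMS TP-DCS octet (GSM 03.38 / 3GPP TS 23.038 section 4).

Added example: classifies the DCS byte so a receiver-side filter can flag
class 0 ("flash") messages and Message Waiting Indication (MWI) settings.
"""
from dataclasses import dataclass
from typing import Optional

ALPHABETS = {0: "GSM 7-bit", 1: "8-bit data", 2: "UCS2", 3: "reserved"}
MWI_TYPES = {0: "voicemail", 1: "fax", 2: "electronic mail", 3: "other"}
MWI_GROUPS = {0xC: "MWI discard", 0xD: "MWI store (7-bit)", 0xE: "MWI store (UCS2)"}


@dataclass
class DcsInfo:
    group: str                   # coding group name
    alphabet: Optional[str]      # character set, if the group defines one
    msg_class: Optional[int]     # 0..3 when a class is signalled, else None
    flash: bool                  # class 0: display immediately, do not store
    mwi_type: Optional[str]      # indicator type when the group is MWI
    mwi_active: Optional[bool]   # True = set indicator, False = clear it


def decode_dcs(dcs: int) -> DcsInfo:
    if not 0 <= dcs <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    hi, lo = dcs >> 4, dcs & 0x0F
    if hi <= 0x3:                         # 00xx: general data coding indication
        has_class = bool(dcs & 0x10)      # bit 4: bits 1..0 carry a message class
        cls = dcs & 0x03 if has_class else None
        return DcsInfo("general", ALPHABETS[(dcs >> 2) & 0x03], cls,
                       cls == 0, None, None)
    if hi in MWI_GROUPS:                  # 1100..1110: message waiting indication
        alphabet = "UCS2" if hi == 0xE else "GSM 7-bit"
        return DcsInfo(MWI_GROUPS[hi], alphabet, None, False,
                       MWI_TYPES[lo & 0x03], bool(lo & 0x08))   # bit 3: sense
    if hi == 0xF:                         # 1111: data coding / message class
        cls = lo & 0x03
        alphabet = ALPHABETS[1] if lo & 0x04 else ALPHABETS[0]  # bit 2: 8-bit?
        return DcsInfo("class", alphabet, cls, cls == 0, None, None)
    return DcsInfo("reserved", None, None, False, None, None)   # 0100..1011


def needs_review(dcs: int) -> bool:
    """Receiver-side policy hook: flag flash messages and any MWI change."""
    info = decode_dcs(dcs)
    return info.flash or info.mwi_type is not None
```

A carrier-side gateway or a handset's SMS layer could apply the same check before honouring the indicator, which is the filtering im3w1l asks about further down the thread.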

[+] orjan|12 years ago|reply
Interesting. Then that would mean that not only iPhone will be affected by this. Would be nice to see the code.
[+] robinduckett|12 years ago|reply
Isn't this just SMS "Flash" messages? That's how I was told the voicemail count worked when the iPhone came out on O2 in the UK all those years ago.

http://en.wikipedia.org/wiki/Short_Message_Service#Flash_SMS

[+] brunnsbe|12 years ago|reply
I don't think it's just Flash-messages, or it could be based on Flash-messages containing faulty data. He gets the phone tricked to show that there is 250 missing calls on both lock screen and in the home screen (does the voice mail sms use flash?). Certain types of messages also lock the whole phone so that it has to be rebooted.
[+] 0x0|12 years ago|reply
Certainly looks like it, when you compare against the screenshots that appear on a google image search for ios sms flash.

I guess this is a "feature", then.

[+] im3w1l|12 years ago|reply
So er, I assume the way an SMS works is basically User A -> Carrier A -> Carrier B -> User B.

Now, it makes sense that Carrier B sends control messages to User B (although a phone crashing message sounds bad, phone should reject). But, why would Carrier B forward control messages from Carrier A? Carrier A has no business messing with User B's unread message count etc. Why not drop those control messages?

[+] jbrooksuk|12 years ago|reply
I thought Flash messages had been disabled and that you had to jailbreak to use them again?
[+] Fasebook|12 years ago|reply
No, this appears to be part of Apple's proprietary messaging protocol, apsd.
[+] x0054|12 years ago|reply
If Apple does not care about this vulnerability, sell it to the black hat community, let them spam with it. 500 visits a day to the Genius Bar per store will get this issue fixed in a hurry.
[+] orjan|12 years ago|reply
It appears he is sending a specially formatted SMS message that the iPhone doesn't handle correctly.
[+] JetSpiegel|12 years ago|reply
I blame the baseband processor.

That thing is evil!

[+] sergiotapia|12 years ago|reply
Why risk legal trouble? Just sell it to black hat organizations and make tons of money with zero repercussions from outdated laws.

In this case I'm not sure those hacking laws apply, but who knows with these legislators. Anyone familiar with Swedish law in this area?

[+] eli|12 years ago|reply
1) I don't think you're right about that and 2) some people would find selling exploits to criminals to be amoral even if it were legal.
[+] Kiro|12 years ago|reply
OT but I love how his name is translated. Novel The Black Mountains.
[+] robinduckett|12 years ago|reply
Google Translate seems to think Roman Digerberg translates to: "Digestion novel Berg"
[+] MrZongle2|12 years ago|reply
It reads like something generated in Dwarf Fortress.
[+] chrisBob|12 years ago|reply
The important thing that is missing is if this is an iPhone only issue.
[+] badman_ting|12 years ago|reply
I'm not sure I agree on the severity, but of course Apple is being dumb by simply not communicating with the guy about it. Jeez.
[+] chrisBob|12 years ago|reply
He says he has talked with Apple via both email and phone.