The InformationWeek -- Blogs

David Berlind's Tech Radar


BlackHat Bombshell #2: iPhones And Other "GSM" Phones Open To SMS Hack


Posted by David Berlind, Jul 30, 2009 02:37 PM

With one bombshell already having been dropped at the BlackHat Conference (that most implementations of SSL are configured to give up everything including logins, credit cards, etc.), researchers dropped another one today when they demonstrated how the SMS infrastructures of GSM-flavored operators such as AT&T and T-Mobile are hackable to the point that cell phones can be hacked and their users can be tricked into divulging confidential information.


By the time you read this, there will probably be some videos of the hacks posted to YouTube. But the net net is that there are different SMS message types: some for delivering the text messages that people send to and from their cell phones every day, and others for provisioning cell phones with over-the-air software updates.

Here at the BlackHat conference, researchers Luis Miras and Zane Lackey first demonstrated how they were able to send an SMS message to an iPhone that appears to come from 611 (see screenshot below). In other words, it bypasses the anti-spoofing technology run by the GSM carrier. The problem with sending messages from 611 is that many people think of 611 as a trusted number that represents the cell phone company that provisions their phone. In their demonstration, they sent a message from one iPhone to another that appears to come from the 611 number and that asks people to log in to a Web site and enter sensitive information.

Screenshots of SMS Hack From Blackhat


The second hack they showed is how they could use the SMS infrastructure to prompt a cell phone user (in this case, a Sony Ericsson phone user) to install an over-the-air (OTA) software update. The user is presented with the choice to accept or refuse the OTA update. Given how many people would automatically accept the update, you can imagine the damage that would be done once hackers essentially "owned" your phone.

Of even more significance to me is how these attacks can be launched from nothing more than another cell phone.

Here at Blackhat, heads shook and jaws hung open as Miras and Lackey showed a video of their hack. They were not specific about which carrier's SMS infrastructure they hacked and refused to answer when asked. iPhones can be unlocked, so it could have been AT&T or T-Mobile. Verizon and Sprint, both of which are not GSM-based carriers, are not susceptible to the hack. When asked if they had reached out to AT&T and T-Mobile, the pair of researchers said they were working with the GSM Alliance, which in turn was working with all GSM carriers. In my interview of them, they said they had not yet tried their hack on any European-based carriers.

David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at dberlind@techweb.com and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing and his hope that the stock market can't get much worse. Also, if you're an out-of-work IT professional or someone involved in the business of compliance, he wants to hear from you.

Twitter: (@dberlind)
My Facebook Page
Flickr (davidberlind)
YouTube (TechWebTV)
FriendFeed (davidberlind)
Del.icio.us (dberlind )
Me on LinkedIn
Plaxo (davidberlind)
Disqus (DavidBerlind)
Google Profile (David.Berlind)
