Apple Fixes iPhone SMS Vulnerability

Moving to close a hole revealed at the Black Hat security conference on Thursday, Apple has released iPhone OS 3.0.1.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 31, 2009

2 Min Read

Apple on Friday patched a vulnerability in its iPhone that offered cybercriminals a way to steal data or hijack the device using a specially-crafted SMS message.

The company released iPhone OS 3.0.1 specifically to address the vulnerability, which was disclosed at the Black Hat security conference in Las Vegas on Thursday.

The update can be downloaded through iTunes.

As per responsible disclosure practices, Charlie Miller and Collin Mulliner, the security researchers who found the flaw, notified Apple of the problem in advance so the company would have time to prepare a patch.

The pair also identified a vulnerability affecting Android phones. Google said that it fixed the issue prior to the Black Hat presentation.

A poll of 94 security professionals at the Black Hat conference, conducted by security vendor nCircle, has found that more than half of respondents (56%) believe that Apple's iPhone will be the mobile phone that is most vulnerable to attack for the remainder of 2009.

For other phone platforms, speculation about future vulnerability broke down as follows: Android (14%), Blackberry (8%), Nokia OS (5%), Other (15%).

"Unfortunately, it looks like the security problems with iPhone will continue to grow until Apple makes security a higher priority," said Andrew Storms, director of information technology at nCircle, in a statement. "If there is a silver lining for iPhone users, it's that all of the security research attention it is getting could eventually turn the iPhone into one of the most secure mobile platforms."

In a statement issued to The Wall Street Journal, Apple downplayed the danger of the SMS vulnerability by noting that no one had actually lost any personal information through the exploitation of the vulnerability.

That's not entirely surprising given that the vulnerability has only been publicly known for a day, but it does underscore the fact that active exploitation of mobile phone vulnerabilities is currently a far less significant risk than that posed by PC-based malware.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights