Apple Fixes iPhone SMS Vulnerability

Moving to close a hole revealed at the Black Hat security conference on Thursday, Apple has released iPhone OS 3.0.1.
Apple on Friday patched a vulnerability in its iPhone that offered cybercriminals a way to steal data or hijack the device using a specially-crafted SMS message.

The company released iPhone OS 3.0.1 specifically to address the vulnerability, which was disclosed at the Black Hat security conference in Las Vegas on Thursday.

The update can be downloaded through iTunes.

As per responsible disclosure practices, Charlie Miller and Collin Mulliner, the security researchers who found the flaw, notified Apple of the problem in advance so the company would have time to prepare a patch.

The pair also identified a vulnerability affecting Android phones. Google said that it fixed the issue prior to the Black Hat presentation.

A poll of 94 security professionals at the Black Hat conference, conducted by security vendor nCircle, has found that more than half of respondents (56%) believe that Apple's iPhone will be the mobile phone that is most vulnerable to attack for the remainder of 2009.

For other phone platforms, speculation about future vulnerability broke down as follows: Android (14%), Blackberry (8%), Nokia OS (5%), Other (15%).

"Unfortunately, it looks like the security problems with iPhone will continue to grow until Apple makes security a higher priority," said Andrew Storms, director of information technology at nCircle, in a statement. "If there is a silver lining for iPhone users, it's that all of the security research attention it is getting could eventually turn the iPhone into one of the most secure mobile platforms."

In a statement issued to The Wall Street Journal, Apple downplayed the danger of the SMS vulnerability by noting that no one had actually lost any personal information through the exploitation of the vulnerability.

That's not entirely surprising given that the vulnerability has only been publicly known for a day, but it does underscore the fact that active exploitation of mobile phone vulnerabilities is currently a far less significant risk than that posed by PC-based malware.

Registration is now open for the leading enterprise communications event, VoiceCon. It happens in San Francisco, Nov. 2-5. Find out more and register.