Tag Archives | Apple iPhone

Your GSM Phone is (Probably) Vulnerable to Malicious Text Messages

Virtually all GSM phones (such as Apple’s iPhone) and GSM wireless operators (such as AT&T and T-Mobile) on the planet appear to be vulnerable to attacks using specially crafted SMS text messages discovered by security researchers Zane Lackey and Luis Miras. At the Black Hat Briefings this morning, the two researchers demonstrated several different ways they could bypass anti-spoofing protection in cellphones, and as a result, could send phones hidden commands, profile phones, or even exploit vulnerabilities that remotely disable a targeted phone’s ability to send and receive calls or text messages.

The researchers described how they set up test systems which could read the header data sent along with text messages, then used software to craft their own custom headers and messages and sent those messages to various types of GSM phones. Based on the behavior of the phones they tested, they were able to create several kinds of automated attacks for various phone models, and determined a method an attacker could use to silently connect to mobile phones and retrieve information that permits the attacker to identify the make and model of phone, and other profiling information.

One aspect of the vulnerability not well understood is how different models of phones will behave when they receive these specially-crafted messages. Some, like the Sony Ericsson model shown at right, provide the user no context as to whether information pushed down to the phone comes from a legitimate source.

In a final coup for the conference, Lackey and Miras demonstrated an iPhone app they call TAFT which can, at the click of a few buttons, transmit various types of attacks against specific, vulnerable phone models, including iPhones, and phones running the Windows Mobile 5 and pre-“cupcake” Android operating systems.

The researchers are currently working with all major carriers and phone manufacturers to fix the problems, but warn that it may take some time before the vulnerabilities have been patched.


iPhone SMS Vulnerability: Should You be Scared?

Run for the hills! That’s the message iPhone owners are receiving after multiple reports say security researchers will tomorrow unveil an iPhone vulnerability that could allow the popular device to be taken over via a simple SMS (or text) message.

The bug, discovered by iPhone hacker Charlie Miller, will be outlined during a presentation at the Black Hat security conference in Las Vegas on Thursday. Miller’s presentation will supposedly show, as Forbes’ headline screams, “How To Hijack ‘Every iPhone In The World’”. To do so, attackers only need to send a series of specially-formatted SMS messages to an iPhone in order to take over functions such as dialing and turning on the camera and microphone, as well as spreading the attack via an affected iPhone’s contact list.

Apple, which Miller notified about the bug six weeks ago, has not commented on the vulnerability and as of this writing has not released a patch for the problem. What can iPhone owners do in the meantime? Miller tells Forbes that about the only thing that will surely protect the device is to turn it off.

Miller’s talk isn’t the only one centered around SMS vulnerabilities. Other talks will show a somewhat similar flaw in Windows Mobile that would allow for complete control of a device to be achieved through an SMS hack. A third Black Hat talk will center around how an SMS flaw that affects both iPhone and Google Android devices could be used to knock impacted phones off a carrier network for upwards of ten seconds via a blast of SMS messages.

Should you be scared of these newest flaws and really turn off your iPhone in anticipation of an attack? I don’t think so. The SMS attack vector is not all that new. This past spring, CSO Online did a video demonstration of such an attack against various smart phones (see parts one and two of the video).

While the various Black Hat presentations this week will show SMS as being a newer vector for attacking popular smartphone platforms, the odds are still relatively low that any one device will be hit. Most likely (or hopefully), device makers like Apple and carriers will come up with a patch for the SMS flaws well before any mainstream attacks occur. You have a greater chance of being bitten by a Twitter-based hack than an SMS attack.


What if…Microsoft Had a Windows App Store?

I continue to think of my iPhone not as a phone but as a personal computer. Which is why I continue to be so nonplussed about Apple’s barring of some applications on the grounds that they compete with its own apps, and others at (reportedly) the behest of AT&T. The moves may well serve Apple’s short-term goals. Long term, though, I think they’ll make the iPhone a weaker, less useful platform. That’s not in the interest of iPhone owners, Apple, AT&T, or (come to think of it) anyone except Apple’s competitors.

All of which got me wondering: What if an Apple-like App Store had been the only sanctioned way to acquire software for other major computing platforms? Like, for instance, Microsoft Windows? And what if, in this alternative universe, Microsoft’s policies and actions had mirrored those of Apple today?

It would have changed everything–and not for the better. After the jump, a speculative FAQ about the Windows App Store.


Hey, iPhone, Are You a Computer or a Phone?

What a revoltin’ development this is. As my colleague Jason Meserve has written, TechCrunch is reporting that Apple has rejected Google’s Google Voice app for the iPhone, as well as a couple of unofficial Google Voice apps which Apple says duplicate standard iPhone features. The logical assumption is that Apple did so because AT&T is nonplussed about Google providing phone services. But as Daring Fireball’s John Gruber says, maybe Apple just sees Google as an Apple rival who it doesn’t want leveraging the iPhone platform.

In either case, one thing’s clear: These apps aren’t being kept out of the App Store in the interest of iPhone owners. Apple’s monopoly on app distribution means that iPhone owners who haven’t unlocked their phones simply don’t have control over their devices.

In most respects that matter, the iPhone is by far the best mobile platform that has ever existed. I keep telling people that it proves that it’s not going to be very long until we think of a Personal Computer as something we carry in our pockets, and even laptops begin to look like antiques. But an iPhone that’s deprived of apps that Apple and/or carriers dislike for competitive reasons isn’t really a PC. It’s just a phone that offers a heck of a lot of applications. And the App Store, like the crummy, self-serving download stores that carriers have put on phones, is a walled garden–just a really big walled garden.

For thirty years, PC owners have had the final call on what software they used. That’s why many people run Apple software on Microsoft operating systems and Microsoft software on Apple operating systems. It’s why people get to run Firefox and Chrome on Windows, even though they duplicate features in Internet Explorer. If it hadn’t been this way for decades, the growth of the Windows and Mac platforms would have been horribly stunted, and the computers we use today would be a lot less useful and interesting. And if Apple maintains these policies moving forward, the iPhone platform will be horribly stunted, and iPhones will be a lot less useful and interesting than they might have been.

I keep coming back to what Steve Jobs told us at the Apple event that introduced the App Store last year:

Jobs said that Apple wouldn’t distribute porn or malicious apps or privacy-invading apps, and said that Apple’s interests and those of third-party developers were the same. The slide also mentioned “Bandwidth hogs,” which apparently meant stuff like SlingPlayer, and “Unforeseen,” which I assumed at the time referred to other applications that put iPhone owners at risk in one way or another. What he didn’t do is say that Apple would reject software that competed with Apple or AT&T offerings.

I’m looking on the bright side: Apple’s approval process is capricious enough that it’s entirely possible it’ll change its mind and permit Google Voice apps on the App Store at some point. A couple of months ago, the company approved the excellent e-reader Eucalyptus shortly after rejecting it. Doesn’t that establish a precedent for quiet undoing of bad decisions?


No Google Voice Apps for the iPhone

Google Voice aficionados–of which there are more by the day–were excited to see mobile apps for the service launch for Android and BlackBerry devices. The general consensus: A similar iPhone app must be right around the corner. Not so fast.

The unofficial GV Mobile app written by Sean Kovac has been rejected by Apple or, more likely, AT&T, according to Mashable and Kovac. GV Mobile lets Google Voice account holders dial numbers through the address book or keypad, send SMS messages, retrieve call history data and take calls on a different phone–all functions the Google Voice web site offers. Google too had its official Voice application rejected by Apple, according to TechCrunch.

The problem with Kovac’s app, Apple says, is that this duplicates functionality of the iPhone and therefore is not needed. “Richard Chipman from Apple just called–he told me they’re removing GV Mobile from the App Store due to it duplicating features that the iPhone comes with (Dialer, SMS, etc). He didn’t actually specify which features, although I assume the whole app in general,” Kovac wrote on his blog.


The Apple Tablet: Some Possibly Answered Questions

About the only thing we know for sure about Apple’s allegedly upcoming tablet computer is that there’s definitely misinformation floating around at the moment. Last week, AppleInsider was exceptionally confident that Apple will be shipping its long-awaited tablet computer in the first quarter of next year. This week the Financial Times (in a story co-reported by my very old friend Joe Menn) is confirming that the tablet is due in September of this year. Unless we’re talking two different tablets here, somebody is wrong. (Or everybody–no Apple product is a sure thing until somebody brandishes it onstage at an Apple event.)

Still, chances seem very good that Apple is indeed working on a tablet device, and I’m going to assume for the moment that the FT has it right and the tablet will be here in a few weeks. (In part because venerable and traditional media outlets have a better track record of being right when they declare something to be true, and in part because I’m tired of waiting.)

So I’m choosing this moment to publish what I’m calling a PAQ on the tablet. That stands for Possibly Answered Questions–there are no real answers in this story, just me trying to piece together rumors and semi-educated guesses into something that sounds logical. I’ll try to remember to go back and fact-check all this stuff if and when Apple releases a tablet, but I wouldn’t be the least bit surprised if I get much or most of this wrong.


Finding Sexual Predators? There’s an App for That.

For ninety-nine cents, iPhone users can download an app called Offender Locator to locate sexual offenders in their vicinity. You might be surprised what you learn, even if you’re not personally worried about sex offenders at the moment.

Offender Locator was reviewed on TechCrunch today. The app has become one of the top ten paid offerings in the iPhone store despite the fact that the same information has already been available on the Web for some time.

Offender Locator leverages the iPhone’s built-in GPS to locate local U.S. sex offenders, or alternatively, users can input an address manually. I installed it out of curiosity about how many offenders were listed around me in Manhattan. The GPS function did not work, so I entered in my mother’s address.

Lo and behold, the first result was someone that I knew. It was a neighborhood man who used to idle his car and chat with me at the corner while I waited for the bus to come and take me to my junior high (I had seen him around while I was jogging after school). My mother always told me not to take him up on his offer to “learn how to play pool” at his house, and her instincts were prescient.

With this app, she could have validated her concern, and alerted other neighbors about the man’s unusually attentive behavior toward a minor.

My take is that making it easier for a parent or guardian to access information that can protect a child is a good thing–even if a nominal fee is included. It is worth noting that selling people’s personal information can run afoul of some state laws.


Google Latitude on the iPhone: Impressive! Not Confusing!

Google’s Latitude–which lets you use your phone to share your location with friends–has finally debuted on the iPhone, months after it showed up for Android, BlackBerry, and Windows Mobile. On the iPhone, it’s a Safari-based Web app rather than an iPhone app. But it’s apparently only a Web app because Apple was unhappy with the native app that Google developed. “We worked closely with Apple to bring Latitude to the iPhone in a way Apple thought would be best for iPhone users,” says the Google blog post announcing the iPhone version. “After we developed a Latitude application for the iPhone, Apple requested we release Latitude as a web application in order to avoid confusion with Maps on the iPhone, which uses Google to serve maps tiles.”

Of course, this is the iPhone we’re talking about, so Apple’s requests aren’t really requests; if it had a problem with the native version of Latitude, it would presumably never see the light of day in the App Store. I’m not entirely clear on why Apple believed that Latitude would confuse iPhone owners, since Apple not only permits other mapping-related apps to be distributed on the App Store but encourages their creation by helping developers embed maps in their wares. And Latitude’s functionality is almost completely unrelated to what you get in Apple’s Maps app.

Also, iPhone owners aren’t dummies, and at least some of us would rather risk the possibility of being confused in return for the possibility of being pleased by a useful new app.

That said, the Web-based version of Latitude is impressive stuff. Google builds some of the best iPhone Web apps there are–like its iPhone-ized version of Gmail–and it’s hard to imagine that a native iPhone version would be much better than what it’s done in Safari. Latitude for the iPhone has one fundamental limitation that the other versions don’t: It can’t broadcast your location to your buddies unless you’re running the app. But it would have to deal with that even if it were a native iPhone application, since Apple doesn’t permit third-party software to run in the background. (If the company doesn’t loosen up the multitasking limitations, maybe it can add some sort of ability for a GPS-related app to continue to send your location even when it’s not running, akin to the Push Notifications the iPhone already has.)

In the long run, apps like Latitude and Glympse might end up being features in a program like the iPhone’s Maps, not standalone software. For now, though, I want them to flourish–and I’m sorry that Apple thinks they’d befuddle us, and that its monopoly on distribution of iPhone apps means its gut check on such matters is gospel.


That iPhone Worker Suicide Story

Apple has confirmed that an employee of its Chinese manufacturing partner Foxconn committed suicide last week. Various online reports say that the staffer, Sun Danyong, was responsible for iPhone prototypes and took his own life after one disappeared. And some stories are saying that Foxconn’s security department may have harshly interrogated or beaten him.

It’s hard to know what to make of this without definitive facts on what happened–the fact that it happened so far away, and that some of the coverage is in another language, doesn’t help clarify things. One story quotes a Foxconn spokesperson as saying “regardless of the reason of Sun’s suicide, it is to some extent a reflection of Foxconn’s internal management deficiencies.” That’s either a misquote or an example of amazing honesty that you’d never hear from an American PR person. But Daring Fireball’s John Gruber is right: Apple needs to find out what happened, and needs to be prepared to fire Foxconn if it’s enforcing Apple-related security by assaulting its own employees.


Navigon Navigation Comes to the iPhone

One by one, the big names in GPS navigation are landing on the iPhone, thanks to iPhone OS 3.0’s support for turn-by-turn directions. Last month, AT&T released a navigation service powered by TeleNav. And today, Germany’s Navigon announced that the North America version of its MobileNavigator is available on Apple’s App Store.

AT&T’s Navigator costs $10 a month and downloads maps as needed; MobileNavigator is selling for a flat cost of $99.99 ($69.99 until August 15th) and comes with a full set of maps. I haven’t tried it yet, but the idea of paying once for unlimited use is mighty appealing.

TomTom’s iPhone app is the most eagerly-anticipated GPS system for the iPhone–in part because it’s the one that was demonstrated at Apple’s WWDC keynote–and you might want to wait until it’s available before you plunk down your money for any GPS software. But one way or another, I’ll bet that lots of iPhone owners end up letting their phones tell them how to drive.
