If you receive an iPhone text message with a "single square
character," be afraid. Be very afraid. It's could be hackers using a
iewly discovered iPhone SMS bug to infiltrate your precious phone.
According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
and told Apple about it six weeks ago. The company has not issued a
fix, so Miller will pressure Apple by showing exactly how to hijack
the iPhone at a cybersecurity conference on Thursday." Miller warned
yesterday, "Someone could pretty quickly take over every iPhone in
the world with this." IntoMobile explains how it works: "Using the
exploit, hackers could send a succession of SMS text messages to an
iPhone, allowing them to gain complete control of the handset.
Hackers can then commandeer the iPhone to send similar text message
strings to other iPhones, spreading like wildfire." If you get this
square-character message, there's not much you can do other than turn
your phone off.
Re: NEWS: SMS Bug In Your iPhone Could Prove Disastrous
John Navas <spamfilter1@navasgroup.com> wrote in
news:h1k375lmaemunaamobvdk13sftqgb7moag@4ax.com:
> <http://sfist.com/2009/07/30/sms_text_bug_in_your_iphone.php>
>
> If you receive an iPhone text message with a "single square
> character," be afraid. Be very afraid. It's could be hackers using a
> iewly discovered iPhone SMS bug to infiltrate your precious phone.
> According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
> and told Apple about it six weeks ago. The company has not issued a
> fix, so Miller will pressure Apple by showing exactly how to hijack
> the iPhone at a cybersecurity conference on Thursday." Miller warned
> yesterday, "Someone could pretty quickly take over every iPhone in
> the world with this." IntoMobile explains how it works: "Using the
> exploit, hackers could send a succession of SMS text messages to an
> iPhone, allowing them to gain complete control of the handset.
> Hackers can then commandeer the iPhone to send similar text message
> strings to other iPhones, spreading like wildfire." If you get this
> square-character message, there's not much you can do other than turn
> your phone off.
>
That's not possible! All the fanbois told me there isn't any Apple viruses
in any product. They're perfect!
--
Larry
http://flightaware.com/analysis/allflights_movie.rvt
Each tiny red dot is an airliner in this Quicktime movie, ONE recent day of
air travel in the USA. What would happen if "they" found out this was the
real source of air pollution or cancer or why all the bugs around my
streetlight have disappeared? Would "they" tell us? Would "they" STOP
IT?!
"John Navas" <spamfilter1@navasgroup.com> wrote in message
news:h1k375lmaemunaamobvdk13sftqgb7moag@4ax.com...
> <http://sfist.com/2009/07/30/sms_text_bug_in_your_iphone.php>
>
> If you receive an iPhone text message with a "single square
> character," be afraid. Be very afraid. It's could be hackers using a
> iewly discovered iPhone SMS bug to infiltrate your precious phone.
> According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
> and told Apple about it six weeks ago. The company has not issued a
> fix, so Miller will pressure Apple by showing exactly how to hijack
> the iPhone at a cybersecurity conference on Thursday." Miller warned
> yesterday, "Someone could pretty quickly take over every iPhone in
> the world with this." IntoMobile explains how it works: "Using the
> exploit, hackers could send a succession of SMS text messages to an
> iPhone, allowing them to gain complete control of the handset.
> Hackers can then commandeer the iPhone to send similar text message
> strings to other iPhones, spreading like wildfire." If you get this
> square-character message, there's not much you can do other than turn
> your phone off.
Sounds like a load of horses--t to me. I don't doubt certain exploits are
possible, but probably not as easy as a local "Eyewitless News" team has
made it sound.
Just curious as to how an iPhone would then "send similar text message
strings to other iPhones"? Are iPhones part of a sci-fi-like mass
collective intelligenge aware of all other iPhones around them? Do they
carry a secret internal database of all other iPhones sold and the phone
numbers assigned to them?
The ZDNet version of the story seems to indicate this theoretical hack would
allow the SMS to silently direct the phone to open the browser and download
malicious software from a preset website. I'm curious (and certainly no
expert on iPhone architecture) as to how much "damage" this could do, given
the iPhone's draconian restrictions on running code vs. other phones. How
malicious a "web-app" can one create? From my understanding they can't
access much user data in any significant way, other than maybe reading your
contacts. Sure, I suppose you could create an SMS-sending "bot" out of the
phone which would text everyone you know, or perhaps random numbers. This
would be an inconvenience, and potentially expensive if you don't have a
texting plan- at least until you rebooted, but it's not like a web-app could
install itself and "autorun" again after the phone was rebooted.
This has all the earmarks of a "World Ends at 10, Details at 11!" TV news
shock-story.
In message <OMkcm.36967$E61.16219@newsfe09.iad> "Todd Allcock"
<elecconnec@AnoOspamL.com> was claimed to have wrote:
>Sounds like a load of horses--t to me. I don't doubt certain exploits are
>possible, but probably not as easy as a local "Eyewitless News" team has
>made it sound.
>
>Just curious as to how an iPhone would then "send similar text message
>strings to other iPhones"? Are iPhones part of a sci-fi-like mass
>collective intelligenge aware of all other iPhones around them? Do they
>carry a secret internal database of all other iPhones sold and the phone
>numbers assigned to them?
If you were designing a worm to spread automatically via SMS, wouldn't
you do it this way?
Sure, you'd send a bunch of text messages to non-iPhones, but only
sending messages to phone numbers known to be assigned to authorized
iPhone carriers would limit the amount of junk text messages that would
need to be sent.
On the flip side, the sheer flood of junk SMSes would probably cripple
AT&T's SMS capabilities network-wide, limiting the spread of said virus.
>The ZDNet version of the story seems to indicate this theoretical hack would
>allow the SMS to silently direct the phone to open the browser and download
>malicious software from a preset website.
That's not quite what would happen -- Rather, the malicious code would
probably do it in the background, Safari wouldn't even need to get
loaded.
At least from what I've read it sounds like the iPhone happily assembles
messages of arbitrary length, so the initial payload could be enough to
get online and pull further code/instructions in the background.
However, all of that being said, there is little need to do anything
silently, all you'd need is to point the browser to a compromised
website, there are also known Safari exploits available, so the
transmission by SMS may simply be to force users to visit said websites.
>I'm curious (and certainly no
>expert on iPhone architecture) as to how much "damage" this could do, given
>the iPhone's draconian restrictions on running code vs. other phones.
You've heard of jailbreaking? The app likely jailbreaks enough to meet
it's own needs (this would not include installing typical JB tools or be
remotely similar to what a consumer jailbreak looks like, it would just
weasel in far enough to run as root.
>This has all the earmarks of a "World Ends at 10, Details at 11!" TV news
>shock-story.
Yes, it does. However, if it really is a remotely trigerrable
code-execution situation and if Apple's own apps all still run as root
(they did previously) then the reality need only be limited by the
ingenuity of the badguy.
The flip side is that these attacks will be cleaned up fairly trivially
by Apple via iTunes, you'll just need to get every compromised user to
upgrade to a new version of iTunes, then connect their iPhones. Yay!
On 7/30/09 12:29 PM, in article OMkcm.36967$E61.16219@newsfe09.iad, "Todd
Allcock" <elecconnec@AnoOspamL.com> wrote:
>
> "John Navas" <spamfilter1@navasgroup.com> wrote in message
> news:h1k375lmaemunaamobvdk13sftqgb7moag@4ax.com...
>> <http://sfist.com/2009/07/30/sms_text_bug_in_your_iphone.php>
>>
>> If you receive an iPhone text message with a "single square
>> character," be afraid. Be very afraid. It's could be hackers using a
>> iewly discovered iPhone SMS bug to infiltrate your precious phone.
>> According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
>> and told Apple about it six weeks ago. The company has not issued a
>> fix, so Miller will pressure Apple by showing exactly how to hijack
>> the iPhone at a cybersecurity conference on Thursday." Miller warned
>> yesterday, "Someone could pretty quickly take over every iPhone in
>> the world with this." IntoMobile explains how it works: "Using the
>> exploit, hackers could send a succession of SMS text messages to an
>> iPhone, allowing them to gain complete control of the handset.
>> Hackers can then commandeer the iPhone to send similar text message
>> strings to other iPhones, spreading like wildfire." If you get this
>> square-character message, there's not much you can do other than turn
>> your phone off.
>
>
> Sounds like a load of horses--t to me. I don't doubt certain exploits are
> possible, but probably not as easy as a local "Eyewitless News" team has
> made it sound.
>
> Just curious as to how an iPhone would then "send similar text message
> strings to other iPhones"? Are iPhones part of a sci-fi-like mass
> collective intelligenge aware of all other iPhones around them? Do they
> carry a secret internal database of all other iPhones sold and the phone
> numbers assigned to them?
>
> The ZDNet version of the story seems to indicate this theoretical hack would
> allow the SMS to silently direct the phone to open the browser and download
> malicious software from a preset website. I'm curious (and certainly no
> expert on iPhone architecture) as to how much "damage" this could do, given
> the iPhone's draconian restrictions on running code vs. other phones. How
> malicious a "web-app" can one create? From my understanding they can't
> access much user data in any significant way, other than maybe reading your
> contacts. Sure, I suppose you could create an SMS-sending "bot" out of the
> phone which would text everyone you know, or perhaps random numbers. This
> would be an inconvenience, and potentially expensive if you don't have a
> texting plan- at least until you rebooted, but it's not like a web-app could
> install itself and "autorun" again after the phone was rebooted.
>
> This has all the earmarks of a "World Ends at 10, Details at 11!" TV news
> shock-story.
>
>
>
If NavASS can do anything to berate anything that he doesn't own, he will
spread rumors like wildfire. He is a child who gets his ass in trouble
wherever he goes. Right now, he has been laughed out of the photograophy
groups, so he's over here with nothing better to do...
"Todd Allcock" <elecconnec@AnoOspamL.com> wrote in news:OMkcm.36967
$E61.16219@newsfe09.iad:
> Just curious as to how an iPhone would then "send similar text message
> strings to other iPhones"? Are iPhones part of a sci-fi-like mass
> collective intelligenge aware of all other iPhones around them? Do they
> carry a secret internal database of all other iPhones sold and the phone
> numbers assigned to them?
>
>
....er, ah, no....They'd have to be multitasking for that!...(c;]
--
Larry
http://flightaware.com/analysis/allflights_movie.rvt
Each tiny red dot is an airliner in this Quicktime movie, ONE recent day of
air travel in the USA. What would happen if "they" found out this was the
real source of air pollution or cancer or why all the bugs around my
streetlight have disappeared? Would "they" tell us? Would "they" STOP
IT?!
> >Just curious as to how an iPhone would then "send similar text message
> >strings to other iPhones"? Are iPhones part of a sci-fi-like mass
> >collective intelligenge aware of all other iPhones around them? Do
they
> >carry a secret internal database of all other iPhones sold and the
phone
> >numbers assigned to them?
>
> If you were designing a worm to spread automatically via SMS, wouldn't
> you do it this way?
>
> Sure, you'd send a bunch of text messages to non-iPhones, but only
> sending messages to phone numbers known to be assigned to authorized
> iPhone carriers would limit the amount of junk text messages that would
> need to be sent.
Agreed. My point was the exaggeration of the news quote designed to make
it sound more sinister. Obviously the malware would have to cast a wide
net and hope to hit other iPhones using a "throw enough excrement at the
wall..." methodology.
> On the flip side, the sheer flood of junk SMSes would probably cripple
> AT&T's SMS capabilities network-wide, limiting the spread of said virus.
If 30 million of the nation's teenagers haven't brought the SMS system
down, I'm not sure this could! ;)
> >The ZDNet version of the story seems to indicate this theoretical hack
would
> >allow the SMS to silently direct the phone to open the browser and
download
> >malicious software from a preset website.
>
> That's not quite what would happen -- Rather, the malicious code would
> probably do it in the background, Safari wouldn't even need to get
> loaded.
>
> At least from what I've read it sounds like the iPhone happily assembles
> messages of arbitrary length, so the initial payload could be enough to
> get online and pull further code/instructions in the background.
>
> However, all of that being said, there is little need to do anything
> silently, all you'd need is to point the browser to a compromised
> website, there are also known Safari exploits available, so the
> transmission by SMS may simply be to force users to visit said websites.
The point, however, is how would this "execute" on the iPhone's sandboxed
architecture? (I'm asking because I certainly don't know!) How much
latitude does a web app (because this is all we're really talkng about-
the iPhone can't really download a native app from the web) have to run
amok?
> >I'm curious (and certainly no
> >expert on iPhone architecture) as to how much "damage" this could do,
given
> >the iPhone's draconian restrictions on running code vs. other phones.
>
> You've heard of jailbreaking? The app likely jailbreaks enough to meet
> it's own needs (this would not include installing typical JB tools or be
> remotely similar to what a consumer jailbreak looks like, it would just
> weasel in far enough to run as root.
If this was possible, why hasn't this exploit been used by hobbyists? As
an alternative to jailbreaking, certainly someone would've put up a non-
malicious web-installable app "no jailbreak required" by now, wouldn't
they?
> >This has all the earmarks of a "World Ends at 10, Details at 11!" TV
news
> >shock-story.
>
> Yes, it does. However, if it really is a remotely trigerrable
> code-execution situation and if Apple's own apps all still run as root
> (they did previously) then the reality need only be limited by the
> ingenuity of the badguy.
And the limits of how much the iPhone allows to be done by this method.
As I wondered above, wouldn't this method have been used for quasi-
legitimate uses already if possible? Some dev rejected by the app store
could simply publish his or her app as a "click-to-install" link and let
it "weasel in."
It sounds to me that the hacker found a hole to allow an SMS message to
trigger a web link without the users' need to tap on it, (which is
certainly bad enough,) and imagination is snowballing the threat the rest
of the way.
> The flip side is that these attacks will be cleaned up fairly trivially
> by Apple via iTunes, you'll just need to get every compromised user to
> upgrade to a new version of iTunes, then connect their iPhones. Yay!
Considering how often one needs to dock an iPhone just to change media
files, it wouldn't take long...
In article <OMkcm.36967$E61.16219@newsfe09.iad>, Todd Allcock
<elecconnec@AnoOspamL.com> wrote:
> "John Navas" <spamfilter1@navasgroup.com> wrote in message
> news:h1k375lmaemunaamobvdk13sftqgb7moag@4ax.com...
> > <http://sfist.com/2009/07/30/sms_text_bug_in_your_iphone.php>
> >
> > If you receive an iPhone text message with a "single square
> > character," be afraid. Be very afraid. It's could be hackers using a
> > iewly discovered iPhone SMS bug to infiltrate your precious phone.
> > According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
> > and told Apple about it six weeks ago. The company has not issued a
> > fix, so Miller will pressure Apple by showing exactly how to hijack
> > the iPhone at a cybersecurity conference on Thursday." Miller warned
> > yesterday, "Someone could pretty quickly take over every iPhone in
> > the world with this." IntoMobile explains how it works: "Using the
> > exploit, hackers could send a succession of SMS text messages to an
> > iPhone, allowing them to gain complete control of the handset.
> > Hackers can then commandeer the iPhone to send similar text message
> > strings to other iPhones, spreading like wildfire." If you get this
> > square-character message, there's not much you can do other than turn
> > your phone off.
>
> Sounds like a load of horses--t to me. I don't doubt certain exploits are
> possible, but probably not as easy as a local "Eyewitless News" team has
> made it sound.
it's usual sensationalism and it is due to be patched this weekend.
In message <E0xcm.77186$9P.72601@newsfe08.iad> Todd Allcock
<elecconnec@aNOoSPAMl.com> was claimed to have wrote:
>The point, however, is how would this "execute" on the iPhone's sandboxed
>architecture? (I'm asking because I certainly don't know!) How much
>latitude does a web app (because this is all we're really talkng about-
>the iPhone can't really download a native app from the web) have to run
>amok?
In theory, a web app can't do anything of the sort. In theory, phones
don't execute arbitrary code sent via SMS.
Safari has a bit of a remote-code-execution habit that Apple doesn't
seem to have broken yet, iPhone's Safari implementation has a smaller
attack surface then it's desktop counterparts, but there have been a
variety of issues, and there were a couple reported in OS3.0 shortly
after the release.
>> >I'm curious (and certainly no
>> >expert on iPhone architecture) as to how much "damage" this could do,
>given
>> >the iPhone's draconian restrictions on running code vs. other phones.
>>
>> You've heard of jailbreaking? The app likely jailbreaks enough to meet
>> it's own needs (this would not include installing typical JB tools or be
>> remotely similar to what a consumer jailbreak looks like, it would just
>> weasel in far enough to run as root.
>
>If this was possible, why hasn't this exploit been used by hobbyists? As
>an alternative to jailbreaking, certainly someone would've put up a non-
>malicious web-installable app "no jailbreak required" by now, wouldn't
>they?
Some of the very first jailbreak efforts got in through browser exploits
(via image rendering flaws, if I recall correctly)
From what I understand the problem on the current generation of iPhone
OS is that these types of exploits are generally lost after the OS
reboots, iTunes is needed to make the type of changes that are needed
for a full jailbreak to be sticky.
It's likely that this exploit can be cleaned up with a reboot too,
unless the bad guys have another trick up their sleeves.
Assuming the bad guys can't get around the reboot problem, but also
assuming we have an organized bad guy who wants to maintain his iPhone
botnet across reboots, he would likely have his exploit call home to
report in when it first fires up, and again every hour or so. This
seems like an ideal job for a mesh network of iPhones, if you wanted to
get sophisticated, you'd have a system where iPhones monitor several
neighbors, should a device stop calling in, a SMS attack would be
triggered to re-compromise the device, automating re-infecting a device
after a reboot.
If you wanted to be lazy you'd just have infected phones reinfect
everyone on their contact list regularly, there likely isn't any harm in
a botnet of iPhones sending each other re-infection attempts regularly,
trapping and discarding the message wouldn't be hard and would avoid the
user becoming suspicious by the continual "square SMS" messages.
All of this will be moot if Apple ever bothers to patch the
vulnerability, they've known about it for most of a month so far, and
knew that the vulnerability would be publicly disclosed at Blackhat yet
Apple hasn't bothered to release a patch yet, this speaks to Apple's
commitment to security.
>> Yes, it does. However, if it really is a remotely trigerrable
>> code-execution situation and if Apple's own apps all still run as root
>> (they did previously) then the reality need only be limited by the
>> ingenuity of the badguy.
>
>And the limits of how much the iPhone allows to be done by this method.
>As I wondered above, wouldn't this method have been used for quasi-
>legitimate uses already if possible? Some dev rejected by the app store
>could simply publish his or her app as a "click-to-install" link and let
>it "weasel in."
>
>It sounds to me that the hacker found a hole to allow an SMS message to
>trigger a web link without the users' need to tap on it, (which is
>certainly bad enough,) and imagination is snowballing the threat the rest
>of the way.
Everything I've read says that this is a full remote code execution
exploit, although there may be an upper limit on the size of the
executable that can be sent (but it's beyond the SMS message limits
since the iPhone reassembles multi-part messages before starting code
execution)
By injecting the code into an application running as root (yes, Apple
runs the native apps as root) the code can do whatever it wants,
including downloading a full exploit binary from the intertubes.
Since a reboot kills it, this is less useful for a rejected app
developer to get back in since the app would be rendered useless on
every device reboot, and would be neutered completed after Apple gets
around to patching, so writing for the full jailbreak community is more
productive.
nospam wrote:
> In article <OMkcm.36967$E61.16219@newsfe09.iad>, Todd Allcock
> <elecconnec@AnoOspamL.com> wrote:
>
>> "John Navas" <spamfilter1@navasgroup.com> wrote in message
>> news:h1k375lmaemunaamobvdk13sftqgb7moag@4ax.com...
>>> <http://sfist.com/2009/07/30/sms_text_bug_in_your_iphone.php>
>>>
>>> If you receive an iPhone text message with a "single square
>>> character," be afraid. Be very afraid. It's could be hackers using a
>>> iewly discovered iPhone SMS bug to infiltrate your precious phone.
>>> According to CBS 5. "Famed hacker Charlie Miller discovered the flaw
>>> and told Apple about it six weeks ago. The company has not issued a
>>> fix, so Miller will pressure Apple by showing exactly how to hijack
>>> the iPhone at a cybersecurity conference on Thursday." Miller warned
>>> yesterday, "Someone could pretty quickly take over every iPhone in
>>> the world with this." IntoMobile explains how it works: "Using the
>>> exploit, hackers could send a succession of SMS text messages to an
>>> iPhone, allowing them to gain complete control of the handset.
>>> Hackers can then commandeer the iPhone to send similar text message
>>> strings to other iPhones, spreading like wildfire." If you get this
>>> square-character message, there's not much you can do other than turn
>>> your phone off.
>> Sounds like a load of horses--t to me. I don't doubt certain exploits are
>> possible, but probably not as easy as a local "Eyewitless News" team has
>> made it sound.
>
> it's usual sensationalism and it is due to be patched this weekend.
>
> <http://news.bbc.co.uk/2/hi/technology/8177755.stm>
>
> however, this bit stands out:
>
> "Phones incorporating the Windows Mobile and Google Android operating
> systems are also vulnerable, they said."
>
> so it's not just apple with the security hole. imagine that. where's
> the headlines about them?
>
> and i'm not sure why the carriers can't just detect the 'single square
> character' and discard the bogus sms.
Yesterday, The Reg reported that researchers had discovered a
vulnerability in the iPhone and other mobile devices that made them
vulnerable to an SMS hack.
This morning, Apple fixed it.
Apple spokesperson Tom Neumayr told The Reg about the fix when we
contacted him after the BBC reported that O2 had said a fix was on
the way.
According to Neumayr:
We appreciate the information provided to us about SMS
vulnerabilities which affect several mobile phone platforms. This
morning, less than 24 hours after a demonstration of this exploit,
we've issued a free software update that eliminates the vulnerability
from the iPhone. Contrary to what's been reported, no one has been
able to take control of the iPhone to gain access to personal
information using this exploit.
In article <djj7759m9u40aiotrjokqlhs9iqr6otlpn@4ax.com>, John Navas
<spamfilter1@navasgroup.com> wrote:
> We appreciate the information provided to us about SMS
> vulnerabilities which affect several mobile phone platforms. This
> morning, less than 24 hours after a demonstration of this exploit,
> we've issued a free software update that eliminates the vulnerability
> from the iPhone. Contrary to what's been reported, no one has been
> able to take control of the iPhone to gain access to personal
> information using this exploit.
leaving windows mobile and google android vulnerable.
nospam wrote:
> In article <djj7759m9u40aiotrjokqlhs9iqr6otlpn@4ax.com>, John Navas
> <spamfilter1@navasgroup.com> wrote:
>
>> We appreciate the information provided to us about SMS
>> vulnerabilities which affect several mobile phone platforms. This
>> morning, less than 24 hours after a demonstration of this exploit,
>> we've issued a free software update that eliminates the vulnerability
>> from the iPhone. Contrary to what's been reported, no one has been
>> able to take control of the iPhone to gain access to personal
>> information using this exploit.
>
> leaving windows mobile and google android vulnerable.
Wouldn't that be some windows etc ?.
> > Sounds like a load of horses--t to me. I don't doubt certain
exploits are
> > possible, but probably not as easy as a local "Eyewitless News" team
has
> > made it sound.
>
> it's usual sensationalism and it is due to be patched this weekend.
>
> <http://news.bbc.co.uk/2/hi/technology/8177755.stm>
>
> however, this bit stands out:
>
> "Phones incorporating the Windows Mobile and Google Android operating
> systems are also vulnerable, they said."
You missed some bits (emphasis mine):
"APPLE SAID Phones incorporating the Windows Mobile and Google Android
operating systems were also POTENTIALLY vulnerable..."
> so it's not just apple with the security hole. imagine that. where's
> the headlines about them?
Media darlings have to take the good with the bad. The iPhans don't
complain when it's "big news" everytime the iPhone gets a 5 year-old
feature or program (MMS, Skype, etc.) so don't be surprised when "me too"
works against it!
> and i'm not sure why the carriers can't just detect the 'single square
> character' and discard the bogus sms.
Because the message probably isn't a "single square"- that's just how it
displays on the phone. Presumably the message is a silent SMS control
message like carriers send to configure phones OTA. If I try to open one
of those on my WinMo phone, I get an error message something like "this
message can not be displayed."
Besides, who wants their carrier sniffing their messages looking for
"potential threats?"
In message <djj7759m9u40aiotrjokqlhs9iqr6otlpn@4ax.com> John Navas
<spamfilter1@navasgroup.com> was claimed to have wrote:
> Yesterday, The Reg reported that researchers had discovered a
> vulnerability in the iPhone and other mobile devices that made them
> vulnerable to an SMS hack.
>
> This morning, Apple fixed it.
>
> Apple spokesperson Tom Neumayr told The Reg about the fix when we
> contacted him after the BBC reported that O2 had said a fix was on
> the way.
>
> According to Neumayr:
>
> We appreciate the information provided to us about SMS
> vulnerabilities which affect several mobile phone platforms. This
> morning, less than 24 hours after a demonstration of this exploit,
> we've issued a free software update that eliminates the vulnerability
> from the iPhone. Contrary to what's been reported, no one has been
> able to take control of the iPhone to gain access to personal
> information using this exploit.
Don't forget that the "less then 24 hours" is technically true, but a
bit disingenuous.
This exploit was reported to Apple weeks ago, along with the expected
public release date, they didn't bother fixing it until public release.
On Sat, 01 Aug 2009 19:31:58 -0700, DevilsPGD <DeathToSpam@crazyhat.net>
wrote in <s7t975l5rpehqti5qlr18pl93h14av4u9r@4ax.com>:
>In message <djj7759m9u40aiotrjokqlhs9iqr6otlpn@4ax.com> John Navas
><spamfilter1@navasgroup.com> was claimed to have wrote:
>> According to Neumayr:
>>
>> We appreciate the information provided to us about SMS
>> vulnerabilities which affect several mobile phone platforms. This
>> morning, less than 24 hours after a demonstration of this exploit,
>> we've issued a free software update that eliminates the vulnerability
>> from the iPhone. Contrary to what's been reported, no one has been
>> able to take control of the iPhone to gain access to personal
>> information using this exploit.
There's no way Apple can be sure of that.
>Don't forget that the "less then 24 hours" is technically true, but a
>bit disingenuous.
>
>This exploit was reported to Apple weeks ago, along with the expected
>public release date, they didn't bother fixing it until public release.
And what really matters is how long it will take for iPhones to be
patched, which will depend on whether AT&T is proactive or not.
--
Best regards,
John <http:/navasgroup.com>
If the iPhone is really so impressive,
why do iFans keep making excuses for it?
In article <gqu9755jc63csqs1s4j89n7bkv54sc246u@4ax.com>, John Navas
<spamfilter1@navasgroup.com> wrote:
> >This exploit was reported to Apple weeks ago, along with the expected
> >public release date, they didn't bother fixing it until public release.
>
> And what really matters is how long it will take for iPhones to be
> patched, which will depend on whether AT&T is proactive or not.
it doesn't depend on at&t at all. apple posted the firmware update and
every iphone user will be notified the next time they sync. it's up to
the user to actually download and install it.
On Sat, 01 Aug 2009 20:02:40 -0700, nospam <nospam@nospam.invalid> wrote
in <010820092002408545%nospam@nospam.invalid>:
>In article <gqu9755jc63csqs1s4j89n7bkv54sc246u@4ax.com>, John Navas
><spamfilter1@navasgroup.com> wrote:
>
>> >This exploit was reported to Apple weeks ago, along with the expected
>> >public release date, they didn't bother fixing it until public release.
>>
>> And what really matters is how long it will take for iPhones to be
>> patched, which will depend on whether AT&T is proactive or not.
>
>it doesn't depend on at&t at all. apple posted the firmware update and
>every iphone user will be notified the next time they sync. it's up to
>the user to actually download and install it.
And if they don't happen to sync, as many (most?) don't (very often at
least, if at all), then they are still exposed.
As I wrote, how serious this is will depend on whether AT&T is proactive
or not.
It's not the obligation of users to protect themselves against screwups
by Apple which are unknown to them.
--
Best regards,
John <http:/navasgroup.com>
If the iPhone is really so impressive,
why do iFans keep making excuses for it?
In article <uq7b75p6fvdbpbkm2n01nj2veg01jsue76@4ax.com>, John Navas
<spamfilter1@navasgroup.com> wrote:
> >> And what really matters is how long it will take for iPhones to be
> >> patched, which will depend on whether AT&T is proactive or not.
> >
> >it doesn't depend on at&t at all. apple posted the firmware update and
> >every iphone user will be notified the next time they sync. it's up to
> >the user to actually download and install it.
>
> And if they don't happen to sync, as many (most?) don't (very often at
> least, if at all), then they are still exposed.
bullshit. you don't know how often people sync. most sync fairly often,
particularly since it's a convenient way to charge.
> As I wrote, how serious this is will depend on whether AT&T is proactive
> or not.
and as i wrote, it has nothing to do with at&t, especially since it
affects phones outside of at&t's coverage area.
> It's not the obligation of users to protect themselves against screwups
> by Apple which are unknown to them.
nobody said it was. apple can only provide the update. if the user
declines to install it, so be it.
On Sun, 02 Aug 2009 09:04:14 -0700, nospam <nospam@nospam.invalid> wrote
in <020820090904146152%nospam@nospam.invalid>:
>In article <uq7b75p6fvdbpbkm2n01nj2veg01jsue76@4ax.com>, John Navas
><spamfilter1@navasgroup.com> wrote:
>> And if they don't happen to sync, as many (most?) don't (very often at
>> least, if at all), then they are still exposed.
>
>bullshit. you don't know how often people sync. most sync fairly often,
>particularly since it's a convenient way to charge.
None of the first 4 iPhone users I asked had ever synced.
>> As I wrote, how serious this is will depend on whether AT&T is proactive
>> or not.
>
>and as i wrote, it has nothing to do with at&t, especially since it
>affects phones outside of at&t's coverage area.
AT&T has an exclusive and is the only entity in a position to alert
these users.
>> It's not the obligation of users to protect themselves against screwups
>> by Apple which are unknown to them.
>
>nobody said it was. apple can only provide the update. if the user
>declines to install it, so be it.
The issue is lack of knowledge.
--
Best regards,
John <http:/navasgroup.com>
If the iPhone is really so impressive,
why do iFans keep making excuses for it?
In article <u7kb75h6t2c2ceb7snjbcgm6fmf41frevm@4ax.com>, John Navas
<spamfilter1@navasgroup.com> wrote:
> >> And if they don't happen to sync, as many (most?) don't (very often at
> >> least, if at all), then they are still exposed.
> >
> >bullshit. you don't know how often people sync. most sync fairly often,
> >particularly since it's a convenient way to charge.
>
> None of the first 4 iPhone users I asked had ever synced.
4 out of over 20 million, now there's a statistically valid sample. if
they never synced as you claim, then they don't have a whole lot of
music, videos, apps or contacts on the phone, and that's *very*
atypical.
> >> As I wrote, how serious this is will depend on whether AT&T is proactive
> >> or not.
> >
> >and as i wrote, it has nothing to do with at&t, especially since it
> >affects phones outside of at&t's coverage area.
>
> AT&T has an exclusive and is the only entity in a position to alert
> these users.
only in the usa is at&t the exclusive carrier. the iphone is sold in 80
countries worldwide. remind me again what at&t has to do with that.
> >> It's not the obligation of users to protect themselves against screwups
> >> by Apple which are unknown to them.
> >
> >nobody said it was. apple can only provide the update. if the user
> >declines to install it, so be it.
>
> The issue is lack of knowledge.
the issue is talking out of one's posterior in conjunction with the
self-admitted lack of knowledge.
> In message <djj7759m9u40aiotrjokqlhs9iqr6otlpn@4ax.com> John Navas
> <spamfilter1@navasgroup.com> was claimed to have wrote:
>
>> Yesterday, The Reg reported that researchers had discovered a
>> vulnerability in the iPhone and other mobile devices that made them
>> vulnerable to an SMS hack.
>>
>> This morning, Apple fixed it.
>>
>> Apple spokesperson Tom Neumayr told The Reg about the fix when we
>> contacted him after the BBC reported that O2 had said a fix was on
>> the way.
>>
>> According to Neumayr:
>>
>> We appreciate the information provided to us about SMS
>> vulnerabilities which affect several mobile phone platforms. This
>> morning, less than 24 hours after a demonstration of this exploit,
>> we've issued a free software update that eliminates the vulnerability
>> from the iPhone. Contrary to what's been reported, no one has been
>> able to take control of the iPhone to gain access to personal
>> information using this exploit.
>
> Don't forget that the "less then 24 hours" is technically true, but a
> bit disingenuous.
>
> This exploit was reported to Apple weeks ago, along with the expected
> public release date, they didn't bother fixing it until public release.
And just what have the others done, hmmmm?
On 8/2/09 11:04 AM, in article 020820090904146152%nospam@nospam.invalid,
"nospam" <nospam@nospam.invalid> wrote:
> In article <uq7b75p6fvdbpbkm2n01nj2veg01jsue76@4ax.com>, John Navas
> <spamfilter1@navasgroup.com> wrote:
>
>>>> And what really matters is how long it will take for iPhones to be
>>>> patched, which will depend on whether AT&T is proactive or not.
>>>
>>> it doesn't depend on at&t at all. apple posted the firmware update and
>>> every iphone user will be notified the next time they sync. it's up to
>>> the user to actually download and install it.
>>
>> And if they don't happen to sync, as many (most?) don't (very often at
>> least, if at all), then they are still exposed.
>
> bullshit. you don't know how often people sync. most sync fairly often,
> particularly since it's a convenient way to charge.
>
Bullshit is NavASS' Middle Name.
>> As I wrote, how serious this is will depend on whether AT&T is proactive
>> or not.
>
> and as i wrote, it has nothing to do with at&t, especially since it
> affects phones outside of at&t's coverage area.
>
You don't think AT&T is Omnipotent?!? SHAME!
>> It's not the obligation of users to protect themselves against screwups
>> by Apple which are unknown to them.
>
> nobody said it was. apple can only provide the update. if the user
> declines to install it, so be it.
Most all I know have done so already. ~20 minutes - no big deal. When I go
to sync my phone, it asked if I wanted to. NavASS is trying to blow smoke up
people's asses, nothing new...
> On Sun, 02 Aug 2009 09:04:14 -0700, nospam <nospam@nospam.invalid> wrote
> in <020820090904146152%nospam@nospam.invalid>:
>
>> In article <uq7b75p6fvdbpbkm2n01nj2veg01jsue76@4ax.com>, John Navas
>> <spamfilter1@navasgroup.com> wrote:
>
>>> And if they don't happen to sync, as many (most?) don't (very often at
>>> least, if at all), then they are still exposed.
>>
>> bullshit. you don't know how often people sync. most sync fairly often,
>> particularly since it's a convenient way to charge.
>
> None of the first 4 iPhone users I asked had ever synced.
>
Knowing the crowd you run with, why am I NOT surprised by that statement?!?
What a maroon!
>>> As I wrote, how serious this is will depend on whether AT&T is proactive
>>> or not.
>>
>> and as i wrote, it has nothing to do with at&t, especially since it
>> affects phones outside of at&t's coverage area.
>
> AT&T has an exclusive and is the only entity in a position to alert
> these users.
GAWD! You are dense. Strat has you pegged: You've gotta be the stupidest
fuckhead on the Internet.
>
>>> It's not the obligation of users to protect themselves against screwups
>>> by Apple which are unknown to them.
>>
>> nobody said it was. apple can only provide the update. if the user
>> declines to install it, so be it.
>
> The issue is lack of knowledge.
You said it. Glad you finally admitted that you don't know jack-shit about
anything.
> >> And if they don't happen to sync, as many (most?) don't (very often
at
> >> least, if at all), then they are still exposed.
> >
> >bullshit. you don't know how often people sync. most sync fairly often,
> >particularly since it's a convenient way to charge.
>
> None of the first 4 iPhone users I asked had ever synced.
Then I'll wager that none of those users understood what "sync" meant (or
assumed you meant transfer PIM data).
Ask if they ever connect their iPhone to their computer to add/change the
music/media on it, and you'll get a different answer. I seriously doubt
you've found four users that don't ever use the phone as an iPod!
Adding/changing media is the only time I connwct my wife's, and that's at
least twice a month.
> >> As I wrote, how serious this is will depend on whether AT&T is
proactive
> >> or not.
> >
> >and as i wrote, it has nothing to do with at&t, especially since it
> >affects phones outside of at&t's coverage area.
>
> AT&T has an exclusive and is the only entity in a position to alert
> these users.
On Sun, 02 Aug 2009 10:48:34 -0700, John Navas
<spamfilter1@navasgroup.com> wrote:
>None of the first 4 iPhone users I asked had ever synced.
I have a friend in Florida who bought iPhones for his staff and
family. I think he has 6 of them. I just asked him (via Skype chat)
if he's every synced or backed up any of the phones using iTunes. His
daughter is somewhat of a hack, so she's got iTunes running on her
Mac. However, the other phones have never seen a computah.
I've also seen a few iPhones with only the stock collection of Apps,
which is a clue that they never get synced.
I've also heard some rather odd comments about the long time it takes
to Sync. One iPhone user claimed it took more time than he was
willing to spend: It's apparently a common complaint:
<http://www.eidac.de/?p=60>
<http://www.macosxhints.com/article.php?story=20080727060037590>
>>nobody said it was. apple can only provide the update. if the user
>>declines to install it, so be it.
>The issue is lack of knowledge.
What you don't know, won't hurt you. I think it's more like lack of
understanding. I have a hell of a time getting customers to do
updates, virus scans, and system backups. The only thing that really
works is to let them get infected with a virus, their hard disk die,
or some other preventable failure. After the initial data loss and
disaster, they're far more interested in doing updates, scans, and
backups. For the iPhone, perhaps a few hijacking and publicizing some
high profile security leaks, will help. Otherwise, knowledge of the
update isn't going to help convincing the user to do the update.
What every happened to firmware updates via the OTA interface?
20 million iPhones * 300MBytes/update = 6 terabytes
Never mind. It would probably kill the 3G and GPRS networks.
> >> We appreciate the information provided to us about SMS
> >> vulnerabilities which affect several mobile phone platforms. This
> >> morning, less than 24 hours after a demonstration of this exploit,
> >> we've issued a free software update that eliminates the
vulnerability
> >> from the iPhone. Contrary to what's been reported, no one has been
> >> able to take control of the iPhone to gain access to personal
> >> information using this exploit.
> >
> > Don't forget that the "less then 24 hours" is technically true, but a
> > bit disingenuous.
> >
> > This exploit was reported to Apple weeks ago, along with the expected
> > public release date, they didn't bother fixing it until public release.
> And just what have the others done, hmmmm?
Reportedly, according to the link posted earlier, Google patched it
already. WinMo, Blackberry, or Symbian weren't affected by this
particular exploit.
In article <7q2c75lhc3g4bk39qo6m5j2aq3ogf8jjad@4ax.com>, Jeff
Liebermann <jeffl@cruzio.com> wrote:
> I've also seen a few iPhones with only the stock collection of Apps,
> which is a clue that they never get synced.
that's the exception rather than the rule. there are even iphones still
running 1.x firmware for reasons i cannot fathom.
most people plug the iphone into their computer to charge, and itunes
will automatically launch and pester them about an update (unless
they've disabled that).
> I've also heard some rather odd comments about the long time it takes
> to Sync. One iPhone user claimed it took more time than he was
> willing to spend: It's apparently a common complaint:
> <http://www.eidac.de/?p=60>
> <http://www.macosxhints.com/article.php?story=20080727060037590>
not only is it not common, but that's from a year ago! can't you do any
better?
there was a bug in the 2.0.x firmware that caused backups to sometimes
take absurd amounts of time. because of that, many users just disabled
the backup portion of the sync, making the sync quite fast. more
importantly, that bug was fixed *long* ago in 2.1. btw, the current
firmware is 3.0.1.
NEWS: SMS Bug In Your iPhone Could Prove Disastrous 
Linear Mode
