Apple iPhone vulnerability demonstrated at Black Hat that allows smartphone to be knocked offline

News by SC Staff

A vulnerability in the Apple iPhone has been demonstrated at the Black Hat conference in Las Vegas.

A vulnerability in the Apple iPhone has been demonstrated at the Black Hat conference in Las Vegas.

The bug can enable a hacker to deliver a single invisible text message to a victim that would cause the phone to be knocked offline. Mac hacker Charlie Miller and Collin Mulliner, who gave the demonstration, claimed that the victim would not be able to make phone calls or send text messages, and any WiFi or Bluetooth capability would be disabled.

The researchers were also able to send a barrage of 519 text messages that enabled them to take complete control of a target phone by taking advantage of a memory issue. Only one message, in that case, is visible to the user.

Miller and Mulliner said they notified Apple of the flaw on 18th June, but it has yet to be fixed. An Apple spokesman did not respond to a request for comment.
According to reports, the researchers expect hackers to use the information they presented in their talk to develop an active exploit within two weeks.

In order to perform the attack, the duo utilised a ‘fuzzing' framework known as Sulley and a small tool to ‘man-in-the-middle' the phone's application processor and modem, enabling them to generate a massive number of fuzzed text messages quickly, for free and without anyone knowing it. The two men never had to use the mobile operator's network.

The researchers said that similar vulnerabilities affect Google's Android, which has been patched, and Windows Mobile, which has not.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike