At the SyScan conference in Singapore, Charlie Miller described a vulnerability in the iPhone’s SMS system, a flaw that could “allow an attacker to remotely install and run unsigned software code with root access to the phone.
It’s unlikely that this will be exploited vastly, but it’s still a very serious risk due to the sheer numbers of iPhones out there. According to the security researched said that the attack “exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service),” however he has made an agreement with Apple to keep the details out of the press so that Apple have a chance to fix it before someone else figures it out and makes matters more serious.
Miller only gave the following information concering the vulnerability: “The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”
Miller will be going into more detail of this at the Black Hat USA expo in Las Vegas later on this years, giving Apple a chance to patch it. Apple have planned to get a fix ready for later this month.