iOS 8.2 stops attackers being able to restart your iPhone with a malicious Flash SMS

Graham Cluley

Apple rolled out a brand new version of iOS for iPhone owners today, largely in readiness for the imminent arrival of the Apple Watch.

For most people, iOS 8.2 will be a pretty unexciting update.

The only thing they’re likely to notice is that Apple has plonked another icon on their Home Screen that does nothing – as yet – but play promotional videos for the new wearable Apple gadget.

Thanks Tim.


In something of a replay of Apple pushing an unwanted U2 album onto customers last year, the Apple Watch app will be similarly unwanted by many, and unfortunately – like Stocks, Weather, Reminders and several other Apple apps – cannot be deleted from your iOS device.

The best you will be able to do is throw the app into a folder – presumably alongside Newsstand.

But what will have gone unnoticed by many fervent iOS updaters is that the new version of the iPhone operating system includes a number of important security fixes.

Perhaps the most interesting is a bug discovered by Swedish programmer Roman Digerberg.

Digerberg discovered a worrying security hole in iOS which meant he could force iPhones to restart just by sending them a carefully-crafted SMS message.

Now, of course, this was no ordinary SMS message. Instead what Digerberg was sending were Flash SMS messages (also known as Class 0 SMS messages). Flash SMS messages appear immediately on your phone’s main screen, rather than in your regular Messages app, and are typically used for emergency or high-priority notifications.
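Whether a message is a Flash SMS is signalled in its data coding scheme (TP-DCS) octet, defined in 3GPP TS 23.038. The following added example (not from the original article; the function names and sample records are constructed here) decodes that octet so a gateway or log review can flag Class 0 messages:

```python
from typing import Iterable, List, Optional, Tuple


def sms_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) encoded in a TP-DCS octet, or None."""
    if not 0 <= dcs <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    group = dcs >> 4
    # Groups 00xx (general data coding) and 01xx (marked for automatic
    # deletion): bit 4 says whether bits 1..0 carry a class at all.
    if group <= 0b0111:
        return dcs & 0b11 if dcs & 0b0001_0000 else None
    # Group 1111 (data coding / message class): bits 1..0 always carry a class.
    if group == 0b1111:
        return dcs & 0b11
    # Groups 1000-1011 are reserved and 1100-1110 are message waiting
    # indication groups; neither carries a message class.
    return None


def is_flash_sms(dcs: int) -> bool:
    """Class 0 is the 'Flash SMS' shown immediately on the handset."""
    return sms_class(dcs) == 0


def flag_flash(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the labels of records whose TP-DCS (hex string) is Class 0."""
    return [label for label, dcs_hex in records if is_flash_sms(int(dcs_hex, 16))]


# Constructed sample records (label, TP-DCS as hex); not real traffic.
SAMPLE = [
    ("msg-A", "00"),  # GSM 7-bit, no class: ordinary text
    ("msg-B", "10"),  # GSM 7-bit, class 0
    ("msg-C", "F0"),  # data coding / message class group, class 0
    ("msg-D", "18"),  # UCS2, class 0
    ("msg-E", "C8"),  # message waiting indication group, no class
    ("msg-F", "F1"),  # class 1
]

if __name__ == "__main__":
    print(flag_flash(SAMPLE))
```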

Digerberg has claimed that he could send anonymous text messages to a recipient’s lock screen, even if the iPhone receiving the message is not set up to display messages in that fashion.

Furthermore, he has said that it is possible to meddle with the numeric display of voicemail messages, “or to just put a red dot in its place, that the user is unable to remove.”


Meddling with voicemail numbers is one thing, but actually finding a way to remotely restart other people’s iPhones is a whole different level of threat.

“Some people think that I should start a pay service online where you can anonymously send different types of messages,” Digerberg told journalists last month after feeling frustrated that Apple wasn’t taking him seriously. “You can imagine what chaos there would be if people start sending unwanted and unavoidable messages to each other and make changes in each other’s phones.”

I guess we should be grateful that Apple has now fixed the Class 0 SMS vulnerability, and that attackers won’t be able to exploit it going forward. But it’s clear that, more than seven years after the iPhone was first launched, fundamental security holes are still being found that could make you regret one day not having a bog standard non-smartphone as a backup.

Read more about the security fixes in iOS 8.2 in this Apple support advisory.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “iOS 8.2 stops attackers being able to restart your iPhone with a malicious Flash SMS”

  1. Last bug is still not fixed, I can still send/delete missed calls, make red dot and send anonymous messages.
