iOS 8.2 stops attackers being able to restart your iPhone with a malicious Flash SMS


Apple rolled out a brand new version of iOS for iPhone owners today, largely in readiness for the imminent arrival of the Apple Watch.

For most people, iOS 8.2 will be a pretty unexciting update.

The only thing they’re likely to notice is that Apple has plonked another icon on their Home Screen that does nothing - as yet - but play promotional videos for the new wearable Apple gadget.

Thanks Tim.

In something of a replay of Apple pushing an unwanted U2 album onto customers last year, the Apple Watch app will be similarly unwanted by many, and unfortunately - like Stocks, Weather, Reminders and several other Apple apps - cannot be deleted from your iOS device.

The best you will be able to do is throw the app into a folder - presumably alongside Newsstand.

But what will have gone unnoticed by many fervent iOS updaters is that the new version of the iPhone operating system includes a number of important security fixes.

Perhaps the most interesting is a bug discovered by Swedish programmer Roman Digerberg.

Digerberg discovered a worrying security hole in iOS which meant he could force iPhones to restart just by sending them a carefully-crafted SMS message.

Now, of course, this was no ordinary SMS message. Instead what Digerberg was sending were Flash SMS messages (also known as Class 0 SMS messages). Flash SMS messages appear immediately on your phone’s main screen, rather than in your regular Messages app, and are typically used for emergency or high-priority notifications.

Digerberg has claimed that he could send anonymous text messages to a recipient’s lock screen, even if the iPhone receiving the message is not set up to display messages in that fashion.

Furthermore, he has said that it is possible to meddle with the numeric display of voicemail messages, “or to just put a red dot in its place, that the user is unable to remove.”

Meddling with voicemail numbers is one thing, but actually finding a way to remotely restart other people’s iPhones is a whole different level of threat.

“Some people think that I should start a pay service online where you can anonymously send different types of messages,” Digerberg told journalists last month after feeling frustrated that Apple wasn’t taking him seriously. “You can imagine what chaos there would be if people start sending unwanted and unavoidable messages to each other and make changes in each other’s phones.”

I guess we should be grateful that Apple has now fixed the Class 0 SMS vulnerability, and that attackers won’t be able to exploit it going forward. But it’s clear that more than seven years after the iPhone was first launched fundamental security holes are still being found that could make you regret one day not having a bog standard non-smartphone as a backup.

Read more about the security fixes in iOS 8.2 in this Apple support advisory.


One Response

  1. @Digerberg

    March 10, 2015 at 3:39 pm #

    Last bug is still not fixed, I can still send/delete missed calls, make red dot and send anonymous messages.
