
“Unusual” Character Hack May Put All iPhones in Peril


Cybersecurity researchers Charlie Miller and Collin Mulliner claim they can bring down your iPhone by sending it just a single “unusual” character, according to Forbes, which first published news of the exploit earlier this week.

A single square character or a series of “invisible” messages can be used to confuse an iPhone, leaving it open to hackers. The exploit affects all models of iPhones, running all versions of the iPhone OS. The only way to protect the phone from attack is to shut it down.

“Someone could pretty quickly take over every iPhone in the world with this,” said Miller. After running the exploit, a hacker has control over any of the iPhone’s features. According to Forbes, this includes “dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.”

Unlike previous exploits, this one doesn’t require the user to do anything, and can strike at any time. The only prerequisite is that the iPhone is connected to a cellular network. Miller and Mulliner say they informed Apple of the exploit “more than a month” ago, but so far, the company has not issued a patch to close it. Forbes adds that Apple didn’t respond to “repeated calls” seeking comment.

“I’ve given them more time to patch this than I’ve ever given a company to patch a bug,” Miller told Forbes. “As a researcher, I can only show [Apple] the bugs. It’s up to them to fix them.”

Miller is no stranger to exposing security flaws in the iPhone. In 2007, he identified a browser exploit that also gave hackers similar control over a user’s iPhone. Miller and Mulliner are expected to publicize details of the latest flaw today at the Black Hat digital security conference in Nevada.

6 Responses to ““Unusual” Character Hack May Put All iPhones in Peril”

  1. Gazoobee

    This is just a verbatim repeat almost word for word of the FT article from day before yesterday, which has been proven to be inaccurate. Like that article, it also fails to mention that this bug is not iPhone specific and that similar bugs are to be found in Android and Windows Mobile. All the articles you can find on this thing are just verbatim repeats of “what Charlie Miller” says and he has a long history of making inflammatory anti-Apple statements.

  2. Re-read the article. It’s not a single character, but a series of SMS messages. It’s just that the single character is the only thing a victim will see during the attack. All other messages won’t even show up in your list of received messages if I’m reading it correctly.

    And the researcher also believes that with some extra effort, even that single character display can be hidden.