OP here. In short, it sounds like the iPhone SMS infrastructure is susceptible to buffer overflow attacks. Seems the guys who have found it have given Apple a lot of time to fix it with no response so far.
<i>Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn't released a patch, and it didn't respond to Forbes' repeated calls seeking comment.</i><p>Those new Android phones are coming out later this year, right?
This makes me wonder if the reason we haven't seen major threats on other mobile devices/platforms is due more to the lack of market penetration vs. a lack of security.<p>It's the old 'Apple doesn't get viruses' argument in reverse. Not as many viruses targeted Macs because it had a smaller user base, so they focused on Windows. Now that Apple has serious traction with a device which is in some ways ideally suited to forwarding the virus, they are becoming the focus of an attack.
This was reported earlier in the month. Most blogs' source reference is this Yahoo Tech article, which claims:<p>"Apple is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software code with root access to the phone."<p><a href="http://tech.yahoo.com/news/pcworld/20090702/tc_pcworld/applepatchingserioussmsvulnerabilityoniphone" rel="nofollow">http://tech.yahoo.com/news/pcworld/20090702/tc_pcworld/apple...</a><p>No details on if Apple dropped the ball or if they were actually working on it in the first place.<p>My best guess as to the vulnerability is the iPhone's new MMS capability. They probably had to punch some holes in the sandbox to get MMS media saved onto the phone.
If you have a vulnerability that could result in the takeover of every iPhone in the world, along with a noticeable increase in SMS message traffic over carrier networks, and the manufacturer has not fixed it yet...<p>... then you probably shouldn't release it.<p>(Also: Buffer Overflow? Hello? Did someone develop this ten years ago?)
Funny, no one paid much attention when this was posted four weeks ago. People never pay much attention to security until it's about to bite them.<p>Ho hum, if you would like to avoid the SMS apocalypse you can hope that Apple releases a security update before the conference, or you can sign up for AT&T's Smart Limits for Wireless Parental Controls ($5/mo) and set your SMS quota to 0 (add your Mom to the whitelist first).
I'm not trying to be the dumbass comment but this better make its way to a celebrity phone somewhere. SOMETHING of real value has to come of this... obviously, other than a more secure SMS infrastructure.