On Thursday at the Black Hat conference in Las Vegas, security researchers Charlie Miller and Collin Mulliner demonstrated an SMS security vulnerability that exists in the iPhone, Android-based mobile phones, and Windows Mobile phones.
The attack requires nothing more than the target receiving a series of malformed SMS messages from a hacker. Just receiving these messages will cause the targeted mobile phone to either crash or, worse, be taken over by the attacker. The latter is possible with the iPhone.
When the attacker takes over the iPhone, they can make calls, visit web sites, turn on the camera and, most of all, forward the SMS to people in the iPhone’s Contact list.
The security researchers informed Apple, Google and Microsoft of the vulnerability about a month ago. At that time, they told these companies that the SMS security vulnerability would be the topic of their speech at the Black Hat conference in Las Vegas. After Google was informed, it released a fix for Android. The researchers did not hear from Apple.
This morning Apple released iPhone firmware 3.0.1, which it claims includes the fix for the reported SMS security vulnerability. As of now, Microsoft is still investigating the vulnerability in Windows Mobile.
For all iPhone users who have jailbroken their iPhone, please be warned that this update will most likely undo the jailbreak. For iPhone users who have unlocked their iPhones, thus far there is no official news from iPhone Dev Team on whether the iPhone will still be unlockable after installing firmware 3.0.1. One thing we do know is that iPhone firmware 3.0.1 does not upgrade the baseband of the iPhone, so in theory it should still be unlockable with the software from iPhone Dev Team.
[Update: August 1, 2009]
iPhone Dev Team just released an official message confirming that the iPhone firmware 3.0.1 is safe for iPhones, and that the upgraded iPhone can still be jailbroken and SIM unlocked. Please read the message from iPhone Dev Team for instructions on how to do so.