It seemed perfectly ordinary when the distinctive Apple chime bounced off the walls in a small Adelaide office as an iPhone downloaded an SMS.
But the calm soon broke as the staffer read a strange message splashed over the top of the iPhone that read “exploit. Downloading PIM data 40%.”
She recognised it as a hack that was siphoning her personal information. Panicking, she killed Bluetooth, wi-fi and 3G, and restarted the phone.
It was a flash or class 0 SMS: A type of message officially used to distribute emergency services notices which rendered in full text on the top home screen of almost all mobile phones on the market.
Savvy BlackBerry, Nokia and Symbian users have used flash SMS for years, but it was a function only available to jailbroken iPhones via a string of command lines through terminal.
However, unlike when sent from other devices, iPhone flash SMSes do not contain information capable of identifying the sender.
Flash SMS sent to Windows devices displays only as a “network message”.
Twenty minutes later and another iPhone beeped in the office. It was a flash SMS containing what appeared to be the same hack.
A third staffer received a flash SMS on his personal iPhone reading that the downloading of PIM data was at 90 percent.
Michael Jenkin called Telstra Business Support. “They didn’t know anything about it,” said Jenkin, the director of consultancy Business Technology Partners.
“I sent data from the iPhone to Telstra and Apple but nothing came of it.”
Telstra did not maintain logs of sent and received flash SMSs.
Two more flash messages hit staff iPhones. ** ?ex_”-=t?e ** 30% downloaded. ios401
The end of the message, “ios401”, corresponded to the firmware running on the factory set iPhone 3Gs devices. Messages also included information on the name of the iPhone operating system.
The beeps continued the following day, and corporate and personal email account data was downloaded to the company’s iPhones.
iTunes account details including a username and password were displayed on one phone. On another, information on .local, the company’s internal network domain, was downloaded.
“We cut Exchange from the phones, ActiveSync too from servers. We changed all passwords,” Jenkin said.
A lady in Florida emailed an employee with news that a screen capture of his iPhone along with iTunes account details was sent to her screen.
The employee also found his Gmail account hacked and the password changed.
Two days after the first message was received in August last year, Jenkins contacted security companies. He sent extensive server logs to Trend Micro which declared the systems absent of malware.
Microsoft forensics professionals found no evidence during what Jenkins called exhaustive tests for network intrusion.
The South Australian Police eCrimes division was asked to investigate. It escalated the case to the Australian Federal Police which cloned the affected phones, but found no sign of exploit.
Apple deemed it a new issue blamed likely on a malware infection, before going quiet, Jenkin said.
Even veteran Apple hacker and Accuvant researcher Charlie Miller told SC he was unfamiliar with flash SMS and could not identify the issue.
Earlier this year, similar flash SMSes began hitting staff phones again.
South Australia’s e-crime head Paul FeatherStone said the messages were identified as flash SMS but could not be distinguished further.
The state police had sent flash SMS to factory-set iPhones from a MobileMe installation operating on a remote machine to demonstrate the attacks.
He noted that these types of attacks could be a result of malicious insiders, or pranksters.
Jenkins asserted that company information did not appear compromised and that staff had sworn innocence.
Can you help Michael? Email SC.
Research by SC found basic instructions from various forums on how to send flash SMS from jailbroken iPhones.
We've crafted them for ease of use and clarity. Use these at your own risk.
This was tested on a jailbroken iPhone 4 iOS 4.3.5, and failed because of a suspected terminal bug that caused minicom to hang.
First you need to install OpenSSH and minicom from Cydia.
Create the directory user/etc on your iPhone by typing: mkdir /usr/etc in terminal, or using an alternative method.
In terminal enter: minicom -s
In the menu select serial port setup using the letter J to navigate down and press return.
Select Serial device by typing a
Change the /dev/tty.baseband to /dev/tty/debug
Press return to exit. Save as dfl.
SSH into your iPhone. You can use putty.
The default username is root and password alpine. If these credentials worked for you, read this.
Type minicom -w and press enter.
(this is as far as I got by publication time because the minicom modem hung. A few workarounds including holding down space failed to help.)
Craft the flash SMS in PDU format here. Set SMSC to 0. Set Message Class to 0. Set Receiver to the target phone number.
In minicom change the modem sms-format tot PDU. Type:
AT+CMGS=(the value from the “Hex PDU message” column)
> (Paste the characters from the PDU string column but do not press enter.)
Your flash message is sent.
Have a better way? Let us know.
Copyright © SC Magazine, Australia
Issue: 347 | March 2016