SMS Hack on the iPhone

The video below shows how easy it is to download someone’s text messages from a smartphone. We did this with an iPhone, but similar techniques can be used on an Android device or other smartphones.

Here is a summary of steps:

1. Jailbreak the iPhone. We used a zero-day exploit to remotely jailbreak the iPhone without the user’s consent. We then loaded an SSH shell onto the device.

2. Find out the user’s IP address. In the video we show what the IP address is, but in the real world we can use a scanner to do an OS fingerprint and find out the IP address.

3. Once SSH is loaded on the phone, we can use SCP to transfer the SMS database. On the iPhone it is located at /private/var/mobile/Library/SMS. We used SCP to download the SMS database (sms.db) to our Downloads folder and renamed it local-sms.db.

4. The iPhone will ask for a password. Every iPhone has a default password of “alpine”. Users cannot change this unless they jailbreak their own device first.

5. The SMS messages on the phone can be viewed offline using a SQLite viewer. One option is MesaSQLite for Mac OS X, which is currently in beta and free to download. There are plenty of SQLite apps for Windows too.

This is an oversimplified version of the attack. With a little more blackhat work it can be turned into a much more sophisticated one: no user interaction, performed over 3G networks, and all that is needed is the user’s phone number.
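From the defender’s side, the attack above has a clear network footprint: a stock iPhone runs no SSH daemon, so any session to TCP/22 on a handset means the device has been jailbroken, and a large server-to-client byte count on that session is consistent with an SCP pull of sms.db. The script below is an added example (not part of the original post) that flags such sessions in flow records; the record format, the 10.20.0.0/24 handset range and the byte threshold are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Assumptions (not from the original post): handsets get addresses from this
# range, and a pull of sms.db moves at least this many bytes from the phone.
HANDSET_NET = ipaddress.ip_network("10.20.0.0/24")
SSH_PORT = 22
EXFIL_BYTES = 100_000

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    c2s: int   # bytes client -> server
    s2c: int   # bytes server -> client

def parse_flow(line: str) -> Flow:
    """Parse a constructed record '<src>:<sport> -> <dst>:<dport> <proto> c2s=N s2c=N'."""
    left, right = line.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst_port, proto, *counters = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    kv = dict(tok.split("=", 1) for tok in counters)
    return Flow(src, int(sport), dst, int(dport), proto, int(kv["c2s"]), int(kv["s2c"]))

def ssh_to_handset(flow: Flow) -> bool:
    """A stock iPhone runs no SSH daemon, so TCP/22 open on a handset implies a jailbreak."""
    return (flow.proto == "tcp" and flow.dport == SSH_PORT
            and ipaddress.ip_address(flow.dst) in HANDSET_NET)

def find_suspicious(lines):
    """Return (client, handset, severity) for each SSH session into a handset; 'high'
    means the phone sent enough data to carry an SMS database, 'medium' a login only."""
    alerts = []
    for line in filter(str.strip, lines):
        flow = parse_flow(line)
        if ssh_to_handset(flow):
            severity = "high" if flow.s2c >= EXFIL_BYTES else "medium"
            alerts.append((flow.src, flow.dst, severity))
    return alerts

# Constructed samples: phone HTTPS, an SSH pull of ~600 KB from a phone, a brief SSH login, mDNS.
SAMPLE_FLOWS = """\
10.20.0.15:49812 -> 93.184.216.34:443 tcp c2s=2100 s2c=48000
192.168.1.50:51022 -> 10.20.0.15:22 tcp c2s=4800 s2c=612000
192.168.1.50:51030 -> 10.20.0.22:22 tcp c2s=900 s2c=1200
10.20.0.22:5353 -> 224.0.0.251:5353 udp c2s=300 s2c=0
"""
```

Calling `find_suspicious(SAMPLE_FLOWS.splitlines())` returns one high alert for the 612 KB pull from 10.20.0.15 and one medium alert for the short login to 10.20.0.22; the HTTPS and mDNS records are ignored.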

Besides text messages, other information can be retrieved from different databases. Here is a summary of some of the databases on the iPhone. Happy hacking.


Notes backup
/private/var/mobile/Library/Notes

Call History backup
/private/var/mobile/Library/CallHistory

Voicemail backup
/private/var/mobile/Library/Voicemail
Voicemails are stored as 1.amr, 2.amr, and so on within this directory. The custom greeting is stored as Greeting.amr.

Contacts/Address Book backup
/private/var/mobile/Library/AddressBook/

Mail backup
/private/var/mobile/Library/Mail

Pictures and Video Recordings
/private/var/mobile/Media/DCIM/

Calendar backup
/private/var/mobile/Library/Calendar/


Do you want more info on how to protect yourself against these common threats? Try cloud-based scanning through iScan: http://www.iscanonline.com

Comments

  1. Hello,
    I am confused about these steps. Are you able to walk me through this process with only the phone number? I don’t wish to publicly post my email address. Is there any way to contact you?

  2. I’m in need of doing this with no interaction over a 3G network with only the phone number. Can you help me ASAP?

  3. Aamir Lakhani says:

    The video is a quick demo. If we want to achieve this same hack over the cellular network we would need to scan the wireless tower. This is not that difficult if you are relatively close in a geographical area to your victim device. You can then use some tricks to scan and associate a user’s phone number with an IP address.

    What we did not show on the video was that we actually did a remote jailbreak on the device without the user’s knowledge. To do this we used a zero-day exploit, then uploaded a shell to the user’s device. The remote jailbreak was customized so we did not need to add Cydia or other types of applications.

    Naturally, the question is how do we do this? Now here is the part you are not going to like: because of DMCA and NDA policies we were asked not to detail the steps. The actual hack wasn’t something we invented; we did modify it and perfect it for our use case. The actual attack should be fixed in the next version of iOS, and at that point I should be able to show you a step-by-step guide on how to achieve it. Sorry, I have to listen to the lawyers.

  4. Aamir Lakhani says:

    I had someone else that had a similar question… I will paste the same reply. If you need something else in more detail email me or send me a direct message on twitter.
    ——

    The video is a quick demo. If we want to achieve this same hack over the cellular network we would need to scan the wireless tower. This is not that difficult if you are relatively close in a geographical area to your victim device. You can then use some tricks to scan and associate a user’s phone number with an IP address.

    What we did not show on the video was that we actually did a remote jailbreak on the device without the user’s knowledge. To do this we used a zero-day exploit, then uploaded a shell to the user’s device. The remote jailbreak was customized so we did not need to add Cydia or other types of applications.

    Naturally, the question is how do we do this? Now here is the part you are not going to like: because of DMCA and NDA policies we were asked not to detail the steps. The actual hack wasn’t something we invented; we did modify it and perfect it for our use case. The actual attack should be fixed in the next version of iOS, and at that point I should be able to show you a step-by-step guide on how to achieve it. Sorry, I have to listen to the lawyers.

  5. Will it work with iOS 5?

  6. Yes, it can be done on any iOS device, including iOS 5.1

  7. I met Aamir and Tim at DC Geek Day. I asked him about the hack. After a little convincing he showed me the hack and was able to jailbreak my iPhone 4 and get my text messages and web history. All he had was my cell phone number. I had turned the wifi settings off. He said the only limitation he knew was it would not work on the iPad 3 or the iPhone 4S. The phone also “loses” its jailbreak after a reboot so there was no way to tell if you were hacked. Wicked stuff!

  8. Hey is there any way I could contact you privately? I was reading this blog and wanted to know a little more.

  9. Yes, is there a way to contact you privately to find out a little more?

  10. dee smith says:

    please help me asap how to hack sms on iphone….asap

  11. Andreas says:

    I would like to know more details about the hack; how could I get them? Is there any way you could send me an email about the details or anything?

  12. Funny, I have a feeling this happened to me recently. I’m trying to find a way to view this but my account may not have been pushed. I have AT&T and my settings are all the same, but for some reason a member of my household can access my text messages in and out. Not sure if that’s the full extent but I believe so. Any ideas?

  13. Aamir Lakhani says:

    Sorry, not allowed to reveal how we did the attack because of NDAs. The vulnerability is pretty much patched in iOS 5.1.1

  14. My iphone was stolen and all I care about are my pictures. I have no idea if I set up photo stream or even how to access it online. It is turned off. I was wondering if I or you could locate it turned off or manually turn it on away from the device. Or even edit it away from the device to get the pictures off it

  15. Please do email me and help me asap too yeah. Really need some urgent use of it. I need the detailed steps as I’m not exactly very IT savvy.

  16. Does this work with any smartphone? Boost, Samsungs, etc.?

  17. Hi Aamir,
    How can we contact you directly? What is your email address?

  18. oh my god!!

    how do you block people doing this to you?!

  19. Aamir Lakhani says:

    We have a couple of articles on this site on how to protect against these attacks. The best thing you can do is:

    1. Make sure your phone is never jailbroken

    2. Make sure you have the latest software on your device. This includes the operating system on your phone as well as apps.

    3. Never connect to open wifi. This means no free wifi or coffee shop wifi. If you are tech savvy, then use SSL and a VPN.

    4. Be careful when connecting to trusted wifi networks. Make sure there are no rogue access points. You may be able to do very little here.

  20. Aamir Lakhani says:

    You can leave a comment here or look at the About the Founder page for my twitter or email.

  21. Anonymous says:

    I’m sorry but I don’t see your email address listed.

  22. Izabela says:

    Hi,
    is there any way to find out whether my text messages are read on my iPhone 4? I know they are but don’t know how.
    Also need help to get rid of the person who’s been hacking my MacBook since 2008 and reading emails, listening to conversations via Skype and recording my laptop camera video. Waiting for any reply or help as I’m on the verge of madness.
    Thank you.

  23. Aamir,

    For my clarity, would you not be able to give me step by step, so that I can do this on my own?
    and further, are you saying that it’s not possible on iOS 5.1.1?

  24. Aamir Lakhani says:

    Yes that is correct, I am not allowed to give you step by step directions on how to recreate this attack (sorry, not my choice).

    If you have iOS 5.1.1 and you are not jailbroken, I do not know of a way to carry out the exact same method of attack. Your SMS (or databases) may still be vulnerable, but not in the same way this attack was carried out.