iPhone SMS Attack: A Perfect Example Of Apple and AT&T Customer Service FAIL

This is a perfect example of what not to do during a time of confusion: stay silent. After news broke yesterday evening that iPhone users are at risk of having their device taken control of by a hacker, the web, radio, newspapers, TV, and the rest of the mainstream media have picked up on the story. iPhone users that aren’t privy to the details of the situation are scared. Being the go-to tech guy for friends, relatives, and clients, I’ve been receiving questions all day asking for advice. I don’t mind answering questions or helping people out; quite the opposite in fact. But what I do find deplorable is that Apple and AT&T are staying completely mum on the situation: there are no official blog posts, email updates, or – ironically – text messages to iPhone owners regarding the current status of the affairs. And that is poor communication, plain and simple.

Let’s get the basics out of the way: two security researchers – Collin Mulliner and Charlie Miller – have found a serious exploit in the way the iPhone handles SMS messages. If a hacker plays his cards right, he would be able to take complete control of an iPhone by means of sending a text message to the device. Complete control means making phone calls, stealing data, sending text messages without the owner’s consent… you get the idea.

But it gets worse: Apple was notified about the exploit six weeks ago. And in that time, the company has not issued an update to the iPhone OS. By comparison, the Android OS was also vulnerable to a similar attack. Google fixed the problem within a day or two of being notified of the problem. And all that brings us to the present: this evening, the two researchers who found this bug are presenting their exploit at the Black Hat security conference in Las Vegas. Yet the most interesting part of all this is that neither Apple nor AT&T have made any official statements regarding the situation:

• The latest headline on Apple’s Hot News web page reads Apple releases MobileMe iDisk app. That app will surely do us a lot of good when hackers are getting ready to direct our iPhones to call Sri Lanka at $1.23 per minute!
• AT&T’s web page dedicated to all things iPhone doesn’t even have a blog/latest news section. That is, if you can even find the iPhone page within AT&T’s site. Hint: It’s at att.com/iphone.
• And – finally – no text messages have been sent to any customers regarding the status of the situation. I remember that AT&T sent me a message a few months ago when an update to the iPhone OS was released, directing me to connect my iPhone the computer and grab the update. But that was at a time when security wasn’t at the forefront of anybody’s brain. Receiving a text message update today would be far more important than it was back then.

Without knowing what to do and what security precautions to take, my iPhone-owning friends are panicking. They’ve checked apple.com and have found nothing. They’ve Googled the status of the affair, or called me. And I didn’t know what to tell them. So some of them have resorted to turning their iPhones off completely!

Can you join me in saying that this particular case of customer service is a complete and utter example of FAIL?

In Apple’s defense, the company’s iPhone engineers may be frantically trying to figure out the details of the exploit and put out an update. They may be collaborating with AT&T, trying to find the solution to the problem. In fact, that’s what they’re most likely doing at the current moment! But while the engineers are doing that, the customer service departments at both companies need to put out some updates. Nothing special, just something saying that both companies are looking into the situation and expect to release further details at a certain time later today, directing customers to a special web page with updates regarding this particular scenario. This is a situation where Apple’s well-known tradition of silence and secrecy hurts the customer. But then again, the silence is more for the company than the customer, isn’t it?

We will be discussing this story further on today’s TNR Daily Bit Podcast: Live at 5:30p EST (21:30GMT). Join us here.

Image courtesy of ThePhoenix

Update 1: I would like to follow up and say that I understand that the exploit isn’t “in the wild” so to speak: it has not yet had any real-world effects. However, regular consumers (read: not geeks) knew about it and were asking me questions since early morning. So in that regard alone, Apple and AT&T should have done a better job communicating that it is investigating the bug and working on a fix; at the very least! At most, they could have stated the obvious: that the exploit is not yet public and that consumers shoudln’t be worried just yet. Although that could have had its own set of adverse effects. Perhaps it would prompt other “security experts” to find the bug and exploit it themselves on the unaware public.

Update 2: Secondly, Apple should have plain and simple fixed the bug a long time ago (read: when it was told about it). Thanks to Jason Statham in the comments. PS: I’m so delighted we have such high-profile readers and commenters on our site!

Posted in ATT, Apple, Business, Customer Service, Featured, Security, iPhone