Researcher finds serious SMS spoofing flaw on iOS
Summary: A well-known security researcher urges iPhone users to distrust the legitimacy of text messages at first sight.
A security researcher who goes by the handle "pod2g" has found a serious vulnerability in the way iOS devices handle SMS messages, and warns that online criminals could exploit it.
The flaw, which the researcher describes as "severe," has existed since SMS was first implemented on the iPhone and is still present in iOS 6 beta 4.
According to a post on pod2g's blog, an attacker can exploit this flaw to send an SMS that appears to come from the recipient's bank, asking for sensitive information or luring them to a maliciously rigged web site. In other scenarios, an attacker could send a spoofed text message to an iPhone user to use as false evidence, or send spoofed messages to manipulate iPhone users into thinking they are receiving legitimate SMS messages.
Here's the skinny on the problem:
- If you either own a smartphone, or a modem and an account with an SMS gateway, you can send texts in raw PDU format (some services also exist to send a text with an HTTP request in raw PDU format). For the easiest smartphone option, there are different tools available online. I made one for the iPhone 4 that I will publicize soon.
- In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features that not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.
- Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On the iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.
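The mechanism pod2g describes, as an added worked example (not code from the original post, from pod2g's tool, or from Apple): a Python script that builds an SMS-DELIVER PDU whose User Data Header carries a Reply Address Element (IEI 0x22 in 3GPP TS 23.040) and then decodes it the way a careful handset should, surfacing both the originating address and the reply-to address instead of silently substituting one for the other. The phone numbers, message text and timestamp are constructed sample data. The text is carried as UCS-2 (TP-DCS 0x08) so the example avoids the 7-bit fill-bit alignment a GSM-alphabet message with a UDH would need. The same UDH octets go into the SMS-SUBMIT handed to a gateway or modem; the decoder here works on the SMS-DELIVER the handset receives.

```python
"""SMS Reply Address Element (UDH IEI 0x22) encoder/decoder.

Added example, not code from the article or from Apple. Numbers, text and
timestamp below are constructed sample data.
"""

REPLY_ADDRESS_IEI = 0x22   # Reply Address Element, 3GPP TS 23.040 UDH IE


def encode_address(number: str) -> bytes:
    """Encode a number as a TP address field: digit count, type-of-address,
    then swapped-nibble BCD digits (odd length padded with 0xF)."""
    if number.startswith('+'):
        toa, digits = 0x91, number[1:]      # international numbering plan
    else:
        toa, digits = 0x81, number          # unknown type, ISDN plan
    if not digits.isdigit():
        raise ValueError('address must be decimal digits')
    padded = digits + 'F' if len(digits) % 2 else digits
    swapped = ''.join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + bytes.fromhex(swapped)


def decode_address(buf: bytes, pos: int):
    """Decode a TP address field at buf[pos]; return (number, next_pos)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex().upper()
    digits = ''.join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    prefix = '+' if (toa & 0x70) == 0x10 else ''
    return prefix + digits, pos + 2 + nbytes


def build_deliver_pdu(originator: str, reply_to, text: str,
                      scts: bytes = bytes.fromhex('21807101000000')) -> bytes:
    """SMS-DELIVER TPDU (no SMSC prefix). When reply_to is given, the UDHI bit
    is set and the UDH carries a Reply Address Element pointing at reply_to.
    scts is a constructed TP-SCTS (2012-08-17 10:00:00 UTC, swapped BCD)."""
    udh = b''
    if reply_to is not None:
        addr = encode_address(reply_to)
        ies = bytes([REPLY_ADDRESS_IEI, len(addr)]) + addr
        udh = bytes([len(ies)]) + ies                  # UDHL + IEs
    ud = udh + text.encode('utf-16-be')                # UCS-2 body
    first_octet = 0x04 | (0x40 if udh else 0x00)       # MTI=DELIVER, MMS=1, UDHI
    return (bytes([first_octet]) + encode_address(originator)
            + bytes([0x00, 0x08])                      # TP-PID, TP-DCS (UCS-2)
            + scts + bytes([len(ud)]) + ud)


def parse_deliver_pdu(pdu: bytes) -> dict:
    """Decode an SMS-DELIVER and return sender, reply-to (if any) and text."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError('not an SMS-DELIVER')
    udhi = bool(first & 0x40)
    sender, pos = decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    pos += 2 + 7                                       # skip PID, DCS, TP-SCTS
    ud = pdu[pos + 1:pos + 1 + pdu[pos]]               # TP-UDL bounds the UD
    reply_to, body = None, ud
    if udhi:
        udhl = ud[0]
        ies, body = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i + 1 < len(ies):                        # walk the IE list
            iei, iel = ies[i], ies[i + 1]
            data = ies[i + 2:i + 2 + iel]
            if iei == REPLY_ADDRESS_IEI and len(data) >= 2:
                reply_to, _ = decode_address(data, 0)
            i += 2 + iel
    if dcs != 0x08:
        raise ValueError('this example decodes UCS-2 bodies only')
    return {'sender': sender, 'reply_to': reply_to, 'text': body.decode('utf-16-be')}


def render_for_user(msg: dict) -> str:
    """What a careful handset UI should show: the true origin always, and the
    reply-to number explicitly whenever it differs from the origin."""
    if msg['reply_to'] and msg['reply_to'] != msg['sender']:
        return f"From {msg['sender']} (replies go to {msg['reply_to']}): {msg['text']}"
    return f"From {msg['sender']}: {msg['text']}"


if __name__ == '__main__':
    spoof = build_deliver_pdu('+15555550100', '+18005550199',
                              'Your account is locked. Reply with your PIN.')
    print(spoof.hex())
    print(render_for_user(parse_deliver_pdu(spoof)))
```

The point of `render_for_user` is the contrast with the behaviour the article describes: a UI that prints only `reply_to` as the sender hides the origin, while one that shows both leaves the recipient able to notice that a "bank" message expects its replies at an unrelated number.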
Talkback
So, the carriers don't verify the contents of their SMS protocol
Has nothing to do with carriers verifying contents
Sounds like that's the standard
Again, this is no different from email and I suspect other devices would probably have the same issues in how they handle it, if they follow the standard, too.
I guess you missed this part of the report
Blame Shifting
Expected...
I guess you also missed this part of the report
Check against what?
The whole purpose of a Reply-To field is simply that, to set the address to receive replies.
It is Apple's fault to present the Reply-To as the Sender.
Nothing new
User areas
Where do you put your family photos?
Dropbox will only use a user area, unless you're a real geek or have a business network.
Perhaps this kind of attack will make people do something sensible, but I very much doubt it.
I use Windows
Why just iPhone?
You are all children
But then again it's probably astro-turfers anyway hoping to trap those as dumb as they are!
This is an email-like security hole.
I have received this sort of phishing attempt on non-smartphones.
This is not caused by Apple, nor is it caused by any shiny buttons.
Apple may be able to improve the situation though.
All you nit-wits arguing that a good and easy to use UI is somehow wrong just go back to DOS and STFU.
A bank asking for sensitive info?