Researcher finds serious SMS spoofing flaw on iOS

Summary: A well-known security researcher urges iPhone users to distrust the legitimacy of text messages at first sight.

TOPICS: Security

A security researcher who goes by the handle "pod2g" has found a serious security vulnerability in the way iOS devices handle SMS messages, warning that it could be exploited by online criminals.

The flaw, which the researcher describes as "severe," has existed since SMS was first implemented in the iPhone, and is still present in iOS 6 beta 4.

According to a post on pod2g's blog, an attacker can exploit this flaw to send an SMS that appears to come from the recipient's bank, asking for sensitive information or luring them to a maliciously rigged web site. In another scenario, an attacker could send a spoofed text message to an iPhone user for use as false evidence, or send spoofed messages to manipulate iPhone users into thinking they are receiving legitimate SMS messages.

Here's the skinny on the problem:

  • If you either own a smartphone, or a modem and an account in an SMS gateway, you can send texts in raw PDU format (some services also exist to send a text with an HTTP request in raw PDU format). For the easiest smartphone option, there are different tools available online. I made one for the iPhone 4 that I will publicize soon.
  • In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.
  • Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.

Because of the severity of this flaw, pod2g is calling on Apple to fix this issue before the final release of iOS 6.
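To make the "good implementation" pod2g describes concrete, here is an added example (not pod2g's tool and not Apple's code) that decodes an SMS-DELIVER PDU, pulls the originating address (TP-OA) and any Reply Address Element (IEI 0x22 in the UDH) out separately, and renders both so the reply-to number can never masquerade as the sender. The sample PDU is constructed for this example; it assumes the reply address element is coded like TP-OA and uses an 8-bit (DCS 0x04) body to avoid 7-bit unpacking.

```python
from dataclasses import dataclass
from typing import Optional
IEI_REPLY_ADDRESS = 0x22  # Reply Address Element IEI (3GPP TS 23.040)

def _read_address(buf: bytes, pos: int):
    """Address field: digit count, type-of-address, reversed-nibble BCD digits."""
    ndigits, toa = buf[pos], buf[pos + 1]
    raw = buf[pos + 2 : pos + 2 + (ndigits + 1) // 2]
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # 0x91 = international number
    return prefix + digits, pos + 2 + len(raw)

@dataclass
class Deliver:
    originator: str            # TP-OA: the address the network delivered it from
    reply_to: Optional[str]    # UDH Reply Address Element, if one is present
    text: str

def decode_deliver(hexpdu: str) -> Deliver:
    buf = bytes.fromhex(hexpdu)
    pos = 1 + buf[0]                      # skip SMSC address (length is in octets)
    first, pos = buf[pos], pos + 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    originator, pos = _read_address(buf, pos)
    dcs = buf[pos + 1]
    pos += 2 + 7 + 1                      # TP-PID, TP-DCS, 7-byte TP-SCTS, TP-UDL
    ud, reply_to = buf[pos:], None
    if first & 0x40:                      # TP-UDHI: a User Data Header is present
        hdr, ud = ud[1 : 1 + ud[0]], ud[1 + ud[0] :]
        i = 0
        while i + 2 <= len(hdr):          # walk the information elements
            iei, iedl = hdr[i], hdr[i + 1]
            if iei == IEI_REPLY_ADDRESS:  # element data assumed coded like TP-OA
                reply_to, _ = _read_address(hdr, i + 2)
            i += 2 + iedl
    if dcs != 0x04:
        raise ValueError("this example decodes 8-bit data only (no 7-bit unpacking)")
    return Deliver(originator, reply_to, ud.decode("latin-1"))

def render(msg: Deliver) -> str:
    """A careful UI: real origin first, reply-to shown as a separate, flagged line."""
    line = f"From: {msg.originator}"
    if msg.reply_to and msg.reply_to != msg.originator:
        line += f"  (replies go to {msg.reply_to}, not the sender)"
    return line + f"\n{msg.text}"

SAMPLE_TEXT = b"Account locked, reply to confirm"   # constructed sample, not a capture
SAMPLE_PDU = ("00" "44" "0B915155210300F0" "00" "04" "21807121000000"   # from +15551230000
              + f"{1 + 10 + len(SAMPLE_TEXT):02X}" + "0A" "2208"         # TP-UDL, UDHL, IE hdr
              + "0B915155990900F0" + SAMPLE_TEXT.hex())                   # reply-to +15559990000
```

Running `print(render(decode_deliver(SAMPLE_PDU)))` shows the originating number and the differing reply-to on the same line, which is exactly the distinction the iOS display of the time collapsed.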

  • So, the carriers don't verify the contents of their SMS protocol

    but it's somehow Apple's fault. I see. Then again, your company doesn't sell A/V software for phone carriers.
    • Has nothing to do with carriers verifying contents

      This isn't about carriers verifying contents; it's about iOS presenting the reply-to address to the user as the sender of the message rather than the actual sender address.
      • Sounds like that's the standard

        Sure, Apple could deviate from the standard, but that's generally a bad thing. (Not to mention folks would cry foul that they were doing "proprietary" stuff with SMS).

        Again, this is no different from email and I suspect other devices would probably have the same issues in how they handle it, if they follow the standard, too.
      • I guess you missed this part of the report

        "Most carriers don't check this part of the message, which means one can write whatever he wants in this section"
  • Blame Shifting

    I like how it's never Apple's fault ever, lol.
    • Expected...

      You wouldn't expect anything less from the usual team of Apple fanbois, would you?
    • I guess you also missed this part of the report

      "Most carriers don't check this part of the message, which means one can write whatever he wants in this section"
      • Check against what?

        How would the carrier, or anyone else, know that it is incorrect?

        The whole purpose of a Reply-To field is simply that, to set the address to receive replies.

        It is Apple's fault to present the Reply-To as the Sender.
  • Nothing new

    Since it's always been easy to spoof the sender of an SMS using other means, this is pretty much irrelevant. It would be easier to use other methods.
    Carlos Alvarez
  • Researcher finds serious SMS spoofing flaw on iOS

    Doesn't affect me because I don't use iOS. Sound familiar?
    Loverock Davidson-
  • User areas

    Need to get rid of those stupid user areas which are ideal targets for attack (Windoze *and* Linux). User data should go on a data disk or partition.

    Where do you put your family photos?

    Dropbox will only use a user area, unless you're a real geek or have a business network.

    Perhaps this kind of attack will make people do something sensible, but I very much doubt it.
    Daddy Tadpole
  • I use Windows

    I look at my mail box and say no, no, no, yes. Not hard to tell my real mail from crap that even comes up looking like CNET's mail. Know the old saying: look before you leap. Better yet, read before you click, even text messages.
  • Why just iPhone?

    AFAIK, nearly every device that receives SMS has the same issue with the spoofable reply-to field; the option to enter alphanumeric content and have this display on the phone has been very useful for legitimate senders.
  • You are all children

    The whole argument above is kiddy stuff.

    But then again it's probably astro-turfers anyway hoping to trap those as dumb as they are!

    This is an email like security hole.

    This sort of Phishing attempt I have received on non-smartphones.

    This is not caused by Apple, nor is it caused by any shiny buttons.

    Apple may be able to improve the situation though.

    All you nit-wits arguing that a good and easy to use UI is somehow wrong just go back to DOS and STFU.
  • A bank asking for sensitive info?

    Any bank that asks for sensitive information by phone, email or SMS should be closed straight away.