Hacker discovers iPhone SMS spoofing issue, asks Apple to fix for iOS 6

Posted in iPhone; edited January 2014
An independent security researcher in the UK has publicized an iPhone SMS spoofing issue that he hopes Apple will address in iOS 6.

According to a blog post by "pod2g", iOS honors optional, advanced features carried in an SMS message's User Data Header (UDH), among them an element that sets a "reply to" address distinct from the number the message was actually sent from.

Not all handsets honor these header elements, and "most carriers don't check this part of the message, which means one can write whatever he wants in this section," the hacker writes. A handset that ignores the element simply shows the originating number, so this particular trick mostly affects iPhone users, or more precisely users of any phone that treats the reply address the way iOS does.

Because the iPhone displays only the "reply to" address when one is present, and never the originating number, the user has no way to verify the identity of the depicted sender or to tell that the message came from someone other than the displayed phone number (unless the message arrives via Apple's iMessage, which is encrypted and unaffected by the SMS flaw because it is not an SMS).

In describing the issue, pod2g writes: "I consider [the flaw] to be severe, while it does not involve code execution."

An attacker could therefore send "spoofed" SMS messages that appear to come from a friend or a trusted party such as a bank, much as spammers forge e-mail headers, since neither SMS nor the basic e-mail specification authenticates the sender named in the header.

The researcher asks Apple to address the issue before iOS 6 ships, noting that the behavior is still present in its latest, fourth developer beta.
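To make the mechanism concrete, here is an added Python example (not pod2g's or Apple's code) that builds an SMS-DELIVER TPDU whose User Data Header carries a Reply Address Element, parses it back, and compares a handset that shows the reply address as the sender with one that always shows the originating number. Assumptions: the element's identifier 0x22 is quoted from memory of 3GPP TS 23.040 and should be checked against the spec; the message uses 8-bit data coding so no 7-bit septet packing is needed; the SMSC address prefix is omitted; the phone numbers and timestamp are constructed.

```python
"""Build and parse an SMS-DELIVER TPDU (3GPP TS 23.040) whose User Data Header
carries a Reply Address Element, then compare two ways of showing the sender.
Added example; not pod2g's or Apple's code."""
from typing import Optional

# IEI of the Reply Address Element in the UDH, as recalled from TS 23.040
# section 9.2.3.24 (assumption: verify against the spec before relying on it).
IEI_REPLY_ADDRESS = 0x22
TOA_INTERNATIONAL = 0x91   # type-of-address: international, ISDN/telephone plan
DCS_8BIT = 0x04            # TP-DCS: 8-bit data, so no 7-bit septet packing needed


def _encode_address(number: str) -> bytes:
    """TP-OA layout: digit count, type-of-address, nibble-swapped BCD digits."""
    digits = number.lstrip("+")
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), TOA_INTERNATIONAL]) + bytes.fromhex(swapped)


def _decode_address(buf: bytes, pos: int):
    """Inverse of _encode_address; returns (number, position after the field)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2 : pos + 2 + nbytes].hex().upper()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    return ("+" if toa == TOA_INTERNATIONAL else "") + digits, pos + 2 + nbytes


def build_deliver_pdu(originating: str, text: str, reply_to: Optional[str] = None) -> bytes:
    """SMS-DELIVER TPDU without the SMSC address prefix. The UDH is only
    present (and TP-UDHI only set) when a reply address is requested."""
    udh = b""
    if reply_to is not None:
        ied = _encode_address(reply_to)
        udh = bytes([IEI_REPLY_ADDRESS, len(ied)]) + ied
        udh = bytes([len(udh)]) + udh              # UDHL prefix
    first_octet = 0x04 | (0x40 if udh else 0)      # MTI=00 DELIVER, MMS=1, UDHI if UDH
    scts = bytes.fromhex("21807100000000")         # TP-SCTS 2012-08-17 00:00:00 (constructed)
    user_data = udh + text.encode("ascii")
    return (bytes([first_octet]) + _encode_address(originating)
            + bytes([0x00, DCS_8BIT])              # TP-PID, TP-DCS
            + scts + bytes([len(user_data)]) + user_data)


def parse_deliver_pdu(pdu: bytes) -> dict:
    """Return originating number, reply address from the UDH (if any) and text."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    originating, pos = _decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    pos += 2 + 7                                   # skip TP-PID, TP-DCS, TP-SCTS
    if dcs != DCS_8BIT:
        raise ValueError("example only decodes 8-bit user data")
    udl = pdu[pos]
    user_data = pdu[pos + 1 : pos + 1 + udl]
    reply_to, body = None, user_data
    if first & 0x40:                               # TP-UDHI: user data starts with a header
        udhl = user_data[0]
        header, body = user_data[1 : 1 + udhl], user_data[1 + udhl :]
        i = 0
        while i + 2 <= len(header):                # walk IEI / IEDL / IED triples
            iei, iedl = header[i], header[i + 1]
            ied = header[i + 2 : i + 2 + iedl]
            if iei == IEI_REPLY_ADDRESS and len(ied) >= 2:
                reply_to, _ = _decode_address(ied, 0)
            i += 2 + iedl
    return {"originating": originating, "reply_to": reply_to, "text": body.decode("ascii")}


def displayed_sender(msg: dict, honor_reply_address: bool) -> str:
    """honor_reply_address=True models the behaviour the article describes
    (the reply address replaces the sender); False is the hardened display,
    which always shows TP-OA and flags a reply address that differs."""
    if honor_reply_address and msg["reply_to"]:
        return msg["reply_to"]
    sender = msg["originating"]
    if msg["reply_to"] and msg["reply_to"] != sender:
        sender += f" (replies go to {msg['reply_to']})"
    return sender


if __name__ == "__main__":
    # Constructed numbers: the attacker's own line and an impersonated bank number.
    pdu = build_deliver_pdu("+15550001111", "Bank: confirm your PIN",
                            reply_to="+18005550199")
    msg = parse_deliver_pdu(pdu)
    print("TPDU  :", pdu.hex())
    print("naive :", displayed_sender(msg, honor_reply_address=True))
    print("strict:", displayed_sender(msg, honor_reply_address=False))
```

Run as a script, the naive display shows the impersonated bank number while the strict display shows the attacker's originating number and notes where a reply would go, which is the behaviour pod2g asked for. The same parser can be used on the network side: an SMSC that has no business forwarding a reply address from untrusted submitters can walk the UDH the same way and drop the element.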

Comments

  • Reply 1 of 15
    charlituna (Posts: 7,217, member)
    Another hacker getting fame exploiting the media's love of Apple for getting page hits.

    If his interest was just in seeing it fixed he would have quietly told Apple.
  • Reply 2 of 15
    dev200
    I would not say this is severe at all. So what if they send a text saying "I'm your bank, send me your pin" because the reply isn't going to them. You always know who you're replying to… Seems like an issue the carriers need to verify if they really don't want someone to specify another reply-to address, iOS seems to be behaving according to the standard.

  • Reply 3 of 15
    vaelian (Posts: 446, member)
    SMS spoofing is an issue that predates iPhone, and there's really nothing Apple can do about it since it is caused by exactly the same constraints that allow E-mail spoofing: trusting all relays between the sender and the receiver. Without cryptographic public-key signatures, which are unfeasible in the case of SMSes due to their short maximum size, there is no way for the receiver to authenticate the sender.
  • Reply 4 of 15
    jragosta (Posts: 10,473, member)
    dev200 wrote: »
    I would not say this is severe at all. So what if they send a text saying "I'm your bank, send me your pin" because the reply isn't going to them. You always know who you're replying to… Seems like an issue the carriers need to verify if they really don't want someone to specify another reply-to address, iOS seems to be behaving according to the standard.

    Of course. But reality doesn't get as many headlines as "Major new security flaw affects only iPhones".
  • Reply 5 of 15
    Two jailbreak apps already let you spoof text messages: SpoofTexting and SpoofCard, both in Cydia.

  • Reply 6 of 15
    allenbf (Posts: 993, member)
    jragosta wrote: »
    Of course. But reality doesn't get as many headlines as "Major new security flaw affects only iPhones".

    Exactly.

  • Reply 7 of 15
    japm (Posts: 36, member)
    dev200 wrote: »
    So what if they send a text saying "I'm your bank, send me your pin" because the reply isn't going to them. You always know who you're replying to…

    Exactly! This is NOT a security issue at all.

  • Reply 8 of 15
    normm (Posts: 653, member)
    vaelian wrote: »
    SMS spoofing is an issue that predates iPhone, and there's really nothing Apple can do about it since it is caused by exactly the same constraints that allow E-mail spoofing: trusting all relays between the sender and the receiver. Without cryptographic public-key signatures, which are unfeasible in the case of SMSes due to their short maximum size, there is no way for the receiver to authenticate the sender.

    Apple could indicate when the sender is authenticated (e.g., show a little lock icon or something when it's able to use iMessage to send the message). But it already uses a different color, so maybe that's just an education issue. Still, it might be a worthwhile marketing issue to make the security of iMessage more obvious.
  • Reply 9 of 15
    mstone (Posts: 11,510, member)
    Probably shouldn't click on links in an SMS even though I don't think you can hide the URI in a txt the way you can in an HTML email.

    Good to know that they can be spoofed though.

    If one was living some secret incognito lifestyle, it could be a concern that an enemy might try to trick you into going to a certain location at a certain time, but that doesn't seem like a widespread security issue.

  • Reply 10 of 15
    mactoid (Posts: 112, member)
    Besides, what legitimate bank (or any other business) is going to TEXT message you for sensitive information? Really? Oh... I suppose next you're going to tell me I shouldn't shove my hand into a spinning fan!

  • Reply 11 of 15
    It's not news if it's an inherent problem with SMS, which it is.

  • Reply 12 of 15
    gazoobee (Posts: 3,754, member)
    NormM wrote: »
    Apple could indicate when the sender is authenticated (e.g., show a little lock icon or something when it's able to use iMessage to send the message). But it already uses a different color, so maybe that's just an education issue. Still, it might be a worthwhile marketing issue to make the security of iMessage more obvious.

    They already do this.

    As pointed out above by Vaelian, this is actually an SMS security flaw due to the lack of encryption and the way it's handled by the carriers. iMessage is completely secure and not affected by this in any way. If someone is using SMS to you and you pick it up on your iOS device, the colour of the bubble tells you whether they are also using iMessage at the other end. It even automatically switches to this far more secure protocol. The only danger (and despite what some are saying it is a real security risk) is in the use of SMS and the way the carriers don't authenticate it at all.

    If green, unsafe. Else if blue, safe.

    All the stuff about the "earnestness" of the guy who reported it is him trying to be famous. All the stuff that implies that Apple is somehow refusing to fix it is misdirection for page hits.

  • Reply 13 of 15
    gatorguy (Posts: 24,153, member)
    "While all devices are capable of receiving these messages, iOS does not allow you to view the number that you're replying to. This enables a malicious sender to fake his identity, making you think that a trusted number is sending the SMS. Because the "reply-to" number is different to the number displayed, iOS would send your message to a hidden number without you realizing."


    So it sounds like a problem somewhat unique to iOS, and perhaps a concern for users right?


    BUT not really. . .


    "While this is an issue Apple should address, there isn't any immediate danger, as companies and financial institutions would never encourage sharing sensitive data over SMS. The researcher states that this could be used to impersonate your bank or incriminate you, but it's difficult to imagine a situation where a user would start divulging sensitive information through a text message. The fact that this flaw has been around since the dawn of iOS but wasn't exploited in a large enough scale to raise eyebrows, speaks volumes."


    http://www.theverge.com/2012/8/17/3249192/ios-sms-security-flaw-phishing-pod2g

  • Reply 14 of 15
    pendergast (Posts: 1,358, member)
    gatorguy wrote: »
    "While all devices are capable of receiving these messages, iOS does not allow you to view the number that you're replying to. This enables a malicious sender to fake his identity, making you think that a trusted number is sending the SMS. Because the "reply-to" number is different to the number displayed, iOS would send your message to a hidden number without you realizing."

    So it sounds like a problem somewhat unique to iOS, and perhaps a concern for users right?

    BUT not really. . .

    "While this is an issue Apple should address, there isn't any immediate danger, as companies and financial institutions would never encourage sharing sensitive data over SMS. The researcher states that this could be used to impersonate your bank or incriminate you, but it's difficult to imagine a situation where a user would start divulging sensitive information through a text message. The fact that this flaw has been around since the dawn of iOS but wasn't exploited in a large enough scale to raise eyebrows, speaks volumes."

    http://www.theverge.com/2012/8/17/3249192/ios-sms-security-flaw-phishing-pod2g

    I would think a more likely scenario would involve requesting inappropriate pictures, as that's apparently the world we live in.
  • Reply 15 of 15
    vaelian (Posts: 446, member)
    gatorguy wrote: »
    So it sounds like a problem somewhat unique to iOS, and perhaps a concern for users right?

    No, SMS spoofing (both names and numbers) is not an iOS-only problem at all and it predates the iPhone, as I mentioned earlier -- I remember doing it (the name spoofing) in 2004 as the high-end Nokias and Siemenses already supported named senders at the time. The number you receive messages from belongs to a central, which can lie about the number it relays messages from, too, so attempting to fix this by displaying a number in the message is as pointless as you are always trusting the sender's central.