Feeds

White hat warns against iPhone SMS spoofing bug

Apple: It's not US, it's the technology...

High performance access to file storage

Security researchers have discovered an iPhone bug that allows for spoofed SMSes with bogus return addresses to be sent to fanbois.

The bug creates a means for interested parties to send SMS messages to affected handsets that appear to come from any (arbitrary) number that the sender specifies. The issue specifically affects iPhone-fondlers because of the way Apple's iOS handles the User Data Header component of SMS text messages, which defines advanced features only used in smartphones. Specifically, iPhones don’t display the phone number of the indivdual who sent you a message, just whatever name they choose to type in.

Using the flaw, an attacker might be used to spoof messages from either banks or credit card firms, perhaps inviting potential marks to visit websites under the control of hackers. As such it poses a phishing risk, especially with the increased use of mobile banking, to say nothing about the use of text messages to mobiles for out-of-band online banking authentication.

Pod2g, the white hat security researcher who discovered the bug, said the flaw has existed since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.

In a blog post, Pod2g explains the impact of the bug.

"In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

"Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."

Pod2g is calling on Apple to fix the flaw before releasing the final version of iOS 6.

Apple urged customers to be wary of spoofed SMS messages.

"Apple takes security very seriously," the firm said in a statement, PC World reports. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.

"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," it adds. iMessage is Apple's encrypted instant messaging service. ®

SANS - Survey on application security programs

More from The Register

next story
Virgin Media so, so SORRY for turning spam fire-hose on its punters
Hundreds of emails flood inboxes thanks to gaffe
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
AT&T dangles gigabit broadband plans over 100 US cities
So soon after a mulled Google Fiber expansion, fancy that
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
Google looks to LTE and Wi-Fi to help it lube YouTube tubes
Bandwidth hogger needs tube embiggenment if it's to succeed
Turnbull gave NBN Co NO RULES to plan blackspot upgrades
NBN Co faces huge future Telstra bills and reduces fibre footprint
NBN Co plans fibre-to-the-basement blitz to beat cherry-pickers
Heading off at the pass operation given same priority as blackspot fixing
NBN Co in 'broadband kit we tested worked' STUNNER
Announcement of VDSL trial is not proof of concept for fibre-to-the-node
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.