iPhone Bug Allows SMS Spoofing
Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."
Pretty much iOS hides the SMS equivalent of the From: field, and only shows the Reply To: field
Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.
I'm no apple fanboy by any stretch of the imagination, but this seems like a security vulnerability with the cell phone system, not with the app. No client should ever be trusted in a network security context, and this is no different. It may have shown up as a bug in the iPhone software, but it is the cell networks that should have protection against these sorts of things...
I don't understand why people even do banking on a device that is so easily lost. And before people start screaming at me, please know that this is coming from someone who had his bank account broken into from using only legitimate ATMs from actual banks (didn't even know there was such a thing as a card skimmer).
As long as you are allowed to mess with the SMS message header, you can do this on ANY phone - it's part of the GSM standard - Small Message Service was intended for testing & internal use, nowhere is it stated that the "Sender" field must be the actual sending phone number. In fact, that field is alphanumeric, you can put anything in there, not just numbers. Also, there's nothing in the GSM network to prevent this, the message is routed by destination, not by sender.
I was sending "faked" messages like those over 10 years ago using the "service" menus on old Nokia & Motorola GSM phones.
Anyone relying on those SMS headers for authentication is either stupid or malicious.
The only thing SMS authentication stuff is used for is for the bank/etc to send you an SMS with a code in it that you need to enter to login. How does someone else sending you a non-working code at a time you likely aren't trying to login to your bank/etc anyway possibly matter in the slightest?
Sure some people probably thought they could trust the sender information on an SMS, and its not being so might enable some shenanigans (sending X a rude/etc message that seems to be from Y), but I can't see how it damages two factor authentication via SMS.
The cell phone system itself doesn't look in the user data header. It's in the text area, and an in-band extension to SMS. Many programmable phones let applications send whatever they want in the user data header.
This is only a problem for phones and SMS gateways dumb enough to believe any ID information in the user data header. Now if Apple displays the source in the user data header in place of the telco-provided source, they're doing it wrong.
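Added example, not code from the thread or from Apple: a small decoder that shows the distinction the comment above draws, pulling the carrier-supplied originating address (TP-OA) and any reply address carried in the in-band User Data Header out of an SMS-DELIVER PDU and flagging when the two disagree, which is the check a client should make before choosing what to display. The PDU is constructed for this example; the Reply Address Element layout (IEI 0x22, address coded like TP-OA) is assumed from 3GPP TS 23.040, and TP-DCS 0x04 (8-bit data) is used so the text needs no GSM 7-bit unpacking.

```python
# Decode an SMS-DELIVER PDU and compare the network-supplied sender with any
# reply address the sender placed in the User Data Header (UDH). Constructed
# example; Reply Address Element layout (IEI 0x22, TP-OA style address) is
# assumed from 3GPP TS 23.040, and TP-DCS is 8-bit data to keep it short.
REPLY_ADDRESS_IEI = 0x22

def _decode_address(buf: bytes, pos: int):
    """Decode Address-Length / Type-of-Address / swapped-nibble digits at pos."""
    ndigits, toa = buf[pos], buf[pos + 1]
    raw = buf[pos + 2 : pos + 2 + (ndigits + 1) // 2]
    digits = ''.join(f'{b & 0x0F:x}{b >> 4:x}' for b in raw)[:ndigits]  # drop 0xF pad
    prefix = '+' if (toa & 0x70) == 0x10 else ''                          # international
    return prefix + digits, pos + 2 + len(raw)

def decode_sms_deliver(pdu: bytes) -> dict:
    pos = 1 + pdu[0]                      # skip SMSC address (length octet first)
    first = pdu[pos]; pos += 1
    if (first & 0x03) != 0x00:
        raise ValueError('not an SMS-DELIVER PDU')
    udhi = bool(first & 0x40)             # TP-UDHI: user data starts with a header
    network_sender, pos = _decode_address(pdu, pos)
    pos += 2 + 7                          # TP-PID, TP-DCS, TP-SCTS timestamp
    udl = pdu[pos]; pos += 1
    ud = pdu[pos : pos + udl]
    reply_address, body_start = None, 0
    if udhi:
        body_start = 1 + ud[0]            # UDHL octet plus the information elements
        i = 1
        while i < body_start:
            iei, iedl = ud[i], ud[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_address, _ = _decode_address(ud, i + 2)
            i += 2 + iedl
    return {
        'network_sender': network_sender,   # what the carrier routed the message from
        'reply_address': reply_address,     # what the sender asked the client to show
        'text': ud[body_start:].decode('ascii', 'replace'),
        'sender_mismatch': reply_address is not None and reply_address != network_sender,
    }

# Constructed PDU: carrier-supplied sender +15551234567, UDH reply address +18005550100.
SAMPLE_PDU = (
    bytes.fromhex('00 44')                              # no SMSC; SMS-DELIVER, TP-UDHI set
    + bytes.fromhex('0B 91 51 55 21 43 65 F7')          # TP-OA: +15551234567
    + bytes.fromhex('00 04 21 80 21 21 35 00 80')       # TP-PID, TP-DCS=8-bit, TP-SCTS
    + bytes([1 + 10 + 19])                              # TP-UDL: UDHL + IE + 19 text bytes
    + bytes.fromhex('0A 22 08 0B 91 81 00 55 05 01 F0') # UDHL=10; IEI 0x22 reply address
    + b'Reply with your PIN'
)
```

A client that renders `network_sender` and treats `sender_mismatch` as a reason to show both addresses (or warn) does what the comment above asks for; one that renders `reply_address` alone reproduces the behaviour the article describes.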
Sign up online for txt messaging service. Said service asks you what number you want txts to appear to come from.
Send txt messages to your heart's content.
The dude who tracked down his stolen bike in Seattle used "Burner" app to spoof his CallerID... http://www.engadget.com/2012/08/09/burner-iphone-app-disposable-number/ http://www.youtube.com/watch?v=9-GVpIaPEGM
I don't understand why people even do banking on a device that is so easily lost.
Because it's also more easily wiped.
You'd really be better off banking only on mobile devices with proper passcodes set, and knowing how to remote-wipe on demand.
Your desktop or laptop could easily be stolen too, but is harder for most people to set up a real remote-wipe on.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The one thing I use SMS for is as a one time pad. A code is sent to me, which I enter as a secondary login credential. Nothing in the text leads me to the site. I have never assumed that SMS is any more secure than email, and I don't think there is any reason to do so.
Of course, if this is a real bug, it needs to be fixed. There are a lot of people out there who depend on a relatively secure SMS system to carry on affairs. It is also worthy to note that an iPhone does not use SMS by default, but messaging if possible.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Aren't you glad you're in the walled garden? Look who you've been walled in with...
Seven puppies were harmed during the making of this post.
There are android apps which are designed to do just this. No glitch required, just install the app. With the plethora of no contract and inexpensive android phones available this would be a much better option for a would-be fraudster.
It isn't new, and it isn't an iPhone app bug, it's the way the SMS system was built. The way most SMS PIN things work is that you are accessing the bank via another means and the bank sends you a PIN via SMS, so faking the sender serves no purpose. An SMS requesting your details should be ignored, like similar emails. The researcher who 'discovered' the bug needs to learn about GSM and SMS.
There was an unknown error in the submission.
why?...
captcha: fascism
iOS shows you who will actually receive the message if you reply, which given the choices is probably the best option.
This hole is not unique to iOS, nor new. In fact it is only a hole insofar as you open a hyperlink from the message.
The real bug is that the carrier gateways don't validate the messages.
Natural != (nontoxic || beneficial)
If you use whole drive encryption then you don't need to remote wipe your laptop.
Since the new owner has an infinite amount of time to brute force the login that decrypts the whole drive, why is that really better than being sure?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This just in, a flaw has been discovered in Email, allowing an attacker to arbitrarily spoof the From: address.
All hell is bound to break loose.
"The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from."
That's not a security flaw, that's just unbelievably stupid design. Didn't they learn how big of a problem caller ID spoofing was? It should never have been put in there. I guess Apple really is sincerely bad at security.
Because whole drive encryption guarantees they can't get in. While remote wipe is throwing all caution to the wind and hoping for the best.
No.
iOS remote wipe is based on whole drive encryption. It scrambles the decryption block so nothing can get in, ever.
So you have only whole drive encryption, vs. whole drive encryption where you can ALSO tell the system to toast the whole storage instantly.
Because whole drive encryption guarantees they can't get in.
What part of "infinite time to brute force the password" did I not make clear? A laptop will not wipe the storage after a million tries. Most people's passwords are simple enough (or, hell, stored on a sticky note in the laptop bag) that they can be guessed if anyone makes a reasonable attempt.
Whole drive encryption is not enough, real security is defense in depth - not relying on any one thing.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Totally non-authenticated communication method found to be not authenticated! More details at 11.
I can't believe that this is news to anyone. Do you really think that people who send marketing, information or run 'adult' services via SMS have a huge bank of mobile handsets with people sitting typing messages into them?
No - they have computers that connect to a bulk SMS supplier (e.g. the company I used to work for http://www.dialogue.net/sms_toolkit/) that allows them to send SMS with any Originating Address that they choose whether that's someone's phone, a shortcode or the name of the company.
Mobile phone operators do sometimes implement limits on what can be set for the O.A. for messages entering their network but there just isn't the infrastructure in place to authenticate what is set for the O.A. within the network.
"Free software as in beer, copy protection as in racket" - Telsa Gwynne
Because it's also more easily wiped.
Wrong.
So very wrong.
Once I have your device, I simply disconnect it from the network, plug it into a machine I control, copy the data wholesale (bit by bit) and take my time on reading it. Both Android and iPhone have a bootloader that allows this. As all the Jailbreaking groups have shown us, it's trivial to break Apple's security.
Phones are emphatically not safe, any data you store on there is much easier for an attacker to get to simply because an attacker can get a phone easier than your laptop.
Your only defence against this is to _NOT_ store sensitive data on any mobile device (phone or laptop). So using banking applications that store data on the device itself is inherently insecure. The secure way to do banking (or any high security transaction) on a mobile device is to use a web site, then you only have to worry about your bank's servers being stolen (or your end point being compromised, but for the purposes of this argument I'll assume you know how to keep that secure).
Calling someone a "hater" only means you can not rationally rebut their argument.
Received this SMS today:
"Congratulations, your number made you Apple's winner! Go to http://www.apple.ca.freebie.cc and enter code 0000 to claim your free Apple product!"
Lots of people report receiving the same SMS from different numbers. All the reports are from yesterday or today.