Slashdot Mirror


iPhone Bug Allows SMS Spoofing

Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."
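The behaviour the summary describes comes down to which of two address fields an SMS client shows: TP-OA, the originating address the network delivers the message with, or the "Reply Address Element" that a sender can put inside the User Data Header of the message itself. The following is an added example (not code from the article, the researcher, or Apple) that builds a constructed SMS-DELIVER PDU carrying a UDH reply address, decodes it, and contrasts a client that displays the UDH address with one that displays TP-OA. Assumptions: the message is 8-bit data (TP-DCS 0x04) so no 7-bit unpacking is needed, the reply-address IEI is 0x22 as I recall it from 3GPP TS 23.040, the sender and reply numbers are invented, and no real network, handset, or SMSC is involved.

```python
"""Decode a GSM SMS-DELIVER TPDU (3GPP TS 23.040 layout) and show why a client
should display TP-OA rather than the UDH reply address.  Added example with
constructed PDU bytes; nothing here was captured from a real network."""

REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" IEI (TS 23.040, from memory)


def encode_address(number):
    """Address field as used for TP-OA: digit count, type-of-address 0x91
    (international), then BCD digits with semi-octets swapped, 'F' padded."""
    digits = number + ("F" if len(number) % 2 else "")
    swapped = bytes(int(digits[i + 1] + digits[i], 16)
                    for i in range(0, len(digits), 2))
    return bytes([len(number), 0x91]) + swapped


def decode_address(buf, pos):
    """Return (number, position after the field) for an address at buf[pos]."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex().upper()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""   # type-of-number: international
    return prefix + digits, pos + 2 + nbytes


def build_deliver_pdu(sender, reply_to, body):
    """Constructed SMS-DELIVER TPDU (no SMSC prefix).  reply_to=None omits the UDH."""
    udh = b""
    if reply_to is not None:
        ie_data = encode_address(reply_to)
        udh = bytes([REPLY_ADDRESS_IEI, len(ie_data)]) + ie_data
    first = 0x04 | (0x40 if udh else 0)          # MTI=DELIVER, TP-MMS, TP-UDHI if UDH
    ud = (bytes([len(udh)]) + udh if udh else b"") + body
    return (bytes([first]) + encode_address(sender)
            + b"\x00\x04"                        # TP-PID, TP-DCS = 8-bit data
            + bytes.fromhex("21807100000000")    # TP-SCTS, arbitrary constructed stamp
            + bytes([len(ud)]) + ud)


def parse_deliver_pdu(pdu):
    """Extract TP-OA, the UDH reply address (if any) and the text body."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)
    tp_oa, pos = decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    if dcs != 0x04:
        raise ValueError("example only handles 8-bit data (TP-DCS 0x04)")
    pos += 2 + 7                                 # skip TP-PID, TP-DCS, TP-SCTS
    udl = pdu[pos]
    ud = pdu[pos + 1:pos + 1 + udl]
    ies, body = {}, ud
    if udhi:
        udhl = ud[0]
        hdr, body = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i + 2 <= len(hdr):                 # walk the IEI / IEDL / data list
            iei, iedl = hdr[i], hdr[i + 1]
            ies[iei] = hdr[i + 2:i + 2 + iedl]
            i += 2 + iedl
    reply = (decode_address(ies[REPLY_ADDRESS_IEI], 0)[0]
             if REPLY_ADDRESS_IEI in ies else None)
    return {"tp_oa": tp_oa, "reply_address": reply, "body": body.decode("latin-1")}


def naive_display_sender(msg):
    """The behaviour the summary describes: sender-supplied reply address shown as sender."""
    return msg["reply_address"] or msg["tp_oa"]


def trusted_display_sender(msg):
    """Show TP-OA; a reply address inside the body is chosen by the sender, so
    at most offer it as a separate 'reply to' hint, never as the sender."""
    return msg["tp_oa"]


# Constructed sample: real originator +15550001234, UDH reply address posing as a bank line.
SAMPLE = build_deliver_pdu("15550001234", "18005550199",
                           b"Your card is locked. Call the number above.")

if __name__ == "__main__":
    parsed = parse_deliver_pdu(SAMPLE)
    print("TP-OA:        ", parsed["tp_oa"])
    print("UDH reply-to: ", parsed["reply_address"])
    print("naive client shows:   ", naive_display_sender(parsed))
    print("hardened client shows:", trusted_display_sender(parsed))
```

The caveat a practitioner should keep in mind: TP-OA is only "what the network handed over", not an authenticated identity, since anyone submitting through an SMSC or bulk gateway can generally set it too. Showing TP-OA removes the handset-side trick, but it does not make the sender field proof of anything.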


  1. What is old is new again... by Anonymous Coward · · Score: 2, Insightful

    Pretty much iOS hides the SMS equivalent of the From: field, and only shows the Reply To: field

    Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

    1. Re:What is old is new again... by stephanruby · · Score: 4, Interesting

      Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

      Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

      Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.

    2. Re:What is old is new again... by nedlohs · · Score: 2

      Sure if you ignore that the From: field is also set entirely by the sender to anything they want.

    3. Re:What is old is new again... by 93+Escort+Wagon · · Score: 2

      My bank has made a big deal about having an iPhone app, being able to do photo deposits of checks with an iPhone, etc. So I can see both the motivation for exploiting this and how such an exploit might be successful.

      --
      #DeleteChrome
    4. Re:What is old is new again... by ethanms · · Score: 2

      Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

      So? This doesn't affect them I don't think--the SMS based authentication I've seen with my bank and Google all involve them sending me a code which I enter on their site. This issue wouldn't cause any problems with that.

    5. Re:What is old is new again... by msauve · · Score: 3, Insightful

      "a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them"

      Their problem. They have poorly designed systems. The spoof mentioned is no different from what anyone can do with email, simply.

      There are legitimate reasons to allow a sender to signify a different "from" number. One example might be someone using Google Voice, where they want to send an SMS via the carriers network (where a different phone number is associated), but have it appear as coming from the GV number to the recipient (or same, via an SMS gateway from a PC, etc.).

      For security, similar to the common password reset procedures via email, sites might accept a request via SMS, but then return a necessary confirmation code to the "from" number. Even if you can send an SMS which appears to be from an arbitrary number, you can't get the reply (and confirmation code) unless you're actually associated with that number.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:What is old is new again... by SpelledBackwards · · Score: 2

      I wanted to also mod this as offtopic, but then I began to wonder if tongxili knows someone is spoofing his name.

    7. Re:What is old is new again... by ls671 · · Score: 2

      You can add callerid on phone calls which is funnily trusted enough by banks and others, when you activate your credit card for example. Callerid is easily spoofed if you get a VOIP account for a few cents.

      Many VOIP providers even give you a 25 cents credit to try the system for free without verifying your identity. Yet, many people believe callerid as the plain truth when they see a call coming in.

      There are so many weak authentication schemes that are trusted by the majority of people and institutions, some other posters could probably add to the list.

      --
      Everything I write is lies, read between the lines.
  2. Problem with the iPhone, or the cell system? by Bradmont · · Score: 5, Insightful

    I'm no apple fanboy by any stretch of the imagination, but this seems like a security vulnerability with the cell phone system, not with the app. No client should ever be trusted in a network security context, and this is no different. It may have shown up as a bug in the iPhone software, but it is the cell networks that should have protection against these sorts of things...

    1. Re:Problem with the iPhone, or the cell system? by GameboyRMH · · Score: 5, Insightful

      It is sort of a design flaw in the cell phone system that the phone has any say in the matter, but that's a done deal and now this is a bug in the phone. This is the sort of thing that should be firmware-controlled.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Problem with the iPhone, or the cell system? by mapsjanhere · · Score: 3, Funny

      Apple doesn't make mistakes, it's not a bug, it's a feature.

      --
      I'm aging rapidly, I bought a new game and had no idea if my machine was good for it.
    3. Re:Problem with the iPhone, or the cell system? by Obfuscant · · Score: 3, Interesting

      No, the receiving IPhone is using data that comes from the sending phone rather than the tower. This is definitely an IPhone issue.

      Not limited to iPhone. I have yet to find an Android SMS app that doesn't discard the sending "number" in favor of anything that looks like an email address in the body of the message.

      T-Mobile has an email to SMS gateway that copies the From and Subject headers into the front of the message separated by '/'. They send these SMS from a number in the 3-4 thousand range, and keep a back-mapping so a reply to that SMS number will go back to the email sender. EVERY SMS app I've seen on Android pulls the email address from the body of the SMS message and throws away the reply-to number. That means I can never reply to an email I get via SMS, except through the phone's email app. Which has a different email address associated with it.

      Anyone know an SMS app for Android that does NOT do this?

    4. Re:Problem with the iPhone, or the cell system? by starfishsystems · · Score: 2

      I'm more inclined to describe it as an inherent SMS vulnerability that one particular product happened to touch.

      Will fixing the iPhone make this vulnerability go away? No. Anyone who wants to exploit it simply has to find a hackable cell phone, or engineer one for themselves.

      --
      Parity: What to do when the weekend comes.
  3. Why trust everything to these little devices. by Anonymous Coward · · Score: 3, Insightful

    I don't understand why people even do banking on a device that is so easily lost. And before people start screaming at me, please know that this is coming from someone who had his bank account broken into from using only legitimate ATMs from actual banks (didn't even know there was such a thing as a card skimmer).

  4. That's not news by psergiu · · Score: 5, Informative

    As long as you are allowed to mess with the SMS message header, you can do this on ANY phone - it's part of the GSM standard - Small Message Service was intended for testing & internal use, nowhere is it stated that the "Sender" field must be the actual sending phone number. In fact, that field is alphanumeric, you can put anything in there, not just numbers. Also, there's nothing in the GSM network to prevent this, the message is routed by destination, not by sender.

    I was sending "faked" messages like those over 10 years ago using the "service" menus on old Nokia & Motorola GSM phones.

    Anyone relying on those SMS headers for authentication is either stupid or malicious.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  5. Re:So what? by Em+Adespoton · · Score: 4, Insightful

    The method is:
    1) send you a fake email telling you to log into your account to update your settings/read the policy change/etc.
    2) link to a phishing site, which pulls all the assets from the legit bank, but redirects the password form
    3) trigger an SMS event just like the real bank, to send you the token needed to log in to the phishing site
    4) harvest your account info.
    5) Profit!

    However, it'd make more sense to just make the phishing site a proxy and let the actual bank send the SMS token to the customer. That way, the customer logs in for them, and they can then do whatever they want....

  6. Re:So what? by nedlohs · · Score: 2

    Which won't help them because they still don't have the SMS from the bank for the other half of the two factor authentication.

  7. Re:So what? by nedlohs · · Score: 2

    And why do they need the fake SMS code step in the first place? They can just do the "site attempts to login to your real bank which will send a real code via SMS" step without bothering with it.

  8. Foolhardy by SuperKendall · · Score: 2

    If you use whole drive encryption then you don't need to remote wipe your laptop.

    Since the new owner has an infinite amount of time to brute force the login that decrypts the whole drive, why is that really better than being sure?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. Epic facepalm by dackroyd · · Score: 2

    Totally non-authenticated communication method found to be not authenticated! More details at 11.

    I can't believe that this is news to anyone. Do you really think that people who send marketing, information or run 'adult' services via SMS have a huge bank of mobile handsets with people sitting typing messages into them?

    No - they have computers that connect to a bulk SMS supplier (e.g. the company I used to work for http://www.dialogue.net/sms_toolkit/) that allows them to send SMS with any Originating Address that they choose whether that's someone's phone, a shortcode or the name of the company.

    Mobile phone operators do sometimes implement limits on what can be set for the O.A. for messages entering their network but there just isn't the infrastructure in place to authenticate what is set for the O.A. within the network.

    --
    "Free software as in beer, copy protection as in racket" - Telsa Gwynne