Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Bug Allows SMS Spoofing

Posted by Soulskill on from the working-as-intend-ish dept.

Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."

5 of 92 comments (clear)

  1. Problem with the iPhone, or the cell system? by Bradmont · · Score: 5, Insightful

    I'm no apple fanboy by any stretch of the imagination, but this seems like a security vulnerability with the cell phone system, not with the app. No client should ever be trusted in a network security context, and this is no different. It may have shown up as a bug in the iPhone software, but it is the cell networks that should have protection against these sorts of things...

    1. Re:Problem with the iPhone, or the cell system? by GameboyRMH · · Score: 5, Insightful

      It is sort of design flaw in the cell phone system that the phone has any say in the matter, but that's a done deal and now this is a bug in the phone. This is the sort of thing that should be firmware-controlled.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Re:What is old is new again... by stephanruby · · Score: 4, Interesting

    Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

    Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

    Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.

  3. That's not news by psergiu · · Score: 5, Informative

    As long as you are allowed to mess with the SMS message header, you can do this on ANY phone - it's part of the GSM standard - Small Message Service was intended for testing & internal use, nowhere is stated that the "Sender" field must be the actual sending phone number. In fact, that field is alphanumerical, you can put anything in there, not just numbers. Also, there's nothing in the GSM network to prevent this, the message is routed by destination, not by sender.

    I was sending "faked" messages like those over 10 years ago using the "service" menus on old Nokia & Motorola GSM phones.

    Anyone relying on those SMS headers for authentication is either stupid or malicious.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  4. Re:So what? by Em+Adespoton · · Score: 4, Insightful

    The method is:
    1) send you a fake email telling you to log into your account to update your settings/read the policy change/etc.
    2) link to a phishing site, which pulls all the assets from the legit bank, but redirects the password form
    3) trigger an SMS event just like the real bank, to send you the token needed to log in to the phishing site
    4) harvest your account info.
    5) Profit!

    However, it'd make more sense to just make the phishing site a proxy and let the actual bank send the SMS token to the customer. That way, the customer logs in for them, and they can then do whatever they want....