
pyrodex

macrumors 6502a
Jul 10, 2008
505
4
Atlanta, GA
Just got the following SMS from myself...

FREE VZW Message. 1st Notice: Your Pix Place account has been inactive for 150 days. Log onto www.vzwpix.com within 30 days or your content will be deleted.
 

725032

Guest
Aug 5, 2012
724
0
Oh no way, seriously Apple?!... SORT IT OUT

I feel like my iphone is a mobile security threat.

Apple security is tanking...
 

theBB

macrumors 68020
Jan 3, 2006
2,453
3
With any email client I can look at the header and see if the sender field matches the origin server. That information is not preserved in SMS. (Note: this is the actual sender field, not the reply-to field). SMS is easier to spoof than e-mail and much harder to unwind.
I never received such an SMS message, but many commenters here are claiming that when you start replying, you can see the name/number you are replying to. SMS is easier to spoof certainly, just like caller IDs in phone calls, but none of these are bugs on iOS. The system was designed to be this way decades ago. I don't know why phone companies decided that it was a good idea to allow caller IDs to be changed, not just blocked, but they did. That is not Apple's fault.
 

latinum1

macrumors newbie
Aug 18, 2012
2
0
Misunderstanding of the problem

I am not sure if lots of you misunderstood the problem. It is not just about the SMS spoofing, which is generally possible (independent of the mobile phone platform).

Imagine the following: you receive an SMS from your phone company. Now the spoofing is used to prepare the whole situation. The fake name is your phone company's name. The fake number is your phone company's real number. If you just have that spoofed SMS, you would reply to your phone company.

Let the text be about "We updated our policy. From now on you will receive daily newsletters. If you don't respond, you agree with the policy".

Now the real stuff starts: The bug in iOS lets the spoofed SMS contain more logic than just the common spoofing stuff, parameters that can re-route the SMS reply to another number than the spoofed number. This one will be a paid service number and will charge your bill.

So, hopefully you understood, that the problem is located on top of the common SMS spoofing and uses additional buggy features of iOS. On Windows Phone or Android, just part 1 is possible.
 

kd5jos

macrumors 6502
Oct 28, 2007
432
144
Denver, CO
How this isn't Apple's issue to deal with...

Oh no way, seriously Apple?!... SORT IT OUT

I feel like my iphone is a mobile security threat.

Apple security is tanking...

Read the top answer to the question. Summary:

If customers want a secure platform, they use iMessage. If compatibility is the concern, they use SMS. SMS is not, and has never been designed to be a secure platform.

Telnet is an unsecured communications medium. How many computers pop up a notification that says, "Are you sure you want to use telnet, it sends passwords in cleartext?" Is Apple liable because OS X doesn't have a popup that notifies someone trying to use telnet that it isn't secure?

My turn to ask a question. Why are we bent on finding excuses to make Apple fix this, instead of having the cause of the problem (the SMS standard) fixed? Why is fixing the symptom logical when you can cure it at the cause (the carriers)?
 

praktical

macrumors regular
Mar 12, 2012
107
0
Oklahoma City Oklahoma.
iPhone Security Issue Opens Door to SMS Spoofing

Security flaw or deliberately done to allow the FBI, CIA, NSA and other Government Agencies to manipulate your cell phone data and privacy? I seriously doubt this was a flaw but rather a deliberate back door.
 

JupiterDoc

macrumors member
Aug 8, 2012
56
0
Security flaw or deliberately done to allow the FBI, CIA, NSA and other Government Agencies to manipulate your cell phone data and privacy? I seriously doubt this was a flaw but rather a deliberate back door.

This makes sense to me. BTW, I learned today about iMessage. When you send a text message to someone who has an iPhone (and iMessage is turned on in settings) the send button is blue. That means the text is free. When you text to someone without an iPhone, the Send button is green. Green is for pay.
 

CShort

macrumors regular
Aug 2, 2011
109
0
Yes

This makes no sense. You don't need to use UDH tricks to 'spoof' the sender ID on a text message, you just set whatever sender ID you want to use.
And yes, I know SMS.

Some carriers like "Telstra" do implement some of their own security. Once upon a time they used to do from number verification (this was years ago, not sure about now). So while you are correct if you have signed up to a carrier that does extra security then this is adding a flaw.

Even if it's not really adding much of a security flaw it's still a bug in the software, and if the reply-to is legitimately changed the conversation view is broken without you knowing it!
 

latinum1

macrumors newbie
Aug 18, 2012
2
0
Read the top answer to the question. Summary:

If customers want a secure platform, they use iMessage. If compatibility is the concern, they use SMS. SMS is not, and has never been designed to be a secure platform.

Telnet is an unsecured communications medium. How many computers pop up a notification that says, "Are you sure you want to use telnet, it sends passwords in cleartext?" Is Apple liable because OS X doesn't have a popup that notifies someone trying to use telnet that it isn't secure?

My turn to ask a question. Why are we bent on finding excuses to make Apple fix this, instead of having the cause of the problem (the SMS standard) fixed? Why is fixing the symptom logical when you can cure it at the cause (the carriers)?

Try to understand my posting, then you will see that it is an Apple Security flaw. They shouldn't turn in the additional hooks on top of it.
 

ncaissie

macrumors 6502a
Dec 1, 2011
665
6
Anyone can do this with emails also. Except in the header of the email which is usually not shown by the email client it has the originating IP.

I don't see a use for this feature on SMS really. Apple should remove it completely.
 

Foxtrot41987

macrumors newbie
Sep 24, 2023
1
0





Jailbreak hacker and security researcher pod2g today revealed a newly-discovered security issue in all versions of iOS that could allow malicious parties to spoof SMS messages, making a recipient think that a message came from a trusted sender when it in fact came from the malicious party.

The issue is related to iOS's handling of User Data Header (UDH) information, an optional section of a text payload that allows users to specify certain information such as changing the reply-to number on a message to something other than the sending number. The iPhone's handling of this optional information could leave recipients open to targeted SMS spoofing attacks.

pod2g highlights several ways in which malicious parties could take advantage of this flaw, including phishing attempts linking users to sites collecting personal information or spoofing messages for the purposes of creating false evidence or gaining a recipient's trust to enable further nefarious action.

In many cases the malicious party would need to know the name and number of a trusted contact of the recipient in order for their efforts to be effective, but the phishing example shows how malicious parties could cast broad nets hoping to snare users by pretending to be a common bank or other institution. But with the issue resulting in recipients being shown the reply-to address, an attack could be discovered or thwarted simply by replying to the message, as the return message would go to the familiar contact rather than the malicious one.

Article Link: iPhone Security Issue Opens Door to SMS Spoofing
If you have iOS 17 and the recipient does not and you send a large quantity text over 100 characters in 1 bar or less service this will lead to spoofing that text 50-150 times. Closing out your text app will reset this. Update: you will not incur multiple charges for the text just will get locked out by said user
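
As an added illustration of the UDH mechanism the quoted article describes (not code from pod2g, Apple or any poster in this thread): a small parser that walks the information elements of a user data header and reports a reply address that differs from the sender shown to the user. It assumes the Reply Address element is IEI 0x22 with a TP-address-format body as in 3GPP TS 23.040, handles numeric addresses only, and uses constructed sample bytes and phone numbers.

```python
REPLY_ADDRESS_IEI = 0x22  # assumption: "Reply Address Element" in 3GPP TS 23.040


def parse_udh(user_data):
    """Split user data that starts at the UDHL octet into {IEI: data}."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    header = user_data[1:1 + udhl]
    if len(header) != udhl:
        raise ValueError("UDHL exceeds available data")
    elements, i = {}, 0
    while i < len(header):
        if i + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[i], header[i + 1]
        data = header[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("element length overruns header")
        elements[iei] = data
        i += 2 + iedl
    return elements


def decode_address(field):
    """Decode digit count, type-of-address and swapped-nibble BCD digits."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa = field[0], field[1]
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in field[2:])[:ndigits]
    if len(digits) < ndigits:
        raise ValueError("address digits truncated")
    international = (toa >> 4) & 0x7 == 1
    return ("+" if international else "") + digits


def reply_mismatch(displayed_sender, user_data):
    """Return the reply-to number if it differs from the sender, else None."""
    element = parse_udh(user_data).get(REPLY_ADDRESS_IEI)
    if element is None:
        return None
    reply_to = decode_address(element)
    return reply_to if reply_to != displayed_sender else None


# Constructed sample: UDHL=8, one element (IEI 0x22) carrying +15550199,
# followed by two bytes of message text that the parser ignores.
SAMPLE = bytes.fromhex("08220608915155109948 69".replace(" ", ""))

if __name__ == "__main__":
    print(reply_mismatch("+15550100", SAMPLE))
```

A client that runs a check like this can show both numbers, or warn, when replies would go somewhere other than the sender displayed in the conversation.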
 