
MacRumors


Jailbreak hacker and security researcher pod2g today revealed a newly-discovered security issue in all versions of iOS that could allow malicious parties to spoof SMS messages, making a recipient think that a message came from a trusted sender when it in fact came from the malicious party.

The issue is related to iOS's handling of User Data Header (UDH) information, an optional section of a text payload that allows users to specify certain information such as changing the reply-to number on a message to something other than the sending number. The iPhone's handling of this optional information could leave recipients open to targeted SMS spoofing attacks.

In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin.

pod2g highlights several ways in which malicious parties could take advantage of this flaw, including phishing attempts linking users to sites collecting personal information or spoofing messages for the purposes of creating false evidence or gaining a recipient's trust to enable further nefarious action.

In many cases the malicious party would need to know the name and number of a trusted contact of the recipient in order for their efforts to be effective, but the phishing example shows how malicious parties could cast broad nets hoping to snare users by pretending to be a common bank or other institution. But with the issue resulting in recipients being shown the reply-to address, an attack could be discovered or thwarted simply by replying to the message, as the return message would go to the familiar contact rather than the malicious one.

Article Link: iPhone Security Issue Opens Door to SMS Spoofing
 
SMS sender spoofing is possible anyway. If you have the tools mentioned, just change the sender field. No need to fiddle with the reply-to field. Everyone using SMS knows about this.
 
Uhm. With lots of short message services on the internet you can specify a sender ID anyway… so while this is definitely a bug in the iOS implementation, there are way more ground-breaking issues here that affect any type of phone.
 
This needs to be closed but it's not such a big deal; this information is not easily modified.

There are already services that allow you to spoof sms and do not require this security hole. Even after this is closed if you want to spoof sms there are a few ways to do it.
 
It is easy to spoof caller ID and fool every phone on earth. How is this any more dangerous?
 
This is such a non-issue. It's not like anybody unwise enough to send their personal info over SMS is going to be wise enough to verify the 10-digit phone number below the name of their supposed financial institution before hitting send. The financial institutions I deal with all have a plethora of phone numbers they use. Do we really see somebody foolish enough to type in their account number then tapping on the name of the SMS recipient jotting down the phone number and then going to the financial institution website to verify the recipient is the one they expect it to be?

This is no different than getting SPAM SMS supposedly from Target stores with a link to go to "target.scamu.cn". It's the same as getting an email from "yahoo@195.23.3.1" asking you to verify your Yahoo password with an embedded link. It's simple phishing. If you are careless enough to fall for phishing then there is no reason to believe you would be careful enough to double-check that unrecognized 10-digit phone number associated with the SMS reply-to recipient even if Apple provided access to it in iOS.

Moral of the story: don't send your sensitive/confidential information over SMS (includes credit card numbers, social security numbers, bank accounts).

UPDATE: What Apple should do is warn you whenever the "reply-to" of an SMS does not match the sender. In fact even Android (which shows the reply-to) should be warning you that the reply-to does not match the sender. That is the only deterrent I could think of that might actually work.
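The warning proposed in the comment above, applied to the UDH reply address described in the article, can be sketched as follows. This is an added example, not code from the thread, pod2g or Apple; the function names are hypothetical, the PDUs and 555-01xx numbers are constructed, and it assumes a bare SMS-DELIVER TPDU with numeric addresses.

```python
# Added example, not code from the thread. Parses a received SMS-DELIVER TPDU
# (3GPP TS 23.040) and flags a UDH reply address that differs from the sender.
# Assumes a bare TPDU without SMSC prefix and numeric (BCD) addresses.
REPLY_ADDRESS_IEI = 0x22  # UDH information element: Reply Address Element
UDHI_FLAG = 0x40          # TP-UDHI bit: user data starts with a header

def read_address(buf, pos):
    """Decode digit count, type-of-address octet and nibble-swapped BCD digits."""
    if pos + 2 > len(buf):
        raise ValueError("truncated address")
    ndigits, toa = buf[pos], buf[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address")
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in buf[pos + 2:end])
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # type-of-number: international
    return prefix + digits[:ndigits], end

def check_sms_deliver(pdu_hex):
    """Return (sender, reply_to, mismatch) for one SMS-DELIVER TPDU."""
    buf = bytes.fromhex(pdu_hex)
    if not buf or buf[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    sender, pos = read_address(buf, 1)
    pos += 2 + 7                 # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    ud = buf[pos + 1:]           # user data follows the TP-UDL octet
    reply_to = None
    if buf[0] & UDHI_FLAG and ud:
        udh, i = ud[1:1 + ud[0]], 0   # ud[0] is the header length (UDHL)
        while i + 2 <= len(udh):
            iei, iedl = udh[i], udh[i + 1]
            data = udh[i + 2:i + 2 + iedl]
            if len(data) < iedl:
                raise ValueError("truncated information element")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = read_address(data, 0)
            i += 2 + iedl
    return sender, reply_to, reply_to is not None and reply_to != sender

# Constructed samples: both from +15550100123; the first carries a Reply
# Address Element for +15550100199, the second has no user data header.
WITH_REPLY = ("44" "0B915155100021F3" "0004" "21807101000000"
              "0D" "0A" "22080B915155100091F9" "6869")
PLAIN = "04" "0B915155100021F3" "0004" "21807101000000" "02" "6869"

if __name__ == "__main__":
    for pdu in (WITH_REPLY, PLAIN):
        print(check_sms_deliver(pdu))
```

A client that keeps both values can show the originating address alongside the reply address and raise the warning whenever the third element is true.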
 
I think we could use a slight rewrite of the article. It didn't say "malicious party" nearly often enough for me.
 
This makes no sense. You don't need to use UDH tricks to 'spoof' the sender ID on a text message, you just set whatever sender ID you want to use. Any text message can contain up to 16 digits or 11 alphanumeric characters of sender ID, and there's absolutely nothing that ensures this data is somehow verified or official.

Just as with an email you can, technically, originate it from wherever the hell you like, so can you with a text message.

This 'discovery' is not a discovery at all. In fact, it doesn't seem to be a problem at all. It would only be a problem if the sender ID displayed on the iPhone could be one thing, but the destination of the reply text messages could actually be something else that the user had no knowledge of. Correct me if I'm wrong, but in this instance the user is fully aware of the number they're texting. So no problem.

And yes, I know SMS.
 
so while this is definitely a bug in the iOS implementation, there are way more ground-breaking issues here that affect any type of phone.
Why is it a bug? Emails can have different sender and reply-to addresses. Obviously SMS system was set up to allow such capability and iOS has actually implemented it. It does not become a bug, just because other phones were ignoring that capability.
 
It would only be a problem if the sender ID displayed on the iPhone could be one thing, but the destination of the reply text messages could actually be something else that the user had no knowledge of.

Agree with this. You are correct, this is not possible. When a reply-to address is specified iOS displays that and ignores the sender.
 
Why is it a bug? Emails can have different sender and reply-to addresses. Obviously SMS system was set up to allow such capability and iOS has actually implemented it. It does not become a bug, just because other phones were ignoring that capability.

While true, it is not hard to go through the full header information and see if it has been spoofed. A lot of places will quickly kill a message if some of the servers it goes through do not line up right no matter who the from address is.
 
Not new at all. I got this on my phone a couple months back. Or so I think -- but it does sound related:

First I got a message -- with a link -- from an unknown number. Because it appeared on my lockscreen I swiped to see what it was, but I didn't activate the link. I deleted the message.

Later in the morning, I noticed a blank sms in iMessage. Good thing I had cleared all my sms's the other day, else I wouldn't have seen it! I opened it, and the header said it was sent to about a hundred other numbers NOT in my address book! I called my service provider but they said my number didn't send out a hundred sms's and that there wasn't anything abnormal with my usage.

Still, I was concerned.

So I wiped the phone clean (again). TWICE. Furthermore, I deleted all my backups and started fresh... and this time, WITHOUT any jailbreaks.

This is a clever virus/worm. I figured it takes the contacts from your addressbook and then has the NEXT person's phone (or the next next next person's phone) send itself to your contacts (with the exception of the originating number). Sure makes it more difficult to track down and warn people... or ask them if they received any funny messages from you.
 
Been exploiting this for fun for some time now. Always fun to send messages to a friend that appear to come from another friend.
 
...

This is not news to me...

It happens with mobile carriers as well. It was only a matter of time before it happened from Apple's messaging app.

One could say, the amount of this stuff going round would be far less since it's only between iOS devices, thus less widespread, but it's still messaging.

I actually blame, not only Apple here, but all mobile carriers, since they don't check this payload, and allow this to happen.

It's one thing mobile carriers doing this.... It's another with Apple.

I just thought Apple would have learnt a lesson from their books.

----------

would you really believe such a thing from a jailbreaker? :eek:

Nope. :apple:

But I'm not surprised it didn't come from someone legit.
 
I can't believe this is hitting all the news sites. Like many others already said, SMS spoofing is possible on every phone, no need to mess around with the UDH. So many sites out there that do it for you.

If the iPhone shows the reply-to number it's doing the right thing.

Is this aiming to be a hoax article like the screw 'news'? Well it's working, again. No one checks anything these days.
 
Not sure if this is related, but I get plenty of phone calls from spoofed numbers like "0000" and such. Calling back, of course, takes me to the "this number does not exist" message.

Good thing I have a calling whitelist. My ringtone is just a blank audio file, and my contacts have ringtones set to them that I can actually hear. Some idiot spammer called me in math class, and nobody heard anything.
 
So is this occurring with iMessage as well? I have a text opt-out with my carrier because I don't text very much and don't want to pay for it. I use iMessage mainly with the wife, and a free third party service (Heywire) for everyone else I know who doesn't own an iPhone. Thanks!
 