iPhone Security Issue Opens Door to SMS Spoofing

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,812
8,970





Jailbreak hacker and security researcher pod2g today revealed a newly-discovered security issue in all versions of iOS that could allow malicious parties to spoof SMS messages, making a recipient think that a message came from a trusted sender when it in fact came from the malicious party.

The issue is related to iOS's handling of User Data Header (UDH) information, an optional section of a text payload that allows users to specify certain information such as changing the reply-to number on a message to something other than the sending number. The iPhone's handling of this optional information could leave recipients open to targeted SMS spoofing attacks.

In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin.

pod2g highlights several ways in which malicious parties could take advantage of this flaw, including phishing attempts linking users to sites collecting personal information or spoofing messages for the purposes of creating false evidence or gaining a recipient's trust to enable further nefarious action.

In many cases the malicious party would need to know the name and number of a trusted contact of the recipient in order for their efforts to be effective, but the phishing example shows how malicious parties could cast broad nets hoping to snare users by pretending to be a common bank or other institution. But with the issue resulting in recipients being shown the reply-to address, an attack could be discovered or thwarted simply by replying to the message, as the return message would go to the familiar contact rather than the malicious one.

Article Link: iPhone Security Issue Opens Door to SMS Spoofing
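
The article says a good implementation would show both the original number and the reply-to one. The Python sketch below is an added example, not code from the article, pod2g, or Apple: it parses a received SMS-DELIVER PDU and flags a UDH reply address that differs from the originating address. It assumes hex-encoded PDUs with numeric addresses and the Reply Address Element identifier 0x22 from 3GPP TS 23.040; the function names and sample PDUs are constructed.

```python
REPLY_ADDRESS_IEI = 0x22   # Reply Address Element IEI in 3GPP TS 23.040

def decode_address(buf, pos):
    """Decode a numeric address field; return (number, next position)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    raw = buf[pos + 2 : pos + 2 + (ndigits + 1) // 2]
    if len(raw) < (ndigits + 1) // 2:
        raise ValueError("truncated address field")
    # Digits are BCD with the two nibbles of each octet swapped; 0xF pads.
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if (toa >> 4) & 0x07 == 1 else ""   # TON 1 = international
    return prefix + digits, pos + 2 + len(raw)

def inspect_deliver(pdu_hex):
    """Return (originator, reply_to, mismatch) for one SMS-DELIVER PDU."""
    buf = bytes.fromhex(pdu_hex)
    reply_to = None
    try:
        pos = 1 + buf[0]                       # skip SMSC information
        first = buf[pos]
        if first & 0x03:
            raise ValueError("not an SMS-DELIVER PDU")
        sender, pos = decode_address(buf, pos + 1)    # TP-OA
        pos += 1 + 1 + 7 + 1                   # TP-PID, TP-DCS, TP-SCTS, TP-UDL
        if first & 0x40:                       # TP-UDHI set: UDH present
            end = pos + 1 + buf[pos]           # UDHL bounds the header
            if end > len(buf):
                raise ValueError("UDH overruns PDU")
            pos += 1
            while pos + 2 <= end:              # walk IEI / IEDL / data
                iei, iedl = buf[pos], buf[pos + 1]
                if pos + 2 + iedl > end:
                    raise ValueError("element overruns UDH")
                if iei == REPLY_ADDRESS_IEI:
                    reply_to, _ = decode_address(buf, pos + 2)
                pos += 2 + iedl
    except IndexError:
        raise ValueError("truncated PDU") from None
    return sender, reply_to, reply_to is not None and reply_to != sender

# Constructed sample PDUs (fictional 555 numbers, 8-bit body "hi").
PLAIN = "00 04 0B915155550501F1 00 04 21807101000000 02 6869"
WITH_REPLY = ("00 44 0B915155550501F1 00 04 21807101000000 0D "
              "0A 22 08 0B915155550591F9 6869")

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN), ("with reply-to", WITH_REPLY)):
        print(name, inspect_deliver(pdu))
```

A client or gateway that gets a true mismatch flag can display both numbers or warn the recipient instead of silently showing the reply-to value.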
 

RichieB

macrumors newbie
Mar 15, 2011
9
0
SMS sender spoofing is possible anyway. If you have the tools mentioned, just change the sender field. No need to fiddle with the reply-to field. Everyone using SMS knows about this.
 

bse3

macrumors member
Dec 27, 2011
55
0
Uhm. With lots of short message services on the internet you can specify a sender ID anyway… so while this is definitely a bug in the iOS implementation, there are way more ground-breaking issues here that affect any type of phone.
 

mactmaster

macrumors 6502
Jun 16, 2010
390
0
This needs to be closed but it's not such a big deal; this information is not easily modified.

There are already services that allow you to spoof sms and do not require this security hole. Even after this is closed if you want to spoof sms there are a few ways to do it.
 

theBB

macrumors 68020
Jan 3, 2006
2,453
3
It is easy to spoof caller ID and fool every phone on earth. How is this any more dangerous?
 

BC2009

macrumors 68000
Jul 1, 2009
1,929
236
This is such a non-issue. It's not like anybody unwise enough to send their personal info over SMS is going to be wise enough to verify the 10-digit phone number below the name of their supposed financial institution before hitting send. The financial institutions I deal with all have a plethora of phone numbers they use. Do we really see somebody foolish enough to type in their account number then tapping on the name of the SMS recipient jotting down the phone number and then going to the financial institution website to verify the recipient is the one they expect it to be?

This is no different than getting SPAM SMS supposedly from Target stores with a link to go to "target.scamu.cn". It's the same as getting an email from "yahoo@195.23.3.1" asking you to verify your Yahoo password with an embedded link. It's simple phishing. If you are careless enough to fall for phishing then there is no reason to believe you would be careful enough to double-check that unrecognized 10-digit phone number associated with the SMS reply-to recipient even if Apple provided access to it in iOS.

Moral of the story: don't send your sensitive/confidential information over SMS (includes credit card numbers, social security numbers, bank accounts).

UPDATE: What Apple should do is warn you whenever the "reply-to" of an SMS does not match the sender. In fact even Android (which shows the reply-to) should be warning you that the reply-to does not match the sender. That is the only deterrent I could think of that might actually work.
 

JAT

macrumors 603
Dec 31, 2001
6,473
123
Mpls, MN
I think we could use a slight rewrite of the article. It didn't say "malicious party" nearly often enough for me.
 

miniConvert

macrumors 68040
This makes no sense. You don't need to use UDH tricks to 'spoof' the sender ID on a text message, you just set whatever sender ID you want to use. Any text message can contain up to 16 digits or 11 alphanumeric characters of sender ID, and there's absolutely nothing that ensures this data is somehow verified or official.

Just as with an email you can, technically, originate it from wherever the hell you like, so can you with a text message.

This 'discovery' is not a discovery at all. In fact, it doesn't seem to be a problem at all. It would only be a problem if the sender ID displayed on the iPhone could be one thing, but the destination of the reply text messages could actually be something else that the user had no knowledge of. Correct me if I'm wrong, but in this instance the user is fully aware of the number they're texting. So no problem.

And yes, I know SMS.
 

theBB

macrumors 68020
Jan 3, 2006
2,453
3
so while this is definitely a bug in the iOS implementation, there are way more ground-breaking issues here that affect any type of phone.
Why is it a bug? Emails can have different sender and reply-to addresses. Obviously SMS system was set up to allow such capability and iOS has actually implemented it. It does not become a bug, just because other phones were ignoring that capability.
 

mactmaster

macrumors 6502
Jun 16, 2010
390
0
It would only be a problem if the sender ID displayed on the iPhone could be one thing, but the destination of the reply text messages could actually be something else that the user had no knowledge of.
Agree with this. You are correct, this is not possible. When a reply-to address is specified iOS displays that and ignores the sender.
 

Rodimus Prime

macrumors G4
Oct 9, 2006
10,136
4
Why is it a bug? Emails can have different sender and reply-to addresses. Obviously SMS system was set up to allow such capability and iOS has actually implemented it. It does not become a bug, just because other phones were ignoring that capability.
While true, it is not hard to go through the full header information and see if it has been spoofed. A lot of places will quickly kill a message if some of the servers it goes through do not line up right no matter who the from address is.
 

theanimaster

macrumors 6502
Oct 7, 2005
313
12
Not new at all. I got this on my phone a couple months back. Or so I think -- but it does sound related:

First I got a message -- with a link -- from an unknown number. Because it appeared on my lockscreen I swiped to see what it was, but I didn't activate the link. I deleted the message.

Later in the morning, I noticed a blank sms in iMessage. Good thing I had cleared all my sms's the other day, else I wouldn't have seen it! I opened it, and the header said it was sent to about a hundred other numbers NOT in my address book! I called my service provider but they said my number didn't send out a hundred sms's and that there wasn't anything abnormal with my usage.

Still, I was concerned.

So I wiped the phone clean (again). TWICE. Furthermore, I deleted all my backups and started fresh... and this time, WITHOUT any jailbreaks.

This is a clever virus/worm. I figured it takes the contacts from your address book and then has the NEXT person's phone (or the next next next person's phone) send itself to your contacts (with the exception of the originating number). Sure makes it more difficult to track down and warn people... or ask them if they received any funny messages from you.
 

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
8,906
Been exploiting this for fun for some time now. Always fun to send messages to a friend that appear to come from another friend.
 

Tech198

macrumors G5
Mar 21, 2011
14,272
1,723
Australia, Perth
...

This is not news to me...

It happens with mobile carriers as well. It was only time, before it happened from Apple's messaging app.

One could say, the amount of this stuff going round would be far less since it's only between iOS devices, thus less widespread, but it's still messaging.

I actually blame, not only Apple here, but all mobile carriers, since they don't check this payload, and allow this to happen.

It's one thing mobile carriers doing this.... It's another with Apple.

I just thought Apple would have learnt a lesson from their books.

----------

would you really believe such a thing from a jailbreaker? :eek:
Nope. :apple:

But I'm not surprised it didn't come from someone legit.
 

gkpm

macrumors 6502
Jul 15, 2010
481
4
I can't believe this is hitting all the news sites. Like many others already said, SMS spoofing is possible on every phone, no need to mess around with the UDH. So many sites out there that do it for you.

If the iPhone shows the reply-to number it's doing the right thing.

Is this aiming to be a hoax article like the screw 'news'? Well it's working, again. No one checks anything these days.
 

faroZ06

macrumors 68040
Apr 3, 2009
3,387
1
Not sure if this is related, but I get plenty of phone calls from spoofed numbers like "0000" and such. Calling back, of course, takes me to the "this number does not exist" message.

Good thing I have a calling whitelist. My ringtone is just a blank audio file, and my contacts have ringtones set to them that I can actually hear. Some idiot spammer called me in math class, and nobody heard anything.
 

BornAgainApple

macrumors 6502a
Jun 9, 2009
558
84
Massachusetts
So is this occurring with iMessage as well? I have a text opt-out with my carrier because I don't text very much and don't want to pay for it. I use iMessage mainly with the wife, and a free third party service (Heywire) for everyone else I know who doesn't own an iPhone. Thanks!