Apple Shifts Blame for SMS Spoofing Problem

Apple has responded to a French iOS hacker’s discovery of a spoofing problem within iOS’ implementation of SMS. If abused, there is a serious potential for phishing attacks on the devices, but Apple seems to be passing the buck somewhat.

SMS is far from secure, and on iOS it is possible to spoof the return path of a given SMS message, says a hacker who goes by pod2g. “The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4… I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well,” the hacker’s blog states.

“In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.”

The risk, then, is phishing. An attacker could send a message that looks as if it came from a bank and collect any information that a victim thinks they are sending securely. Granted, this is an extreme example, and most people would not fall for such scams, but unfortunately it has happened.

For its part, Apple said that addresses are verified when iMessage is used instead of normal SMS on its devices. Apple added, “One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown Web site or address over SMS.”

It isn’t as if it would be hard to add a return field to the SMS display on iOS, but it may simply be too costly in development time. So, if you’re not using iMessage, you need to be careful and, as mentioned, avoid random messages asking for sensitive information no matter what the display tells you.
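The check a receiving client or SMS gateway could make before showing a sender is sketched below. It is an added example, not code from pod2g, Apple or the article. It assumes the SMS-DELIVER layout and the Reply Address Element identifier (0x22) from 3GPP TS 23.040, decodes numeric addresses only, and uses constructed PDUs with fictional numbers.

```python
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" IE in 3GPP TS 23.040

def decode_address(field):
    """Decode a numeric address field: digit count, type-of-address, BCD digits."""
    if len(field) < 2:
        raise ValueError("truncated address field")
    ndigits, toa = field[0], field[1]
    raw = field[2:2 + (ndigits + 1) // 2]
    if len(raw) != (ndigits + 1) // 2:
        raise ValueError("truncated address digits")
    # Semi-octets are nibble-swapped; an odd digit count is padded with 0xF.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]
    prefix = "+" if (toa >> 4) & 0x7 == 0x1 else ""  # international number
    return prefix + digits, 2 + len(raw)

def inspect_sms_deliver(pdu_hex):
    """Return the sender, the UDH reply address (if any) and whether they differ."""
    buf = bytes.fromhex(pdu_hex)
    if not buf:
        raise ValueError("empty PDU")
    has_udh = bool(buf[0] & 0x40)           # TP-UDHI flag in the first octet
    sender, used = decode_address(buf[1:])  # TP-OA, the real originator
    pos = 1 + used + 1 + 1 + 7 + 1          # skip TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply_to = None
    if has_udh:
        if pos >= len(buf):
            raise ValueError("UDHI set but no user data")
        ie, end = pos + 1, pos + 1 + buf[pos]  # buf[pos] is the UDH length
        if end > len(buf):
            raise ValueError("UDH longer than user data")
        while ie + 2 <= end:                   # walk the information elements
            iei, ielen = buf[ie], buf[ie + 1]
            if ie + 2 + ielen > end:
                raise ValueError("information element overruns UDH")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf[ie + 2:ie + 2 + ielen])
            ie += 2 + ielen
    mismatch = reply_to is not None and reply_to != sender
    return {"sender": sender, "reply_to": reply_to, "mismatch": mismatch}

# Constructed SMS-DELIVER PDUs (no SMSC prefix) with fictional 555-01xx numbers.
TIMESTAMP = "21807101000000"  # constructed TP-SCTS value
PLAIN = "04" + "0B912120550501F1" + "0000" + TIMESTAMP + "02E834"
WITH_REPLY = ("44" + "0B912120550501F1" + "0004" + TIMESTAMP
              + "0D" + "0A" + "22080B912120550591F9" + "6869")

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN), ("with reply address", WITH_REPLY)):
        print(name, inspect_sms_deliver(pdu))
```

A client that gets `mismatch` back as true can show both numbers, or label the message, instead of presenting the reply address as if it were the sender.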

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” pod2g concluded.
