Mark Bridge writes:
Last week, French iOS security researcher pod2g revealed a potential security risk with the Apple iPhone’s handling of SMS text messages.
All text messages can be sent with an optional ‘reply to’ telephone number that’s different from the sender’s number. It’s not a standard option with most mobile phones and is most likely to be used by SMS gateways sending large volumes of promotional or service messages.
The majority of text messages don’t use this feature - and many phones either ignore the extra data or display both numbers - but Apple’s iOS seems to handle it in a potentially risky way. Customers with an iPhone are shown SMS messages that appear to have been sent from the ‘reply to’ number... which isn’t necessarily the actual sender.
Apple responded to tech news site Engadget with a recommendation to use its own Apple-only iMessage service instead. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
However, mobile security company AdaptiveMobile says blame should be directed at Apple, not at mobile network operators.
Cathal McDaid, a security consultant at AdaptiveMobile, said “Device manufacturers, like all members of the mobile ecosystem should aim to take security seriously and ensure their devices comply with a wide range of standards and technical recommendations. For SMS to remain a trusted, clean channel, companies need to be vigilant that their products both properly conform to standards and don’t inadvertently expose flaws that can compromise their customers.”
“We know conclusively that this is not a network problem because the 3GPP specification - which outlines how modern mobile phones and networks operate today - discusses the security implications of this field in all phones and give recommendations on how to avoid malicious use of this. We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply address’ field or display both the ‘real’ originating address and the reply address as per the specification recommendations. The iPhone, so far, is the only device which does not comply with these security recommendations.”
The iPhone’s SMS handling could be used in a number of malicious ways. Criminals could send a message that appears to come from the customer’s bank or credit card company, inviting the users to reply with personal information or submit security information via a fraudulent web site. Alternatively, a spoof message could be used for social engineering to manipulate a customer’s behaviour - perhaps appearing to be from a trusted friend or a colleague.
It’s certainly not inappropriate to highlight Apple’s handling of SMS messages - but it’s also important to realise that spoofed SMS messages could affect other devices as well. Spam email messages often appear to be from legitimate addresses, requiring a combination of common sense and filtering software to determine whether or not they’re genuine. How long before SMS filtering becomes as much of a necessity... or will network operators and handset manufacturers solve the problem first?