Forgot your password?
typodupeerror
Bug Communications IOS Iphone Security Apple

iPhone Bug Allows SMS Spoofing 92

Posted by Soulskill
from the working-as-intend-ish dept.
Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."
This discussion has been archived. No new comments can be posted.

iPhone Bug Allows SMS Spoofing

Comments Filter:
  • by stephanruby (542433) on Friday August 17, 2012 @05:27PM (#41030083)

    Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

    Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

    Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.

  • by Obfuscant (592200) on Friday August 17, 2012 @05:54PM (#41030449)

    No, the receiving IPhone is using data that comes from the sending phone rather than the tower. This is definitely an IPhone issue.

    Not limited to iPhone. I have yet to find an Android SMS app that doesn't discard the sending "number" in favor of anything that looks like an email address in the body of the message.

    T-Mobile has an email to SMS gateway that copies the From and Subject headers into the front of the message separated by '/'. They send these SMS from a number in the 3-4 thousand range, and keep a back-mapping so a reply to that SMS number will go back to the email sender. EVERY SMS app I've seen on Android pulls the email address from the body of the SMS message and throws away the reply-to number. That means I can never reply to an email I get via SMS, except through the phone's email app. Which has a different email address associated with it.

    Anyone know an SMS app for Android that does NOT do this?

When in doubt, mumble; when in trouble, delegate; when in charge, ponder. -- James H. Boren

Working...