iPhone bug allows SMS phishing, tech security blogger warns
Users of Apple's iPhone who get a suspicious text message may have to double-check it with the sender, as a bug in the iPhone's SMS app can allow SMS spoofing and phishing, a security blogger has warned.
Researcher "pod2g" said the flaw is present even in the latest beta of iOS 6, Apple's upcoming operating system for the iPhone, iPad and iPod Touch.
"Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website (phishing). (Or) one could send a spoofed message to your device and use it as a false evidence," blogger "pod2g" said in a blog post.
Worse, "pod2g" said the flaw can be used to send messages "that could be utilized to manipulate people, letting them trust somebody or some organization texted them."
The researcher said the flaw involves advanced features in the user data header (UDH) that allow a user to change the reply-to address or number of the SMS.
"If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else," pod2g said.
In effect, pod2g said a text message on the iPhone may appear to come from the reply-to number, without displaying the real sender's message.
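The reply-to mechanism described above can be checked on the receiving side. The following is an added example, not code from pod2g's post or from this article: it parses a user data header and flags a Reply Address element (IEI 0x22 in 3GPP TS 23.040) that differs from the originating address. The function names, phone numbers and sample bytes are constructed for illustration.

```python
from typing import Optional

REPLY_ADDRESS_IEI = 0x22  # Reply Address Element (3GPP TS 23.040)


def parse_udh(udh: bytes) -> list:
    """Split a UDH (leading UDHL octet included) into (IEI, data) pairs."""
    if not udh:
        return []
    end = 1 + udh[0]                      # UDHL counts the octets after itself
    if end > len(udh):
        raise ValueError("UDHL exceeds the bytes available")
    elements, pos = [], 1
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated information element header")
        iei, iedl = udh[pos], udh[pos + 1]
        pos += 2
        if pos + iedl > end:
            raise ValueError("information element overruns the header")
        elements.append((iei, udh[pos:pos + iedl]))
        pos += iedl
    return elements


def decode_address(field: bytes) -> str:
    """Decode an address field: digit count, type-of-address, swapped BCD."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, ton = field[0], (field[1] >> 4) & 0x7
    value = field[2:2 + (ndigits + 1) // 2]
    if len(value) < (ndigits + 1) // 2:
        raise ValueError("address value truncated")
    if ton == 0x5:                        # alphanumeric: left undecoded here
        return "alnum:" + value.hex()
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in value)[:ndigits]
    return ("+" if ton == 0x1 else "") + digits


def reply_address_mismatch(originator: str, udh: bytes) -> Optional[str]:
    """Return the reply address when it differs from the originator."""
    for iei, data in parse_udh(udh):
        if iei == REPLY_ADDRESS_IEI:
            reply = decode_address(data)
            if reply != originator:
                return reply
    return None


# Constructed samples: a reply-address header, and a concatenation-only header.
UDH_REPLY = bytes.fromhex("0a22080b915155550521f3")
UDH_CONCAT = bytes.fromhex("0500032a0201")
```

A mismatch is a signal for the messaging app or a carrier-side filter to show both numbers. It is not proof of spoofing, since the reply address is a standard header field.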
Kaspersky Labs said an attacker could send a text message to a victim, impersonating the victim's bank and then directing the victim to a phishing site.
"The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush," it said.
"This new attack is similar to the PSTN spoofing in concept in that all the attack allows you to do is hide your real identity and look like a different source," Kaspersky quoted Tyler Shields, a senior security researcher at Veracode, as saying.
"At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models. I would rate this attack a medium severity because it relies on 'tricking' the user into doing something specific based on a falsified level of trust," Shields said.
Kaspersky noted that on mobile phones, people still tend to have a higher level of trust in the messages they receive, especially SMS messages that typically come from friends.