Mobile network security company AdaptiveMobile investigated claims of an iPhone SMS vulnerability that could allow scammers to “spoof” the sender of a text message, posing as a known friend or contact in order to send false and potentially dangerous SMS messages. After investigating, AdaptiveMobile argues that the source of the problem is the handset, not the network.
“Device manufacturers, like all members of the mobile ecosystem, should aim to take security seriously and ensure their devices comply with a wide range of standards and technical recommendations,” says Cathal McDaid, security consultant at AdaptiveMobile. “For SMS to remain a trusted, clean channel, companies need to be vigilant that their products both properly conform to standards and don’t inadvertently expose flaws that can compromise their customers.”
The issue was first revealed on “pod2g’s iOS blog” and involves misuse of an optional “reply address” field in the upper layers of the SMS protocol. If the field is misused, the iPhone SMS client displays a different address or phone number as the sending address instead of the actual originating address. This could be used to make recipients believe that text messages are from someone familiar, which the blogger explained could result in potentially damaging manipulation, such as the creation of false evidence or the unintentional surrender of private information to phishing scammers. This, the blogger said, is cause to be suspicious of any SMS message received on an iOS device.
“We know conclusively that this is not a network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and gives recommendations on how to avoid malicious use of this,” continues McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply address’ field or display both the ‘real’ originating address and the reply address as per the specification recommendations. The iPhone, so far, is the only device which does not comply with these security recommendations.”
Apple has responded to these claims, acknowledging the weakness without indicating a forthcoming remedy to the issue. According to AdaptiveMobile, Apple did suggest that users switch to using iMessage as their messaging solution, but did not offer a patch or solution to repair the breach in security itself.
“Historically, the ‘reply address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” continues McDaid. “However, while most handsets now ignore this quirk, with the remainder treating the field correctly, Apple has left a significant vulnerability in its handsets which could allow consumers to be fooled and hand over personal details to hackers and criminals. This reinforces the importance of handset manufacturers, operators and security providers collaborating and helping to keep SMS as a secure, reliable and trusted channel.”
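The handling McDaid describes (show the real originating address, with the reply address alongside rather than in its place) can be illustrated with a short client-side check. This is an added example, not code from AdaptiveMobile, pod2g or any handset vendor; the information-element identifier 0x22 and the address-field layout come from 3GPP TS 23.040, while the function names, phone numbers and header bytes are constructed for illustration.

```python
# Added example: names and sample bytes are constructed for illustration.
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element IEI in 3GPP TS 23.040


def parse_udh(udh: bytes) -> dict:
    """Split a User Data Header (first octet is UDHL) into {IEI: data}."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDHL does not match header length")
    elements, i = {}, 1
    while i < len(udh):
        if i + 2 > len(udh):
            raise ValueError("truncated information element")
        iei, iedl = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("information element overruns header")
        elements[iei] = data
        i += 2 + iedl
    return elements


def decode_address(field: bytes) -> str:
    """Decode a numeric address field: digit count, type-of-address, swapped BCD."""
    if len(field) < 2 or field[0] > 2 * (len(field) - 2):
        raise ValueError("malformed address field")
    ndigits, toa = field[0], field[1]
    if (toa & 0x70) == 0x50:  # alphanumeric sender: not decoded in this example
        return "<alphanumeric>"
    digits = "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in field[2:])[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def sender_display(originating: str, udh: bytes = b"") -> str:
    """Sender line for the UI: TP-OA always shown, reply address only alongside."""
    reply_raw = parse_udh(udh).get(REPLY_ADDRESS_IEI) if udh else None
    if reply_raw is None:
        return originating
    reply = decode_address(reply_raw)
    if reply == originating:
        return originating
    return f"{originating} (reply to: {reply})"


# Constructed UDH: UDHL=0x0A, IEI=0x22, IEDL=0x08, address field for +15555550123
SAMPLE_UDH = bytes.fromhex("0A22080B915155550521F3")
CONCAT_ONLY_UDH = bytes.fromhex("050003A10201")  # constructed, no reply address

if __name__ == "__main__":
    print(sender_display("+15555550199", SAMPLE_UDH))
    print(sender_display("+15555550199", CONCAT_ONLY_UDH))
```

The same mismatch between originating and reply address can be logged by a messaging client or test harness to measure how often the field appears on received traffic.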