AdaptiveMobile (http://www.adaptivemobile.com/), which specializes in mobile security, says it wants to dispel some of the myths regarding the recent iPhone SMS vulnerability, which lets scammers “spoof” the sender of a text message and pose as a known friend or contact.
While mobile operators have recently come under fire for this exploit, AdaptiveMobile argues that the source of the problem is the handset, not the network.
“Device manufacturers, like all members of the mobile ecosystem should aim to take security seriously and ensure their devices comply with a wide range of standards and technical recommendations,” says Cathal McDaid, security consultant, AdaptiveMobile. “For SMS to remain a trusted, clean channel, companies need to be vigilant that their products both properly conform to standards and don’t inadvertently expose flaws that can compromise their customers.”
The exploit was first revealed by a researcher on the pod2g blog. It misuses an optional “Reply Address” field in the upper layers of the SMS protocol: when the field is present, the iPhone SMS client displays the reply address as the sender instead of the actual originating address. A text message that really comes from a hacker or other external party can therefore be made to appear as if it came from someone the recipient knows.
“We know conclusively that this is not a network problem because the 3GPP specification — which outlines how modern mobile phones and networks operate today — discusses the security implications of this field in all phones and gives recommendations on how to avoid malicious use of this,” says McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply address’ field or display both the ‘real’ originating address and the reply address as per the specification recommendations. The iPhone, so far, is the only device which does not comply with these security recommendations.”
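To make the two behaviours concrete, here is an added Python example (not code from the original article, from AdaptiveMobile or from pod2g) that decodes a constructed SMS-DELIVER PDU, extracts both the TP-Originating-Address and the Reply Address element carried in the User Data Header, and contrasts a client that shows only the reply address with one that displays both addresses, as the specification recommends. It assumes the Reply Address element is UDH information element 0x22 (from 3GPP TS 23.040, as recalled here) and uses 8-bit user data (TP-DCS 0x04) to avoid GSM 7-bit unpacking; the PDU, phone numbers and message text are constructed test data.

```python
"""Decode an SMS-DELIVER PDU and show how a handset should present the sender.

Added example; the phone numbers, text and PDU built here are constructed
test data, not captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: the UDH "Reply Address Element" information element identifier
# from 3GPP TS 23.040 is 0x22.
IEI_REPLY_ADDRESS = 0x22


def _encode_address(number: str) -> bytes:
    """Encode a number as a TP-Address: digit count, type-of-address, swapped semi-octets."""
    digits = number.lstrip("+")
    toa = 0x91 if number.startswith("+") else 0x81  # international vs unknown numbering
    ndigits = len(digits)
    if ndigits % 2:
        digits += "F"  # pad an odd digit count with a filler nibble
    swapped = "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))
    return bytes([ndigits, toa]) + bytes.fromhex(swapped)


def _decode_address(buf: bytes, pos: int) -> tuple[str, int]:
    """Decode a TP-Address starting at buf[pos]; return (number, position after it)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2 : pos + 2 + nbytes]
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""
    return prefix + digits, pos + 2 + nbytes


@dataclass
class Deliver:
    originating: str            # TP-OA: the address the network actually delivered from
    reply_address: Optional[str]  # optional UDH Reply Address element, sender-controlled
    text: str


def build_deliver_pdu(originating: str, text: str, reply_address: Optional[str] = None) -> str:
    """Build a minimal SMS-DELIVER PDU (no SMSC, 8-bit data, zeroed timestamp) as a test vector."""
    udh = b""
    if reply_address:
        ie = _encode_address(reply_address)
        udh = bytes([IEI_REPLY_ADDRESS, len(ie)]) + ie
        udh = bytes([len(udh)]) + udh  # prefix with UDHL
    first_octet = 0x04 | (0x40 if udh else 0)  # MTI=SMS-DELIVER, TP-MMS, TP-UDHI when a UDH is present
    user_data = udh + text.encode("latin-1")
    pdu = (
        bytes([0x00, first_octet])
        + _encode_address(originating)
        + bytes([0x00, 0x04])  # TP-PID, TP-DCS (8-bit data)
        + bytes(7)             # TP-SCTS, zeroed for the test vector
        + bytes([len(user_data)])
        + user_data
    )
    return pdu.hex().upper()


def parse_deliver(pdu_hex: str) -> Deliver:
    """Parse an SMS-DELIVER PDU, returning both addresses and the text body."""
    buf = bytes.fromhex(pdu_hex)
    pos = buf[0] + 1  # skip SMSC address
    first_octet = buf[pos]
    pos += 1
    if (first_octet & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first_octet & 0x40)
    originating, pos = _decode_address(buf, pos)
    dcs = buf[pos + 1]
    pos += 2 + 7  # TP-PID, TP-DCS, TP-SCTS
    if (dcs & 0x0C) != 0x04:
        raise ValueError("this example only handles 8-bit TP-DCS user data")
    udl = buf[pos]
    user_data = buf[pos + 1 : pos + 1 + udl]
    reply, body_start = None, 0
    if udhi:
        body_start = 1 + user_data[0]
        i = 1
        while i < body_start:  # walk the information elements in the UDH
            iei, iedl = user_data[i], user_data[i + 1]
            if iei == IEI_REPLY_ADDRESS:
                reply, _ = _decode_address(user_data, i + 2)
            i += 2 + iedl
    return Deliver(originating, reply, user_data[body_start:].decode("latin-1"))


def display_sender_unsafe(msg: Deliver) -> str:
    """Behaviour the article attributes to the iPhone client: the reply address replaces the sender."""
    return msg.reply_address or msg.originating


def display_sender_safe(msg: Deliver) -> str:
    """Spec-recommended behaviour: always show the real originating address, reply address alongside."""
    if msg.reply_address and msg.reply_address != msg.originating:
        return f"{msg.originating} (replies go to {msg.reply_address})"
    return msg.originating


if __name__ == "__main__":
    pdu = build_deliver_pdu("+15551234567", "Hi, send me your PIN", reply_address="+15559876543")
    msg = parse_deliver(pdu)
    print("PDU:   ", pdu)
    print("unsafe:", display_sender_unsafe(msg))
    print("safe:  ", display_sender_safe(msg))
```

The unsafe display hides the only address the network actually vouches for; the safe variant keeps the originating address visible, so a reply address that differs from it becomes a visible warning sign rather than an impersonation.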
He says that Apple has responded to these claims, acknowledging the weakness, but without any stated intention of remedying the situation.
“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” continues McDaid. “However, whilst most handsets now ignore this quirk, with the remainder treating the field correctly, Apple has left a significant vulnerability in its handsets which could allow consumers to be fooled and hand over personal details to hackers and criminals. This reinforces the importance of handset manufacturers, operators and security providers collaborating and helping to keep SMS as a secure, reliable and trusted channel.”