Friday, August 17, 2012

Huge iOS text message security hole found, dating back to original iPhone

Apple likes to trumpet its "walled-garden" approach to software installations on its iOS operating system as creating a secure platform, but no software is bug-free. French iOS security researcher Pod2g has discovered a serious security hole, one that has existed on the device since its introduction in 2007.

The report, posted to his Blogger blog (ironically, since Blogger is a Google service and Google, of course, offers the rival Android mobile platform), shows that an SMS can carry a reply-to number separate from the number it was actually sent from, that this field is easy to spoof, and that the iPhone displays it as if it were the sender. The reader of such a text message may therefore believe it comes from a person other than the actual sender.

You can imagine how risky this is. It's for this same reason that users are warned not to click on links purporting to lead to their banks or other financial institutions in email, but instead to directly go to a known URL; it's easy to spoof the sending address in an email.

Just as with a spoofed email, in which any reply goes to an alternative address, any reply to such a malicious text message would be routed to a different phone number without your knowledge.

Here's how he explained the issue:

"In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.

"Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."

Pod2g's analysis indicates that the issue is not necessarily isolated to the iOS platform: what matters is how the SMS client implements this part of the standard. A third-party client (such as Google Voice or ChompSMS) could have the same problem, or none at all.
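To make the mechanism concrete, here is an added example in Python (my code, not Pod2g's, Apple's or any carrier's). It builds a constructed SMS-DELIVER whose User Data Header carries a reply address different from the sending number, then parses it the way a careful client should: the originating address stays the headline and the reply address is shown alongside it rather than in its place. The field layout follows 3GPP TS 23.040 as I recall it, including the Reply Address Element information element (IEI 0x22); the phone numbers, message text and timestamp are made up, and 8-bit data coding is used so the example does not have to unpack 7-bit septets.

```python
# Added example (not code from the original article, Pod2g, or Apple).
# Parses a GSM SMS-DELIVER TPDU and keeps the originating address (TP-OA)
# separate from any reply address carried in the User Data Header, which
# is the "good implementation" behaviour the quoted report asks for.
# Field layout follows 3GPP TS 23.040 as recalled; the Reply Address
# Element IEI (0x22) and the sample TPDU below are constructed for this demo.

IEI_REPLY_ADDRESS = 0x22  # UDH information element: Reply Address Element
TP_UDHI = 0x40            # bit 6 of the first TPDU octet: a UDH is present
DCS_8BIT = 0x04           # TP-DCS "8-bit data": avoids 7-bit septet packing
BCD_DIGITS = "0123456789*#abcF"  # semi-octet digit alphabet; F is filler


def decode_address(buf, pos):
    """Decode a 23.040 address field starting at buf[pos]:
    <digit count> <type-of-address> <BCD digits, low nibble first>.
    Returns (number_as_text, position_after_field)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    nibbles = []
    for b in buf[pos + 2 : pos + 2 + nbytes]:
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    number = "".join(BCD_DIGITS[n] for n in nibbles[:ndigits])
    if (toa & 0x70) == 0x10:  # type-of-number = international
        number = "+" + number
    return number, pos + 2 + nbytes


def encode_address(number):
    """Inverse of decode_address; used only to build the constructed sample."""
    digits = number.lstrip("+")
    toa = 0x91 if number.startswith("+") else 0x81  # international / unknown, ISDN plan
    out = bytearray([len(digits), toa])
    padded = digits + ("F" if len(digits) % 2 else "")
    for i in range(0, len(padded), 2):
        out.append((int(padded[i + 1], 16) << 4) | int(padded[i], 16))
    return bytes(out)


def parse_udh(ud):
    """Split TP-UD into its information elements and the message body.
    ud[0] is UDHL, the header length excluding that byte."""
    udhl = ud[0]
    hdr = ud[1 : 1 + udhl]
    elements, i = [], 0
    while i + 2 <= len(hdr):
        iei, iedl = hdr[i], hdr[i + 1]
        elements.append((iei, hdr[i + 2 : i + 2 + iedl]))
        i += 2 + iedl
    return elements, ud[1 + udhl :]


def parse_sms_deliver(tpdu):
    """Return origin, reply_to (None if absent) and text of an SMS-DELIVER."""
    flags = tpdu[0]
    if (flags & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    origin, pos = decode_address(tpdu, 1)          # TP-OA: the real sender
    _pid, dcs = tpdu[pos], tpdu[pos + 1]            # TP-PID, TP-DCS
    pos += 2
    pos += 7                                        # TP-SCTS timestamp, skipped here
    udl = tpdu[pos]
    ud = tpdu[pos + 1 : pos + 1 + udl]
    if dcs != DCS_8BIT:
        raise ValueError("demo decodes 8-bit data only")
    reply_to = None
    body = ud
    if flags & TP_UDHI:
        elements, body = parse_udh(ud)
        for iei, data in elements:
            if iei == IEI_REPLY_ADDRESS:
                reply_to, _ = decode_address(data, 0)
    return {"origin": origin, "reply_to": reply_to, "text": body.decode("latin-1")}


def render(msg):
    """Safe display: the real sender is always the headline; a differing
    reply address is called out, never silently shown in its place."""
    line = "From: " + msg["origin"]
    if msg["reply_to"] and msg["reply_to"] != msg["origin"]:
        line += "  [replies go to %s, not to the sender]" % msg["reply_to"]
    return line


def build_spoofed_deliver(origin, reply_to, text):
    """Constructed sample: an SMS-DELIVER from `origin` whose UDH asks that
    replies go to `reply_to`, which is the trick the article describes."""
    reply_ie = encode_address(reply_to)
    udh = bytes([IEI_REPLY_ADDRESS, len(reply_ie)]) + reply_ie
    ud = bytes([len(udh)]) + udh + text.encode("latin-1")
    scts = bytes([0x21, 0x80, 0x71, 0x51, 0x03, 0x00, 0x00])  # 2012-08-17 15:30:00, constructed
    return (bytes([TP_UDHI]) + encode_address(origin) + bytes([0x00, DCS_8BIT])
            + scts + bytes([len(ud)]) + ud)


if __name__ == "__main__":
    sample = build_spoofed_deliver("+15550001111", "+15559998888",
                                   "Your account is locked. Reply YES to unlock.")
    print(render(parse_sms_deliver(sample)))
```

Running the block prints the rendered line for the constructed message. A client that displayed only the reply address here, as the report says the iPhone does, would hide the sending number entirely; the point of `render` is that the two fields are never collapsed into one.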

Since iOS 6 is still in beta (beta 4), Pod2g encouraged Apple to fix the issue before it reaches release. He also warned iOS users:

"Now you are alerted. Never trust any SMS you receive on your iPhone at first sight."
