A tool for the Apple iPhone has been developed that enables an attacker to send SMS messages with spoofed sender details.
According to hacker pod2g, the ‘sendrawpdu’ command-line interface tool allows users to customise the reply number on text messages. In a blog post, pod2g said: “Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated [phishing] website.
“If the destination mobile is compatible with (user data header features), and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.
“Most carriers don't check this part of the message, which means one can write whatever he wants in this section. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.”
The tool has been released, and the vulnerability it exploits affects other mobile devices and all versions of Apple's iOS platform, including the upcoming iOS 6. This discovery led Apple to urge customers to use its iMessage service, which is only available between iOS and OS X devices, because it verifies the address from which messages were sent, unlike its SMS app, which displays the vulnerable reply-to address.
An Apple statement said: “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attack.
“One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.”
Cathal McDaid, security consultant at AdaptiveMobile, said that it had tested the issue on Android, Windows Mobile, BlackBerry and Symbian phones, and found that most of them simply ignore the ‘reply address’ field or display both the ‘real’ originating address and the reply address as per the specification recommendations.
“The iPhone, so far, is the only device which does not comply with these security recommendations,” McDaid said.
“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction. However, whilst most handsets now ignore this quirk, with the remainder treating the field correctly, Apple has left a significant vulnerability in its handsets that could allow consumers to be fooled and hand over personal details to hackers and criminals.”
Chris Barton, senior director of security research and operations at Cloudmark, said that this demonstrates that the Apple operating system, which was previously considered to be relatively bulletproof, is coming under increasing attack.
He said: “Fraudsters need to ensure that their activity is going to be profitable and, as Apple's products continue to gain market share, targeted abuse of the platform will continue. This ‘bug’ is nothing more than a gold-plated implementation decision - it's clear that Apple intended to be elegantly helpful with this feature.
“We would urge network operators to reassure their customers that they are taking steps to try and prevent SMS attacks, and that there are means of reporting such malicious messaging. If users lose trust in SMS as a platform, they could start moving to over-the-top alternatives such as iMessage or the other cross-platform messaging alternatives, which would result in a drop in revenue for the networks.”