Is the iPhone Vulnerable to SMS Spoofing and Hacks? Yes, but Don't Blame your Wireless Carrier


On August 17 last week, a researcher on the pod2g blog posted a missive claim that the blog writer had discovered a vulnerability within the iPhone's SMS software that, if properly exploited, would allow a phisher or other hacker to be able to gain the trust of a mobile user, by allowing one to spoof who the sender of a text message might be, potentially leading up to further and potentially harmful mischief.

Following the disclosure, various wireless carriers found themselves being blamed for the security hole.

It turns out, however, that no matter how much you may want to blame your carrier for your iPhone's security vulnerability, the truth is there’s only Apple to blame.

The vulnerability itself is both technical in nature, but also exceptionally easy to understand. The SMS protocol provides for an optional "Reply-Address" field, which a knowledgeable person could use to indicate a message was coming from someplace other than where it originated. That is, it could show a message as coming from a "trusted" source (e.g. a phone number or name) although the message was coming from a malicious source.

Why provide such a capability in the first place?

“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” said Cathal McDaid, Security Consultant at AdaptiveMobile.

When not used in this manner, the SMS protocol is very explicit about how the “feature” needs to be treated. The issue that pod2g identified is that an iPhone will display the reply-address as the sending address within the iPhone SMS client, and does not show the real “originating-address.”

“We know conclusively that this is not a wireless carrier network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and give recommendations on how to avoid malicious use of this,” continued McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply-address’ field or display both the ‘real’ originating address and the reply address - which is what the specification recommendations."

"The use of the Reply-Address is exceptionally rare in mobile networks now," McDaid added. "It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialized – it is one of the many extended SMS function fields that didn't get much traction. The simple answer to the problem then is to simply ignore the reply-address field altogether."

And this is exactly what almost all other device manufacturers do. The iPhone, almost as if by magic, is the only smart mobile device that doesn't ignore it, and that simultaneously uses SMS software that does not comply with the SMS protocol security recommendations. Apple is well aware of the issue and the security weakness, but for reasons only Apple is aware of, the company has not provided any stated intention of fixing the rather simple to fix problem.

Apple has suggested using its iMessage service instead to circumvent the problem. That is an interesting approach for Apple to take, but even with Apple extremists there will be times when an iPhone user may want to communicate with someone other than another iPhone user – it's been known to happen.

Of course, Apple will play the contrarian any time it can, but even so, we can't quite figure out why it is the lone agent here supporting a defunct SMS feature that presents a security hole if improperly handled (and Apple handles it improperly).

For those of you waiting to upgrade to iOS6, it won't fix the problem. The beta 4 version of iOS 6 that will likely become the shipping version in a few weeks still has the problem. There is no Apple magic on this particular issue.

Edited by Braden Becker

TechZone360 Senior Editor

Related Articles

Coding and Invention Made Fun

By: Special Guest    10/12/2018

SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…

Read More

Facebook Marketplace Now Leverages AI

By: Paula Bernier    10/3/2018

Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …

Read More

Oct. 17 Webinar to Address Apache Spark Benefits, Tools

By: Paula Bernier    10/2/2018

In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…

Read More

It's Black and White: Cybercriminals Are Spending 10x More Than Enterprises to Control, Disrupt and Steal

By: Cynthia S. Artin    9/26/2018

In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…

Read More

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More