On August 17 last week, a researcher on the pod2g blog posted a missive claim that the blog writer had discovered a vulnerability within the iPhone's (News - Alert) SMS software that, if properly exploited, would allow a phisher or other hacker to be able to gain the trust of a mobile user, by allowing one to spoof who the sender of a text message might be, potentially leading up to further and potentially harmful mischief.
Following the disclosure, various wireless carriers found themselves being blamed for the security hole.
It turns out, however, that no matter how much you may want to blame your carrier for your iPhone's security vulnerability, the truth is there’s only Apple (News - Alert) to blame.
The vulnerability itself is both technical in nature, but also exceptionally easy to understand. The SMS protocol provides for an optional "Reply-Address" field, which a knowledgeable person could use to indicate a message was coming from someplace other than where it originated. That is, it could show a message as coming from a "trusted" source (e.g. a phone number or name) although the message was coming from a malicious source.
Why provide such a capability in the first place?
“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” said Cathal McDaid, Security Consultant at AdaptiveMobile (News - Alert).
When not used in this manner, the SMS protocol is very explicit about how the “feature” needs to be treated. The issue that pod2g identified is that an iPhone will display the reply-address as the sending address within the iPhone SMS client, and does not show the real “originating-address.”
“We know conclusively that this is not a wireless carrier network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and give recommendations on how to avoid malicious use of this,” continued McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry (News - Alert) and Symbian phones and most of them simply ignore the ‘reply-address’ field or display both the ‘real’ originating address and the reply address - which is what the specification recommendations."
"The use of the Reply-Address is exceptionally rare in mobile networks now," McDaid added. "It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialized – it is one of the many extended SMS function fields that didn't get much traction. The simple answer to the problem then is to simply ignore the reply-address field altogether."
And this is exactly what almost all other device manufacturers do. The iPhone, almost as if by magic, is the only smart mobile device that doesn't ignore it, and that simultaneously uses SMS software that does not comply with the SMS protocol security recommendations. Apple is well aware of the issue and the security weakness, but for reasons only Apple is aware of, the company has not provided any stated intention of fixing the rather simple to fix problem.
Apple has suggested using its iMessage service instead to circumvent the problem. That is an interesting approach for Apple to take, but even with Apple extremists there will be times when an iPhone user may want to communicate with someone other than another iPhone user – it's been known to happen.
Of course, Apple will play the contrarian any time it can, but even so, we can't quite figure out why it is the lone agent here supporting a defunct SMS feature that presents a security hole if improperly handled (and Apple handles it improperly).
For those of you waiting to upgrade to iOS6, it won't fix the problem. The beta 4 version of iOS 6 that will likely become the shipping version in a few weeks still has the problem. There is no Apple magic on this particular issue.