The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said that it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker.
The issue lies in the way that Apple iOS handles a section of the SMS message called the User Data Header (UDH). The UDH carries a number of optional elements, one of which lets the sender specify a reply-to number; iOS displays that reply-to number as if it were the number the text message came from.
“If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one,” the researcher who uses the name Pod2g wrote in a blog post.
“Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.”
So for example, an attacker could send a text message to a victim, impersonating the victim’s bank and then directing the victim to a phishing site. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush.
“This new attack is similar to the PSTN spoofing in concept in that all the attack allows you to do is hide your real identity and look like a different source,” said Tyler Shields, a senior security researcher at Veracode.
“At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models. I would rate this attack a medium severity because it relies on ‘tricking’ the user into doing something specific based on a falsified level of trust.”
That false sense of trust is the thing that attackers count on and hope for, especially in phishing attacks. If the victim doesn’t buy what the attacker is selling, the gambit fails. But on mobile phones, people still tend to have a higher level of trust in the messages they receive, especially SMS messages, which typically come from friends.
The researcher known as Pod2g said in the analysis of the bug that a better implementation of the UDH feature would prevent the attack from succeeding.
“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose [sic] track of the origin,” the analysis says.
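As an added illustration of the receiver-side behaviour Pod2g calls a good implementation (this is editor-written example code, not from Pod2g's post or the article), the decoder below parses a GSM SMS-DELIVER TPDU, extracts both the originating address and any UDH reply address, and displays the two side by side instead of silently substituting one for the other. The Reply Address Element identifier 0x22 is assumed from 3GPP TS 23.040, the sample PDU is constructed, and only the 8-bit data coding scheme is handled.

```python
"""Decode a GSM SMS-DELIVER TPDU and show both the originating address and any
UDH Reply Address Element, rather than letting the latter replace the former."""

# Information Element Identifier for the Reply Address Element; assumed value
# taken from 3GPP TS 23.040 (the article itself does not name it).
REPLY_ADDRESS_IEI = 0x22


def decode_address(data: bytes, pos: int) -> tuple[str, int]:
    """Decode an address field: digit count, type-of-address octet, then
    swapped-nibble BCD digits (odd length padded with 0xF)."""
    ndigits, toa = data[pos], data[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = data[pos + 2:pos + 2 + nbytes]
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # type-of-number: international
    return prefix + digits, pos + 2 + nbytes


def parse_sms_deliver(tpdu: bytes) -> dict:
    """Return originator, reply-to (if a UDH reply element is present) and text."""
    udhi = bool(tpdu[0] & 0x40)           # TP-UDHI: a User Data Header follows
    originator, pos = decode_address(tpdu, 1)
    dcs = tpdu[pos + 1]                    # TP-DCS sits right after TP-PID
    pos += 2 + 7 + 1                       # skip TP-PID, TP-DCS, 7-octet TP-SCTS, TP-UDL
    reply_to = None
    if udhi:
        udhl = tpdu[pos]
        ie_pos, end = pos + 1, pos + 1 + udhl
        while ie_pos + 2 <= end:           # walk the information elements
            iei, iedl = tpdu[ie_pos], tpdu[ie_pos + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(tpdu, ie_pos + 2)
            ie_pos += 2 + iedl
        pos = end
    # Only the 8-bit data coding scheme is decoded here; 7-bit unpacking is omitted.
    text = tpdu[pos:].decode("latin-1") if (dcs & 0x0C) == 0x04 else None
    return {"originator": originator, "reply_to": reply_to, "text": text}


def render(msg: dict) -> str:
    """Show both numbers whenever they differ, so the origin is never lost."""
    if msg["reply_to"] and msg["reply_to"] != msg["originator"]:
        return f"From {msg['originator']} (replies go to {msg['reply_to']}): {msg['text']}"
    return f"From {msg['originator']}: {msg['text']}"


# Constructed sample TPDU (not a real capture): originator +15555550100, a UDH
# reply address of +15555550199, and the 8-bit text "Call us".
SAMPLE_TPDU = bytes.fromhex(
    "440B915155550501F0000421807121030000120A22080B915155550591F943616C6C207573"
)

if __name__ == "__main__":
    print(render(parse_sms_deliver(SAMPLE_TPDU)))
```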