Other smartphone platforms offer more secure SMS than iPhone, says mobile security firm.
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
A flaw discovered recently in Apple's iPhone could allow nefarious people to hack SMS messages. According to AdaptiveMobile, the iPhone stands alone with this security hole. AdaptiveMobile tested the exploit in the iPhone and compared it to Android, BlackBery, Symbian, and Windows Mobile. All the other platforms remained secure in their treatment of SMS messages.
The bug, unearthed by researcher pod2g, essentially allows hackers to spoof the reply-to number in a text message. Doing this could let unsavory types send messages that appear to come from one entity (such as your bank), but that direct the responses elsewhere. The security researcher warned that such spoofing could be used to trick iPhone users into revealing personal information via text message that could then be used to gain access to personal accounts.
"Historically, the 'reply-address' field was introduced to allow users to reply to texts which were 'broadcast' from information agencies or marketing firms," said Cathal McDaid, security consultant at AdaptiveMobile. "These broadcast systems may not be capable of receiving messages, so this system allows for more interaction."
AdaptiveMobile says that most handsets now ignore this quirk in the system and treat the reply-address field correctly. Its research confirms this to be true with Google's Android, RIM's BlackBerry, Nokia's Symbian, and Microsoft's Windows Mobile platforms.
"Apple has left a significant vulnerability in its handsets [that] could allow consumers to be fooled and hand over personal details to hackers and criminals," noted McDaid. "This reinforces the importance of handset manufacturers, operators, and security providers collaborating and helping to keep SMS as a secure, reliable, and trusted channel."
Apple responded to the issue, but didn't offer much of a fix.
"Apple takes security very seriously," said Apple in a statement. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
In other words, Apple suggests that users concerned with the security of their smartphone should trust iMessage instead of SMS. iMessage is available only on the iPhone, iPad, iPod Touch, and Apple computers.
Apple has not indicated if it plans to fix the security hole.
Android and Apple devices make backup a challenge for IT. Look to smart policy, cloud services, and MDM for answers. Also in the new, all-digital Mobile Device Backup issue of InformationWeek: Take advantage of advances that simplify the process of backing up virtual machines. (Free with registration.)
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.