InformationWeek: The Business Value of Technology

InformationWeek: The Business Value of Technology
e2 Conference & Expo - Boston 2013
= Member Content
Facebook Twitter Share

E-mail | Print | Permalink | LinkedIn | RSS

Security Researcher Uncovers Apple iOS SMS Bug


Vulnerability in Apple's iOS platform could allow hackers to send phishing messages via text, but there's no need to panic. Yet.


By Eric Zeman
InformationWeek
August 17, 2012 12:03 PM

Apple iPhone 5 Vs. Samsung Galaxy S III: What We Know
Apple iPhone 5 Vs. Samsung Galaxy S III: What We Know
(click image for larger view and for slideshow)
An Apple iOS security researcher who goes by the handle pod2g has unearthed a bug in Apple's iOS platform. The bug, which pod2g says others should know about, is present in all versions of iOS up to and including iOS 6 beta 4. The bug essentially allows hackers to spoof the reply-to number in a text message.

Text messages are of course bits of text sent between cellphones. Americans send billions and billions of them to one another each month. They're such a common form of communication that most people probably never stop to think that they might be insecure.

In a post on his blog, pod2g explains that text message are converted from the original text to PDUs (protocol description units), which are sent to the baseband and then fired off across the network.

"In the text payload, a section called UDH (user data header) is optional but defines [a] lot of advanced features not all mobiles are compatible with," wrote pod2g. "One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else."

Why is this particular bug cause for concern?

Pod2g believes that ne'er-do-wells could send phishing messages via SMS. In one case, a person could receive a message that would appear to come from their bank, requesting information or sending them to a website. If they respond to the message, the reply wouldn't go to the bank, but instead to the phisher. If you're fool enough to send personal information via SMS, then you could be in a bit of trouble.

[ So much for Apple's walled-garden security approach. Apple Security Talk Suggests iOS Limits. ]

For the CSI lovers out there, pod2G also explains that bad guys could send spoofed messages to your device that would appear to have come from you. In other words, pirates or other nefarious types could plant false evidence on someone's iPhone.

Apple hasn't acknowledged the bug, but there's little reason to worry right now. Most financial or other businesses that might send a text message to an iPhone are delivering information, not requesting it. As long as you don't respond to such messages, you'll be fine.

Federal agencies must eliminate 800 data centers over the next five years. Find how they plan to do it in the new all-digital issue of InformationWeek Government. Download it now (registration required).

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)




InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS


Advertisement

InformationWeek Reports

report Mobility's Next Challenge: 8 Steps to a Secure Environment
Taking your company's mobile capabilities to the next level--whether on personally or company-owned devices-requires a lifecycle management plan that encompasses application security, development, distribution, support and enhancement. We show you how to get there and provide insight into five mobile application development options.

report Buyer's Guide: Mobile Device Management
Want the lowdown on nine top MDM products? Our InformationWeek Buyer's Guide is your one-stop guide for choosing an MDM system that match your requirements. ZIP file includes: Detailed comparison charts on security, administration, and platform and reporting features; our full questionnaire; and responses from Absolute Software, AirWatch, Fiberlink Communications, JAMF Software, MobileIron, Odyssey Software, Symantec, Tangoe, and Zenprise.

report Dark Side of Mobile Apps
Companies are rushing headlong to develop applications for Android, Apple and BlackBerry devices. But IT must maintain its secure development lifecycle process or risk a black eye.

report Reducing Mobile Device Risks to Enterprise Data
Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. We offer a framework of four possible strategies to secure the mobile environment.