SMS sender spoofing possible on iOS, what you need to know

There's a big security story blowing through the leaves today, and it affects your iPhone. Uncovered by iPhone hacker Pod2G, the issue involves SMS spoofing and shows up in every version of iOS for the iPhone -- and it's in the current beta of iOS 6.

What is this security problem? Some details follow, and Pod2G shares additional detail in his post as well. Essentially, someone could send you a text that appears to be from a trusted source, when in fact the response will be routed to someone else's device. If you thought a text came from your bank, for instance, you could be tricked into handing over sensitive data.

While it's not something particularly simple to do (you'll need to set up an SMS gateway), I will say the consequences of spoofing SMS can be dire, as courts have used SMS messages as evidence. Harassment by messaging is a real crime, and messaging can be a violation of restraining orders. So aside from the social engineering risk (getting your password by someone pretending to be an authority), the legal consequences could be very real as well.

I spoke with security expert Seth Bromberger, a principal at NCI Security. He noted that while Apple can fix this on their end, the inherent issues with SMS authentication are beyond their scope to fix permanently.

Nevertheless, here are some steps Apple, the industry at large and law enforcement could take, according to Bromberger:

  1. Apple should display the originating number, not trust what the sender has said was the originating number (or at least alert if reply-to != original).
  2. The carriers should ensure that "forging" (I'm using this word but it's not really forgery -- all the person is doing is setting a reply-to that differs from the originating number, apparently in full conformance with the protocol) the originating number is detected (Note: not prevented -- there are legitimate uses for this feature). This may ultimately require protocol changes, but for the majority of the cases, it seems to me a simple ingress check would suffice. (Again, this may have other implications for mass-SMS services like those used during emergency notification, though).
  3. Law enforcement and the judicial system should not rely on the presence of a text message as evidence of a particular activity. They're now exposed (at least on Apple devices) as being as forgeable as unsigned email.

I agree with Seth, and hope that Apple will evaluate how it handles SMS going forward. I also hope law enforcement and carriers take these ideas to heart.
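The check in Bromberger's first two points (show the originating number, and flag a reply-to that differs from it) can be sketched as follows. This is an added example, not code from Apple, a carrier or Pod2G; the names `normalize`, `display_policy` and `Display`, the UK default country code and the sample numbers are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_CC = "44"  # assumption: national-format numbers are UK numbers

def normalize(addr: str, default_cc: str = DEFAULT_CC) -> str:
    """Reduce a sender address to a form that can be compared."""
    s = addr.strip()
    if re.search(r"[A-Za-z]", s):
        return s.casefold()              # alphanumeric sender ID such as "MyBank"
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international dialling prefix
        return "+" + digits[2:]
    return "+" + default_cc + digits.lstrip("0")  # drop national trunk prefix

@dataclass
class Display:
    shown_sender: str   # label the UI puts on the message
    reply_target: str   # where a reply would actually be sent
    alert: bool         # True when the two do not match

def display_policy(originating: str, reply_to: Optional[str]) -> Display:
    """Always label with the originating address; alert if replies go elsewhere."""
    if not reply_to:
        return Display(originating, originating, False)
    mismatch = normalize(originating) != normalize(reply_to)
    # Detect and flag rather than drop: a differing reply-to has legitimate uses.
    return Display(originating, reply_to, mismatch)

# Constructed sample messages: (originating number, reply-to or None)
SAMPLES = [
    ("+44 7700 900123", None),             # no reply-to set
    ("+447700900123", "07700 900123"),     # same number, different formatting
    ("+447700900123", "+447700900456"),    # replies routed to another number
    ("MyBank", "+447700900456"),           # sender ID with a numeric reply-to
]

if __name__ == "__main__":
    for orig, reply_to in SAMPLES:
        print(display_policy(orig, reply_to))
```

Normalizing before comparing keeps the alert from firing when the two fields hold the same number written in different formats.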