iPhone Vulnerability Revealed
Posted on 22nd Aug 2012 @ 10:39 AM
It seems like with every day that goes by, a new kind of hack attack reveals itself to the world. Int his case, a security researcher has found another big vulnerability in your Apple iPhone.
Text messaging is nothing new. We were doing it well before the first smart phone hit the market. But according to an iOS security researcher, the Apple iPhone uses a unique format to deliver text messages that could potentially open the door to hacking.
The researcher posted details about his discovery in his blog. According to the blog, when a text message is sent from an iPhone, the header of the message will say who the message came from, as all phones do. However, Apple iPhones also have an optional header called the User Data Header which allows a person to enter in a different Reply To address.
So what is the problem? The problem is that if a hacker knows the phone number of someone close to you, like a friend or family member, they can actually send a message to your phone and make it appear as though it came from another person. On the iPhone, the message appears so believable that anyone could be fooled into giving away sensitive information.
When Apple heard about the discovery, they responded to the blog with the following official statement:
“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
The problem with that “solution” is that iMessage only works between iOS devices. So, unless everyone you might send or receive text messages from is also using an iPhone, iPad, or Mac OS X to communicate with you, iMessage isn’t actually a feasible fix.
The security researcher who revealed the flaw summed his blog post up with, “Now you are alerted. Never trust any SMS you received on your iPhone at first sight.”
That seems fair, but there are some other elements you can use to determine if the message is legitimate or not. First of all, if you receive a message from someone who is not in your iPhone contacts, it generally shows up as the originating phone number as opposed to “Mom”. As mentioned above, an attacker who knows your mom’s mobile number may be able to send a spoofed message that appears to be from your mom, but a spoofed message from another number should appear as the number itself even if the message claims to be from your mom.
Second, common sense should play a role here as well. If you and your best friend text regularly about the sports, or politics, or what the plans are for the coming weekend, and you receive a text that just says “click this link”, you should be suspicious. If your Mom barely knows what text messaging is, and never really uses SMS, it should alert you that something isn’t right if you get a message out of the blue asking for money.
SMS text messaging is a great tool, but it’s certainly not the most secure. Apple’s implementation of SMS may be more prone to spoofing than other mobile platforms, but you should think twice about clicking links or sharing sensitive information via SMS messaging on any platform.