A French hacker claims he has found a flaw in the commonly used Short Messaging Service (SMS) that lets people send text messages from accounts not their own, similar to how emails are often purportedly sent from a user's email account even though they were not, in a technique known as spoofing. The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said Friday that the vulnerability could let an attacker send a phishing message pretending to be from a bank, credit card company, or other trusted source.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
The hacker demonstrated the flaw on an iPhone. Because the flaw does not involve code execution, an attacker does not need to get malware pass Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.
Apple released a statement saying the flaw was in the SMS protocol itself, not in iOS, and that SMS messages could be spoofed on any carrier service or from or to any mobile device.
Tyler Shields, a senior security researcher at Veracode, told the Kaspersky Lab blog that the flaw needs attention. "At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models," Shields said. "I would rate this attack a medium severity because it relies on tricking the user into doing something specific based on a falsified level of trust."
When a text message is sent through SMS, the sending phone typically converts it to a protocol called Protocol Description Unit (PDU) before the carrier ships it to the telephone number of the recipient.
Within the text payload is a section called User Data Header (UDH) that enables someone to change the reply address of the text, pod2g said. An attacker could use this flaw to show a reply number that is different from where the responding text would actually go. "In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "When you see the message, it seems to come from the reply-to number, and you loose track of the origin."
As a result, an attacker could send a message that seems to come from a bank or other trusted source. This would enable the criminal to either seek personal information or direct the recipient to a phishing website.