back to article White hat warns against iPhone SMS spoofing bug

Security researchers have discovered an iPhone bug that allows for spoofed SMSes with bogus return addresses to be sent to fanbois. The bug creates a means for interested parties to send SMS messages to affected handsets that appear to come from any (arbitrary) number that the sender specifies. The issue specifically affects …


This topic is closed for new posts.
  1. Steve Todd

    Not the risk that its being made out to be

    With SMS there's a FROM and a REPLY TO field. The issue was supposed to be that you could spoof the REPLY TO fields and users would end up sending to a premium number without realising it. The iPhone shows ONLY the REPLY TO number so that won't happen.

    The SMS standard allows to to spoof either sender field, so you're no more secure if you see the FROM number, and a number of bulk SMS systems will show you their internal ID, not the correct ID of the system to contact so that it isn't work using that field instead.

    Conclusion: SMS isn't secure and isn't likely ever to be. Treat with caution.

    1. Ben Tasker

      Re: Not the risk that its being made out to be

      Using the flaw, an attacker might be used to spoof messages from either banks or credit card firms, perhaps inviting potential marks to visit websites under the control of hackers. As such it poses a phishing risk, especially with the increased use of mobile banking, to say nothing about the use of text messages to mobiles for out-of-band online banking authentication.

      That block seems to make it quite clear what the risk is. If I receive a text/email from the bank saying "Please call us on..." I tend to wait for them to contact me, or verify the number first, a lot of people don't. Hell, I can imagine there must be a suitable percentage of people who wouldn't think it odd that a bank was using an 0907 number.

      So, yeah, it's still a big risk for some, though as you say the SMS standard shouldn't be considered nearly as secure as some seem to think it is (usually those who don't get why email isn't either )

      1. Andy Fletcher

        Re: Not the risk that its being made out to be

        You wait for the bank to call you? I always call the bank. I'd never reveal any personal info on an incoming call.

        1. Vic

          Re: Not the risk that its being made out to be

          > I'd never reveal any personal info on an incoming call.

          Some years ago, I got a call purportedly from my bank. They said they wanted to speak to me, and wanted me to verify who I was before they would.

          "No chance", says I.

          "Well, if we can't verify who you are, we can't continue the call" the other guy replied.

          "You're calling me. You need to authenticate yourself to me..."

          He didn't get it.


          1. Synonymous Howard

            Re: Not the risk that its being made out to be

            I had one of those calls from my credit card company saying they wanted to check some transactions to confirm I had made them ... I asked for them to prove who they were when they asked me and they said, no problem just ring us on the published freephone card security number and say you have been called. So I did that instead after checking that the freephone number was the correct one.

            The most freeky calls I get though are from NS&I who have an automated service which rings you up when you want to reset your password ... you get to a point on the website with some random numbers on it and then immediately the phone rings and an automated lady asks you to read out the numbers currently on the screen .. only after you give the correct numbers will the new password be set. It's a net two-factor authentication approach but its just a pity the rest of the NS&I website logon and interface is such a pain to use 8-(

          2. Tom 13

            Re: He didn't get it.

            I've had a similar conversation with someone claiming to be from one of the big banks (one of the American/International banks that is still on the 'too big to fail' list). I'm reasonably sure he was legitimate*, but I still wouldn't give him the info. I don't actually blame him; he was just the phone monkey. The people I do blame are the people who make the decisions about the scripts the phone monkey's read. Yes, I recognize the problem of a bank needing to identify itself to a user, it is still a problem which needs to be solved. I think the first step is recognizing that whoever initiates the call is the one responsible for confirming their ID to the recipient of the call.

            *Because I wouldn't confirm my ID, he wouldn't even tell me vaguely what it was about. And when I first called the main number, they couldn't help me because I had no idea what I was calling about so they had issues getting me to the right department. But eventually I managed to figure out what it was and get it straightened out. I think it was verifying an international internet purchase.

    2. Anonymous Coward
      Anonymous Coward

      The story is what here?

      You get an SMS message that says ' please text back you bank details password and date of birth immediately, please include you mothers maiden name and if you have forgotten you password please yet immediately or call this number.'

      And there are those that do!

      Amazing but not confined to iOS.

  2. Only me!

    is iSO open source now?

    Must have missed the article where Apple made iSO open that is the only reason for "security holes / viruses"

    I get all my Tech news from Disney now!

  3. Anonymous Coward

    So much nonsense about this

    SMS is a relatively open system, if you have access to a SMSC (like most bulk SMS sending companies do) you can spoof From addresses. There's a plethora of websites that let you do it to any phone, not just iPhones.

    I pulled pranks like this on friends years ago, well before the iPhone, and it hasn't changed yet, just like people can fake e-mail addresses.

    Even if Apple showed the numbers as the jailbreaker-cum-security-expert says it would offer no improvement since it all fields can be faked. Probably why I don't know of any phone that shows both numbers.

  4. Anonymous Coward
    Anonymous Coward

    What a load of bull. This has been possible way way before IOS was even dreamed up. Using a gateway service, like for example you are able to set the number people see on the receiving end.

    It's been possible for years now, and suddenly it's a security risk?

  5. Anonymous Coward
    Anonymous Coward

    SMS has its flaws, it;s a bit old hat and limited. But every replacement would use the data connection like MMS and be a pig to set up. So we're stuck with it.

    1. Anonymous Coward
      Anonymous Coward

      MMS is susceptible to spoofing as well.

  6. Anonymous Coward

    Not new, not iPhone specific - it's a SMS/carrier issue

    From back in 2009, almost exactly the same language:

    "Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source. This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site"

    "The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks

    "This is a carrier issue" Miras said. "We disclosed to them and they're working on a fix."

  7. Anonymous Coward


    As others have said, this has existed for almost as long as SMS, it's not iPhone specific. You can go and buy a £50 USB modem(or use an old nokia phone of course) and spoof till the late hours.

    I'm sure I heard that Samsung invented it though....

    1. VinceH

      Re: duh...

      "I'm sure I heard that Samsung invented it though..."

      But Apple's logic is that if they're doing something similar to what someone else is already doing, then the other party must be copying them.

      Therefore, by their own logic, Apple are to blame for this.

  8. Anonymous Coward
    Anonymous Coward

    > Specifically, iPhones don’t display the phone number of the indivdual who sent you a message, just whatever name they choose to type in.

    Nothing specific about the iPhone, my Samsung Galaxy S3 does exactly the same. Although it wouldn't surprise me if they also copied this from Apple as I think AOSP does it differently.

  9. A Non e-mouse Silver badge


    So you can set a fake reply to address in a text message, and iOS shows that. So what ?

    You do know you can fake the From & Reply-To addresses on e-mail, and ALL clients will use them ?

    And what about phone numbers ? You can fake the "from" number on ordinary phone calls. How else do you think you get phone calls from 0800 numbers ?

    1. JOKM
      Paris Hilton

      Re: *Yawn*

      I regularly put my enemies addresses on the backs of my envelopes.

      Totally agree, I in fact have, legally and ethically, changed both sms and email headers.

      Most dangerous ones are service indication messages, which can trick users into installing all sorts of nasty things on their mobile devices, and pretend its a network pushed update.

  10. Kevin (Just Kevin)

    Only Smartphones?

    " User Data Header component of SMS text messages, which defines advanced features only used in smartphones"

    WHAT? UDH is used to do multipart messages and Nokia picture messages and operator logos which worked back in the previous century! The entire mobile content industry was later built in the 2000's based on UDH - Nokia pictures and operator logos and ringtones primarily.

  11. Anonymous Coward

    ""Apple takes security very seriously," the firm said in a statement"

This topic is closed for new posts.

Other stories you might like