
iPhone Bug Allows SMS Spoofing

Soulskill posted more than 2 years ago | from the working-as-intend-ish dept.


Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."


92 comments


What is old is new again... (2, Insightful)

Anonymous Coward | more than 2 years ago | (#41029889)

Pretty much iOS hides the SMS equivalent of the From: field, and only shows the Reply To: field

Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

Re:What is old is new again... (4, Interesting)

stephanruby (542433) | more than 2 years ago | (#41030083)

Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.

Re:What is old is new again... (1)

Anonymous Coward | more than 2 years ago | (#41030617)

Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification...

E-mail and HTTP requests don't do handshaking in the manner in which you appear to be thinking. There is no two-way verification involved.

HTTP != SSL, and while there are certain things that can be done to help verify identity with e-mail (SPF, reverse DNS, et cetera), these aren't - as much as people would like them to be - part of SMTP itself.

Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

Erm, please click this link to log in and change your password?

Re:What is old is new again... (1)

stephanruby (542433) | more than 2 years ago | (#41031093)

Erm, please click this link to log in and change your password?

Ah ok! Now, I get it. I had not thought of that scenario. I was thinking of the account set up process when they first send you an email, or an sms, with a code in there for you to reenter in the web site, or send back to them.

Indeed, you're right. What you're describing is a problem.

Re:What is old is new again... (-1, Offtopic)

tongxili (2710379) | more than 2 years ago | (#41032513)

Sales rolex watches, High-quality rolex watches,Top brand watches,all luxury watches for sale cheap and cheapest only $59 ,Buy cheap watches online at http://www.replicawatches007.com./

Re:What is old is new again... (2)

SpelledBackwards (587772) | more than 2 years ago | (#41033591)

I wanted to also mod this as offtopic, but then I began to wonder if tongxili knows someone is spoofing his name.

Re:What is old is new again... (2)

ls671 (1122017) | more than 2 years ago | (#41033799)

You can add callerid on phone calls which is funnily trusted enough by banks and others, when you activate your credit card for example. Callerid is easily spoofed if you get a VOIP account for a few cents.

Many VOIP providers even give you a 25 cents credit to try the system for free without verifying your identity. Yet, many people believe callerid as the plain truth when they see a call coming in.

There are so many weak authentication schemes that are trusted by the majority of people and institutions; some other posters could probably add to the list.

Re:What is old is new again... (2)

nedlohs (1335013) | more than 2 years ago | (#41030087)

Sure if you ignore that the From: field is also set entirely by the sender to anything they want.

Re:What is old is new again... (1)

Baloroth (2370816) | more than 2 years ago | (#41030131)

Any authentication that authenticates the user using SMS (which is the only SMS authentication I'm aware of) will be unaffected, since it isn't like sending a fake code that looks like it is from Google will do anything more than a fake code from some random number. No, the only case where it can do real damage is in phishing attacks, by sending the user to a fake site to do a password reset or the like. Which, really, people should have learned not to do anyways, with how often stuff like that happens in email. It's still a problem, since some people will follow a link in an SMS that appears to come from their bank, but they shouldn't.

Re:What is old is new again... (2)

93 Escort Wagon (326346) | more than 2 years ago | (#41030365)

My bank has made a big deal about having an iPhone app, being able to do photo deposits of checks with an iPhone, etc. So I can see both the motivation for exploiting this and how such an exploit might be successful.

Re:What is old is new again... (0)

Anonymous Coward | more than 2 years ago | (#41030843)

Please elaborate on how it might be successful.

Re:What is old is new again... (0)

Anonymous Coward | more than 2 years ago | (#41031309)

Idiots, who as GGP said, shouldn't click links in random SMSes, will click those links, because they're idiots. (Don't give me that lack-of-domain-specific-knowledge-!=-idiot speech; it was valid circa 2000, but anyone who's managed to avoid/ignore everybody preaching the anti-phishing gospel since then is an idiot, and a damned persistent one at that.) And since banks like making money off everyone, idiot or no, they've inadvertently removed the idiots' most effective line of defense: the (mistaken) assumption that banking has nothing to do with your smartphone.

Re:What is old is new again... (1)

morcego (260031) | more than 2 years ago | (#41030165)

Pretty much iOS hides the SMS equivalent of the From: field, and only shows the Reply To: field

Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

Actually, all e-mail fields can be forged. Which is why digital signatures are so important.

Re:What is old is new again... (1)

Em Adespoton (792954) | more than 2 years ago | (#41030475)

Digital signatures can also be faked and sometimes even forged... it's just a bit more difficult.
Are you really going to suspect a perfectly legit looking email signed as coming from "Blizzard Entertainment Plc."? Unless you happen to already know that all communication from them comes from "Blizzard Entertainment Corp." the signature likely wouldn't help much. Plus, I've seen a LOT of corporate stuff using signatures that are expired or do not belong to them -- and this is legitimate stuff.

Re:What is old is new again... (2)

ethanms (319039) | more than 2 years ago | (#41030629)

Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

So? This doesn't affect them I don't think--the SMS based authentication I've seen with my bank and Google all involve them sending me a code which I enter on their site. This issue wouldn't cause any problems with that.

Re:What is old is new again... (1)

adolf (21054) | more than 2 years ago | (#41032393)

This doesn't affect them I don't think--the SMS based authentication I've seen with my bank and Google all involve them sending me a code which I enter on their site. This issue wouldn't cause any problems with that.

This being Slashdot, you are probably fairly immune to phishing attacks by virtue of approaching every unexpected communique with a measured level of mistrust. However, the rest of the world is not necessarily so afflicted.

It will affect folks exactly as much as email-based phishing attacks with forged headers have in the past.

Re:What is old is new again... (3, Insightful)

msauve (701917) | more than 2 years ago | (#41031331)

"a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them"

Their problem. They have poorly designed systems. The spoof mentioned is no different from what anyone can do with email, simply.

There are legitimate reasons to allow a sender to signify a different "from" number. One example might be someone using Google Voice, where they want to send an SMS via the carriers network (where a different phone number is associated), but have it appear as coming from the GV number to the recipient (or same, via an SMS gateway from a PC, etc.).

For security, similar to the common password reset procedures via email, sites might accept a request via SMS, but then return a necessary confirmation code to the "from" number. Even if you can send an SMS which appears to be from an arbitrary number, you can't get the reply (and confirmation code) unless you're actually associated with that number.
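The two-way handshake stephanruby and msauve describe (accept a request, send a confirmation code to the number on file, and only act when that code comes back) can be written down as a small verifier. This is an added example, not code from the thread or from any carrier or bank; the numbers, the `send_sms` callback and the in-memory "outbox" standing in for the carrier are constructed for the demonstration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a challenge code is valid for five minutes


class SmsOutOfBandVerifier:
    """Authorises an SMS-originated request by sending a code to the number on
    file and requiring it back. The sender field of the incoming SMS is never
    treated as proof of identity; it only selects which registered number
    receives the challenge, so a spoofed 'from' gains the spoofer nothing."""

    def __init__(self, registered_numbers, send_sms, now=time.time):
        self.registered = set(registered_numbers)
        self.send_sms = send_sms      # callable(destination_number, text)
        self.now = now                # injectable clock for testing expiry
        self.pending = {}             # number -> (code, expiry timestamp)

    def receive_request(self, claimed_from, body):
        # claimed_from is untrusted: anyone can put any number in the header.
        if claimed_from not in self.registered:
            return "ignored: unknown number"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[claimed_from] = (code, self.now() + CODE_TTL_SECONDS)
        # The challenge goes to the *registered* number, whoever sent the request.
        self.send_sms(claimed_from, f"Reply with code {code} to confirm: {body}")
        return "challenge sent"

    def confirm(self, number, submitted_code):
        """True only if the code sent to `number` comes back unexpired."""
        entry = self.pending.get(number)
        if entry is None:
            return False
        code, expiry = entry
        if self.now() > expiry:
            del self.pending[number]
            return False
        ok = hmac.compare_digest(code, submitted_code)  # constant-time compare
        if ok:
            del self.pending[number]                     # single use
        return ok


def simulate_spoofed_request():
    """Constructed scenario: an attacker sends a request whose header claims the
    victim's number. Returns what each party ends up with."""
    outbox = {}  # constructed stand-in for the carrier: number -> delivered texts

    def send_sms(to, text):
        outbox.setdefault(to, []).append(text)

    victim, attacker = "+15550000001", "+15550000002"  # constructed numbers
    verifier = SmsOutOfBandVerifier([victim], send_sms)
    verifier.receive_request(claimed_from=victim, body="reset password")

    real_code = verifier.pending[victim][0]
    # The attacker never sees the code; the best they can do is guess.
    guess = "000000" if real_code != "000000" else "000001"
    attacker_ok = verifier.confirm(victim, guess)
    victim_ok = verifier.confirm(victim, real_code)
    return {
        "attacker_received": len(outbox.get(attacker, [])),
        "victim_received": len(outbox.get(victim, [])),
        "attacker_ok": attacker_ok,
        "victim_ok": victim_ok,
    }


if __name__ == "__main__":
    print(simulate_spoofed_request())
```

The design point is that the spoofable field only routes the challenge; possession of the registered number, demonstrated by returning the code, is what authorises the action. A service that instead acted on the request because the header "came from" a known number would be the half-handshake the thread is criticising.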

Re:What is old is new again... (0)

Anonymous Coward | more than 2 years ago | (#41032389)

You have no idea. The name of the protocol is SS7. The modern one is SIGTRAN (SS7 encapsulated into IP).
Both are basically the equivalent of SMTP when it comes to sending messages: you can specify the sender you want, including any arbitrary alphanumerical string.
The problem is not so much that it's possible - it's that people aren't aware of it.

Beyond that, note that a direct access to a reputable SS7 trunk (which isn't that difficult to obtain - a malicious party could do it by hacking into any number of poorly protected company networks that has such an access) will not only allow you to send such messages: you'll also be able to obtain the IMSI/IMEI of any subscriber, and also to locate (with GPS coordinates) any subscriber based simply on its MSISDN (phone number). The location won't be perfect - basically the same thing as the "network location" feature available on modern smartphones, and it won't work on old networks, but basically any modern one will support it.

I used to work in telecoms and sent several messages from 'GOD' as a trick to friends. There *must* be nefarious people somewhere with the same access, and probably a lot of them.

Re:What is old is new again... (0)

Anonymous Coward | more than 2 years ago | (#41036283)

NO NO NO.

What idiot just clicks on a link in an email or by extension and SMS text? Common sense security tells you that.

Here's a TEDx talk on security that explains why and more. http://www.youtube.com/watch?v=oHg5SJYRHA0

Problem with the iPhone, or the cell system? (5, Insightful)

Bradmont (513167) | more than 2 years ago | (#41029907)

I'm no apple fanboy by any stretch of the imagination, but this seems like a security vulnerability with the cell phone system, not with the app. No client should ever be trusted in a network security context, and this is no different. It may have shown up as a bug in the iPhone software, but it is the cell networks that should have protection against these sorts of things...

Re:Problem with the iPhone, or the cell system? (5, Insightful)

GameboyRMH (1153867) | more than 2 years ago | (#41029995)

It is sort of design flaw in the cell phone system that the phone has any say in the matter, but that's a done deal and now this is a bug in the phone. This is the sort of thing that should be firmware-controlled.

Re:Problem with the iPhone, or the cell system? (3, Funny)

mapsjanhere (1130359) | more than 2 years ago | (#41030067)

Apple doesn't make mistakes, it's not a bug, it's a feature.

Re:Problem with the iPhone, or the cell system? (0)

Anonymous Coward | more than 2 years ago | (#41030189)

well for Cat Facts it is a feature.

Re:Problem with the iPhone, or the cell system? (0)

Anonymous Coward | more than 2 years ago | (#41030375)

This is the sort of thing that should be firmware-controlled.

No it isn't. That would appear to improve security by making spoofing more difficult, but it would be no barrier for the determined.

Re:Problem with the iPhone, or the cell system? (0)

Anonymous Coward | more than 2 years ago | (#41031587)

This is the sort of thing that should be firmware-controlled.

No it isn't. That would appear to improve security by making spoofing more difficult, but it would be no barrier for the determined.

Just like passwords... and we know those are not used anywhere because a "determined" attacker will sooner or later guess it.

Mitigating the issue in firmware should be done, only a -apologist could see it otherwise.

Re:Problem with the iPhone, or the cell system? (2)

starfishsystems (834319) | more than 2 years ago | (#41031107)

I'm more inclined to describe it as an inherent SMS vulnerability that one particular product happened to touch.

Will fixing the iPhone make this vulnerability go away? No. Anyone who wants to exploit it simply has to find a hackable cell phone, or engineer one for themselves.

Re:Problem with the iPhone, or the cell system? (1)

pixelpusher220 (529617) | more than 2 years ago | (#41030079)

Since it's relatively easy to 'spoof' the caller-id that is transmitted when you make a call (so your call appears to come from someone else), it seems rather surprising a similar spoof of the ID on a txt msg would be likewise easy.

Of course I don't know how to do the former but I watched Mitnick do it on Leo Laporte's TechTV show in about 30 seconds...

I also don't know that SMS would be likewise spoofable, but it would seem to follow since both are going over the same network no?

Re:Problem with the iPhone, or the cell system? (1)

bill_mcgonigle (4333) | more than 2 years ago | (#41030321)


Of course I don't know how to do the former but I watched Mitnick do it on Leo Laporte's TechTV show in about 30 seconds...

Ooh, I'll have to find this. I have my work PBX forward calls to my cell and it really sucks that the callerID gets lost.

Re:Problem with the iPhone, or the cell system? (0)

Anonymous Coward | more than 2 years ago | (#41030379)

Mitnick didn't just do it on the fly. He just had access to a phone system that would allow it. I can change the caller ID from my work phone to whatever I want for the name, but only spoof numbers in our DID range. Any competent voice gateway provider does the same; if they opened it to their whole phone system it would be insane.

Re:Problem with the iPhone, or the cell system? (1)

pixelpusher220 (529617) | more than 2 years ago | (#41030571)

The phone companies claimed you couldn't do it either. Then Mitnick showed them that, yes in fact you could.

Hell he was even in court as an expert witness and flatly refuted the Phone Co. rep who said X couldn't be done and he asked for a short recess and got his documentation and then the Rep had to admit yes X could be done.

I'll take the word of someone who 'owned' the system rather than someone paid by the system to talk about the system.

Did it require a 'special' phone, perhaps, but I've not seen any documentation on that...sources?

Re:Problem with the iPhone, or the cell system? (1)

ls671 (1122017) | more than 2 years ago | (#41033849)

No, not that insane. VOIP providers allow you to set the callerid to whatever you want so you can set the callerid to the real callerid on calling card platforms, for example. Trusting callerid and using it as an authentication means is insane although...

http://slashdot.org/comments.pl?sid=3056227&cid=41033799

Re:Problem with the iPhone, or the cell system? (1)

Anonymous Coward | more than 2 years ago | (#41030111)

No, the receiving iPhone is using data that comes from the sending phone rather than the tower. This is definitely an iPhone issue. This is why Apple is pushing for security so hard recently: it was laughable a few years ago, as is trusting data from a remote phone.

Re:Problem with the iPhone, or the cell system? (3, Interesting)

Obfuscant (592200) | more than 2 years ago | (#41030449)

No, the receiving iPhone is using data that comes from the sending phone rather than the tower. This is definitely an iPhone issue.

Not limited to iPhone. I have yet to find an Android SMS app that doesn't discard the sending "number" in favor of anything that looks like an email address in the body of the message.

T-Mobile has an email to SMS gateway that copies the From and Subject headers into the front of the message separated by '/'. They send these SMS from a number in the 3-4 thousand range, and keep a back-mapping so a reply to that SMS number will go back to the email sender. EVERY SMS app I've seen on Android pulls the email address from the body of the SMS message and throws away the reply-to number. That means I can never reply to an email I get via SMS, except through the phone's email app. Which has a different email address associated with it.

Anyone know an SMS app for Android that does NOT do this?

Re:Problem with the iPhone, or the cell system? (1)

mythosaz (572040) | more than 2 years ago | (#41030515)

Google Voice?

Re:Problem with the iPhone, or the cell system? (1)

Obfuscant (592200) | more than 2 years ago | (#41030971)

Not the same thing at all. That appears to be a VOIP app that runs on your phone, creating its own phone number from which you can send text messages (not sure if they're SMS or MMS or what.) I'm talking about being able to send SMS TO the number an SMS came from, and not having that number stripped from the incoming message.

Re:Problem with the iPhone, or the cell system? (1)

sjames (1099) | more than 2 years ago | (#41030127)

It isn't. This is the SMS version of a reply-to field. There is no problem if the actual source AND the reply-to are displayed. The problem comes in when the iPhone shows the reply-to number as the source.

Sorta like if you hang your house key on a hook next to the doorknob on the outside, it isn't the door or the lock that is defective.

Re:Problem with the iPhone, or the cell system? (1)

Obfuscant (592200) | more than 2 years ago | (#41030489)

The problem comes in when the iPhone shows the reply-to number as the source.

No, the problem is when the phone (Android in my case) throws away the reply-to number and displays some email address. That breaks the ability to reply via SMS. If you don't have the number, you don't know what number to use to reply, huh?

Re:Problem with the iPhone, or the cell system? (1)

sjames (1099) | more than 2 years ago | (#41031603)

That is broken, but at least not an opportunity for fraud.

Re:Problem with the iPhone, or the cell system? (1)

Em Adespoton (792954) | more than 2 years ago | (#41030545)

That reminds me: I've got to make myself a bunch of random keys and hang them around my neighbours house.

I wouldn't do it to my own, as anyone attempting to use them might eventually get frustrated and just break the lock or smash a window....

I agree though; the problem isn't that the iPhone can set the originating SMS value, it's that the receiving devices choose to trust the end user over the tower's data (which they also receive as part of the handshake).

Re:Problem with the iPhone, or the cell system? (0)

Anonymous Coward | more than 2 years ago | (#41030205)

Not quite. The problem isn't that the protocol and SMSC (forwarding/post-office) allow an arbitrary (i.e. forged) sender field. Rather, from a carrier's perspective it's payload. WYSIWTG (What You Type Is What They Get). Not entirely unlike the difference between true SMTP headers (which were always susceptible to forgery, but that's beside the point), and what 99.9% of mail clients display.

Re:Problem with the iPhone, or the cell system? (1)

guruevi (827432) | more than 2 years ago | (#41032253)

Correct, the SMS specification allows for one to set their own header. All you have to do is write your own app to send SMS'es or use any of the random SMS gateways all which allow you to set your from field. Even Google Voice allows you to do it (although they verify your phone number first)

Why trust everything to these little devices. (3, Insightful)

Anonymous Coward | more than 2 years ago | (#41029941)

I don't understand why people even do banking on a device that is so easily lost. And before people start screaming at me, please know that this is coming from someone who had his bank account broken into from using only legitimate ATMs from actual banks (didn't even know there was such a thing as a card skimmer).

More secure than desktop.. (1)

SuperKendall (25149) | more than 2 years ago | (#41030369)

I don't understand why people even do banking on a device that is so easily lost.

Because it's also more easily wiped.

You'd really be better off banking only on mobile devices with proper passcodes set, and knowing how to remote-wipe on demand.

Your desktop or laptop could easily be stolen too, but is harder for most people to set up a real remote-wipe on.

Re:More secure than desktop.. (1)

Dan541 (1032000) | more than 2 years ago | (#41031599)

If you use whole drive encryption then you don't need to remote wipe your laptop.

Foolhardy (2)

SuperKendall (25149) | more than 2 years ago | (#41031959)

If you use whole drive encryption then you don't need to remote wipe your laptop.

Since the new owner has an infinite amount of time to brute force the login that decrypts the whole drive, why is that really better than being sure?

Re:Foolhardy (1)

Dan541 (1032000) | more than 2 years ago | (#41032153)

Because whole drive encryption guarantees they can't get in. While remote wipe is throwing all caution to the wind and hoping for the best.

Ideally the ability to shut down an encrypted laptop should be in place in case it's stolen while unlocked. But encryption is the only thing that can really protect data that's in the hands of a thief.

One is the same, only better... (1)

SuperKendall (25149) | more than 2 years ago | (#41032737)

Because whole drive encryption guarantees they can't get in. While remote wipe is throwing all caution to the wind and hoping for the best.

No.

iOS remote wipe is based on whole drive encryption. It scrambles the decryption block so nothing can get in, ever.

So you have only whole drive encryption, vs. whole drive encryption where you can ALSO tell the system to toast the whole storage instantly.

Because whole drive encryption guarantees they can't get in.

What part of "infinite time to brute force the password" did I not make clear? A laptop will not wipe the storage after a million tries. Most people's passwords are simple enough (or, hell stored on a sticky note in the laptop bag) that they can be guessed if anyone makes a reasonable attempt.

Whole drive encryption is not enough, real security is defense in depth - not relying on any one thing.

Re:One is the same, only better... (1)

Dan541 (1032000) | more than 2 years ago | (#41032975)

What part of "infinite time to brute force the password" did I not make clear?

It's a moot point to talk about infinite time. You might as well talk about an attacker using magic spells, because neither exists. If someone wants to dedicate thousands of centuries trying to break into my laptop, I say let them at it. They are going to run out of time, which is certainly not infinite.

In the statistically impossible event that they did decrypt my drive what they now have is.... an encrypted drive. In total they need to decrypt it three times to get at the data.

Re:One is the same, only better... (1)

mjwx (966435) | more than 2 years ago | (#41033333)

What part of "infinite time to brute force the password" did I not make clear?

It's a moot point to talk about infinite time. You might as well talk about an attacker using magic spells, because neither exists. If someone wants to dedicate thousands of centuries trying to break into my laptop, I say let them at it. They are going to run out of time, which is certainly not infinite.

In the statistically impossible event that they did decrypt my drive what they now have is.... an encrypted drive. In total they need to decrypt it three times to get at the data.

Actually, time is infinite.

You are finite, I am finite, the entire planet is finite. Time is infinite.

But I don't ever buy into something that is "uncrackable". We've had claims about "uncrackable" encryption before and every time technology improves or some flaw is found that allows the encryption to be cracked in short order. So to claim any encryption is "uncrackable" is foolish because it assumes that cracking technology and methods will not improve in the future.

Also when it comes to iphones, most people have a short 4 digit passcode using numbers only, off the top of my head that's about 5000 ish permutations. Modern cracking software will have that done in an hour.

People arguing that "encryption is safe" need to learn security is a process, not a technology. Being secure is more about limiting exposure and knowing what to do when compromised. If my work laptop gets stolen, I'd immediately notify the IT dept (which just happens to be me) and change my passwords. The same is true for any mobile device.

Re:One is the same, only better... (0)

Anonymous Coward | more than 2 years ago | (#41033829)

Also when it comes to iphones, most people have a short 4 digit passcode using numbers only, off the top of my head that's about 5000 ish permutations. Modern cracking software will have that done in an hour.

The iPhone, like Windows Mobile, introduces an increasing delay between incorrect attempts, so guessing even a four digit passcode is unlikely. Local wipe after 10 attempts seals the deal. I did recently hear about a claim that someone got around the delays, but it's too late to look for a link...
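SuperKendall's point that a remote wipe on an encrypted device works by "scrambling the decryption block" rather than overwriting the data, and this post's point about escalating delays and a local wipe after ten failures, are both instances of one design: keep the data key only in wrapped form, and make erasure or a lockout the destruction of that wrapped key. The example below is added here and is not Apple's or anyone else's implementation; the ten-attempt limit and delay schedule are constructed, PBKDF2 stands in for the device's key derivation, and an HMAC-SHA256 counter-mode keystream stands in for AES because the Python standard library has none.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10        # assumption: wipe after ten wrong passcodes
KDF_ITERATIONS = 100_000  # assumption: PBKDF2 work factor for the passcode


def _keystream_xor(key, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    A stand-in for AES so the key-wrapping logic can run stand-alone."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class EncryptedDevice:
    """Storage encrypted under a random data key; the data key is kept only
    wrapped under a passcode-derived key (the 'effaceable' block)."""

    def __init__(self, passcode, plaintext):
        self.salt = os.urandom(16)
        data_key = secrets.token_bytes(32)
        kek = self._kek(passcode)
        # One-time XOR wrap: the 32-byte KEK is used once, for this one key.
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        # Lets unlock() tell a wrong passcode from a right one.
        self.key_check = hmac.new(data_key, b"key-check", hashlib.sha256).digest()
        self.ciphertext = _keystream_xor(data_key, plaintext)
        self.failures = 0
        self.wiped = False

    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, KDF_ITERATIONS)

    def delay_before_next_attempt(self):
        """Escalating lockout in seconds: free for the first five failures,
        then one minute doubling with each further failure (constructed)."""
        if self.failures < 5:
            return 0
        return 60 * 2 ** (self.failures - 5)

    def unlock(self, passcode):
        """Returns the plaintext, or None. Counts failures and wipes at the limit."""
        if self.wiped:
            return None
        kek = self._kek(passcode)
        data_key = bytes(a ^ b for a, b in zip(self.wrapped_key, kek))
        check = hmac.new(data_key, b"key-check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.key_check):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.remote_wipe()
            return None
        self.failures = 0
        return _keystream_xor(data_key, self.ciphertext)

    def remote_wipe(self):
        """Crypto-erase: destroying the wrapped key makes the ciphertext
        unrecoverable even with the right passcode. The (possibly large)
        ciphertext itself never has to be overwritten, which is why the
        wipe is instant."""
        self.wrapped_key = bytes(32)
        self.key_check = bytes(32)
        self.wiped = True


if __name__ == "__main__":
    dev = EncryptedDevice("4821", b"account ledger")  # constructed passcode/data
    print(dev.unlock("4821"))
    for _ in range(MAX_ATTEMPTS):
        dev.unlock("0000")
    print(dev.wiped, dev.unlock("4821"))
```

The thread's disagreement about copying the device and attacking a copy is visible in the code: the attempt counter and the wipe live in `EncryptedDevice` state, so they only help while the original holds the only copy of `wrapped_key`; what an attacker with a full image still has to defeat is the passcode-derived `kek`, which is why the work factor of `_kek` and the passcode length matter.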

Re:One is the same, only better... (1)

mjwx (966435) | more than 2 years ago | (#41044381)

Also when it comes to iphones, most people have a short 4 digit passcode using numbers only, off the top of my head that's about 5000 ish permutations. Modern cracking software will have that done in an hour.

The iPhone, like Windows Mobile, introduces an increasing delay between incorrect attempts, so guessing even a four digit passcode is unlikely. Local wipe after 10 attempts seals the deal. I did recently hear about a claim that someone got around the delays, but it's too late to look for a link...

So ridiculously easy to get around it's not funny.

First off, if you have physical access to the device (which was assumed by the GP, the phone was stolen) then you simply make a copy of it and crack the copy in an emulator, actually you crack the copy of the copy so if it gets wiped you just start a new copy and continue cracking. So at worse, this increases the crack time to a few hours as disk IO becomes a problem.

Never crack the original copy is computer forensics 101.

Far less secure than desktop. (1)

mjwx (966435) | more than 2 years ago | (#41033279)

Because it's also more easily wiped.

Wrong.

So very wrong.

Once I have your device, I simply disconnect it from the network. Plug it into a machine I control, copy the data wholesale (bit by bit) and take my time on reading it. Both Android and iPhone have a bootloader that allows this. As all the Jailbreaking groups have shown us, it's trivial to break Apple's security.

Phones are emphatically not safe, any data you store on there is much easier for an attacker to get to simply because an attacker can get a phone easier than your laptop.

Your only defence against this is to _NOT_ store sensitive data on any mobile device (phone or laptop). So using banking applications that store data on the device itself are inherently insecure. The secure way to do banking (or any high security transaction) on a mobile device is to use a web site, then you only have to worry about your banks servers being stolen (or your end point being compromised, but for the purposes of this argument I'll assume you know how to keep that secure).

Re:Why trust everything to these little devices. (1)

stephanruby (542433) | more than 2 years ago | (#41030389)

I don't understand why people even do banking on a device that is so easily lost.

So we avoid situations like yours below.

And before people start screaming at me, please know that this is coming from someone who had his bank account broken into from using only legitimate ATMs from actual banks (didn't even know there was such a thing as a card skimmer).

Assuming I don't lose my phone, if someone ever makes an unauthorized transaction on my account -- I'll know it within 5 to 10 seconds.

What about you?

How long did it take *you* to find out someone was using your account? And if I do lose my phone, I'm assuming that my pin isn't a good means of security either, but usually if my phone is missing, I'll notice that it is missing within the hour.

Now I'm not saying my set up is secure by any means, it's not, but then again nothing is really secure. And in my opinion, doing security by obscurity doesn't work, security by obscurity will only make banking less convenient for me and it will make the system more obscure to me as well -- thus nullifying my ability to rectify the situation quickly should something unexpected happen.

Re:Why trust everything to these little devices. (1)

Zarian (797222) | more than 2 years ago | (#41030777)

Not sure why it posted as AC. It took me a day, when I tried to use my ATM card and found that my entire bank account was emptied out. The bank was supposed to call me; it then took over 1 month to get my money back. Thank goodness I had friends and family to help me out. I made damn well sure to never use that bank again. I'm not talking about security through obscurity, where did I talk about that? All I asked was why do people trust doing banking on their cell phone or any electronic device? I don't use my computer for banking. I actually go to the bank. Is convenience worth having your life completely turned upside down or ruined? These are just questions I would like to understand the answers to. Let me rephrase the question: why do we trust things that are so easily compromised?

Re:Why trust everything to these little devices. (1)

Zarian (797222) | more than 2 years ago | (#41030785)

Damn, meant to not post as AC

Re:Why trust everything to these little devices. (1)

mjwx (966435) | more than 2 years ago | (#41033257)

I don't understand why people even do banking on a device that is so easily lost. And before people start screaming at me, please know that this is coming from someone who had his bank account broken into from using only legitimate ATMs from actual banks (didn't even know there was such a thing as a card skimmer).

This is why I don't use "apps" for banking on my mobile.

I do use my mobile for banking but I use the banks website and never, ever store my username or password in the device itself (this is true for all devices I bank on). This way they never have a complete picture of my account number, let alone my password. They may know I bank with NAB from my bookmarks and browser history but that's it.
With a decent mobile site, which my bank has, a dedicated banking application is completely superfluous and, as you pointed out, a huge risk if the device is lost. If you use the site rather than the app, you're in effect not using the device for banking, you're using the device to access a server that does your banking.

That's not news (5, Informative)

psergiu (67614) | more than 2 years ago | (#41030149)

As long as you are allowed to mess with the SMS message header, you can do this on ANY phone - it's part of the GSM standard - Small Message Service was intended for testing & internal use; nowhere is it stated that the "Sender" field must be the actual sending phone number. In fact, that field is alphanumeric, you can put anything in there, not just numbers. Also, there's nothing in the GSM network to prevent this, the message is routed by destination, not by sender.

I was sending "faked" messages like those over 10 years ago using the "service" menus on old Nokia & Motorola GSM phones.

Anyone relying on those SMS headers for authentication is either stupid or malicious.

Re:That's not news (1)

Anonymous Coward | more than 2 years ago | (#41030451)

So why can't the networks stuff in the true sender's ph# when passing the sms?

Re:That's not news (1)

guruevi (827432) | more than 2 years ago | (#41032263)

Why bother? Does your e-mail provider modify your e-mail headers?

Re:That's not news (1)

KZigurs (638781) | more than 2 years ago | (#41059747)

Because SMS is a store and forward system. There is no way to authenticate origin, only destination (well, implicitly, by it being reachable).

Re:That's not news (1)

ethanms (319039) | more than 2 years ago | (#41030569)

Mod this one up... def. is not anything new.

Re:That's not news (1)

Anonymous Coward | more than 2 years ago | (#41030691)

Actually, there is something the GSM network can do. All messages are routed through an SMSC, and that knows who you are, so there is nothing stopping the network from ignoring what you say and setting what it knows about you as the sender instead. In fact, most sane networks do this.

Not that it makes any difference though, since any network that has an agreement with your network can send any sender it wants, and there are hundreds of networks out there; you should never trust what the sender of an SMS says.

Re:That's not news (0)

Anonymous Coward | more than 2 years ago | (#41031563)

It isn't anything new at all.

My company recently completed a portal for a medium sized telephone company, and part of the website we developed has a small SMS application. The messages are sent to the phone company via SMPP, which is then sent out to the phones as SMS. There's zero authentication or security in these data packets. None. I can "send" a message from any phone number I choose.

SMTP is similar. Do you want to send a message from "god@heaven.com"? Cool, just telnet to your favorite SMTP server and send away. I was doing that stuff back in middle school.

The telcos are very much like the old Internet - there's very little security because when all this stuff was developed people just didn't expect people to be doing anything malicious.

Re:That's not news (1)

silas_moeckel (234313) | more than 2 years ago | (#41031711)

This is no different than faking caller ID info; I've been able to do that since I first got access to an ISDN line (caller ID info is sent as part of call setup on pretty much any digital phone system). That does not mean it's untraceable.

As to security, if your bank is doing more than sending you a one-time PIN to your cellphone they have issues. Granted a shared secret PIN generator is probably a better idea, but sending an SMS works with nearly everything now, no app required on the client side.

Re:That's not news (1)

anethema (99553) | more than 2 years ago | (#41033151)

It is news, because you are misunderstanding what the bug is.

The "sender" is not what is being spoofed here. What the bug is, is that the "reply-to" field, if filled in, will be displayed as the sender.

So say 555-555-5555 sends a text, but fills in reply-to as 444-444-4444. On any sane phone, the phone would show the source, AND the reply to, and prob give you the option of who to actually reply to.

Instead the iPhone simply discards the source if it sees a reply-to and shows the reply-to field AS the source in your conversation.

It is not a problem with someone faking SMS headers to show a different source. Anyone with an account on an SMS gateway could make one of these messages in theory, without breaking the GSM standard. It is definitely an iPhone bug, not a GSM one.

Re:That's not news (0)

Anonymous Coward | more than 2 years ago | (#41033541)

And I assume writing an SMS client that can exploit this on any phone platform is actually easy, and I also had a 2G card on my Windows laptop that could send SMS messages. As I wanted replies to come to my cell, I was able to change the sender number there too. Nothing to see here, move along..

Re:That's not news (0)

Anonymous Coward | more than 2 years ago | (#41034737)

"Small Message Service..."

1) It's short message service, not small message service

"... was intended for testing & internal use"

2) I don't know where you get this twaddle from, but that's utter nonsense. It was specced from the start for widescale deployment.

So what? (1)

nedlohs (1335013) | more than 2 years ago | (#41030175)

The only thing SMS authentication stuff is used for is for the bank/etc to send you an SMS with a code in it that you need to enter to login. How does someone else sending you a non-working code at a time you likely aren't trying to login to your bank/etc anyway possibly matter in the slightest?

Sure some people probably thought they could trust the sender information on an SMS, and it not being so might enable some shenanigans (sending X a rude/etc message that seems to be from Y), but I can't see how it damages two factor authentication via SMS.

Re:So what? (0)

Anonymous Coward | more than 2 years ago | (#41030297)

They send you a working code on a malicious site and ask you to update your personal login, passw ....

Re:So what? (2)

nedlohs (1335013) | more than 2 years ago | (#41031257)

Which won't help them because they still don't have the SMS from the bank for the other half of the two factor authentication.

Re:So what? (4, Insightful)

Em Adespoton (792954) | more than 2 years ago | (#41030619)

The method is:
1) send you a fake email telling you to log into your account to update your settings/read the policy change/etc.
2) link to a phishing site, which pulls all the assets from the legit bank, but redirects the password form
3) trigger an SMS event just like the real bank, to send you the token needed to log in to the phishing site
4) harvest your account info.
5) Profit!

However, it'd make more sense to just make the phishing site a proxy and let the actual bank send the SMS token to the customer. That way, the customer logs in for them, and they can then do whatever they want....

Re:So what? (0)

Anonymous Coward | more than 2 years ago | (#41030837)

You still won't be able to get the real token the bank sends the customer as an SMS, which is the whole point of the SMS token system.

Re:So what? (0)

Anonymous Coward | more than 2 years ago | (#41031119)

As you log into the malicious site, the site attempts to login to your real bank which will send a real code via SMS. The malicious site says "sorry wrong code, sending you another one please try again." You enter the new, real code and they use it to login to your account and transfer your money away.

Re:So what? (2)

nedlohs (1335013) | more than 2 years ago | (#41031279)

And why do they need the fake SMS code step in the first place? They can just do the "site attempts to login to your real bank which will send a real code via SMS" step without bothering with it.
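The sub-thread above turns on whether a relaying site can reuse the real code the bank sends. The usual defensive answer is to bind the code to the exact action it approves and to say so in the message text, so a code captured for one transfer is useless for another. The following is an added example, not code from the thread or from any bank; the HMAC derivation, the key, the account names and the nonce are all constructed for illustration.

```python
"""
Added example (not from the thread): an SMS confirmation code bound to the
transaction it approves, so a code relayed through an intermediary site cannot
authorise a different transfer. Key, accounts and nonce are constructed.
"""
import hashlib
import hmac
import secrets


def transaction_code(key: bytes, amount_cents: int, dest_account: str, nonce: str) -> str:
    """Six-digit code derived from the exact transfer the server will execute."""
    msg = f"transfer|{amount_cents}|{dest_account}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sms_text(amount_cents: int, dest_account: str, code: str) -> str:
    """Message sent to the customer: the code and what it approves, in one place."""
    return (f"Code {code} approves a transfer of ${amount_cents / 100:.2f} "
            f"to account {dest_account}. Ignore if that is not what you requested.")


def verify_transfer(key: bytes, amount_cents: int, dest_account: str,
                    nonce: str, submitted: str) -> bool:
    """Recompute over the transfer the server is about to run, not the one the user saw."""
    expected = transaction_code(key, amount_cents, dest_account, nonce)
    return hmac.compare_digest(expected, submitted)


def login_code(key: bytes, nonce: str) -> str:
    """Contrast: a code bound only to a login nonce, not to any action."""
    digest = hmac.new(key, f"login|{nonce}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_login(key: bytes, nonce: str, submitted: str) -> bool:
    return hmac.compare_digest(login_code(key, nonce), submitted)


def new_nonce() -> str:
    """Per-transaction nonce; a server would store it with the pending transfer."""
    return secrets.token_hex(8)


def relay_scenario(key: bytes) -> dict:
    """
    Walk through the thread's scenario with a fixed nonce: the customer types the
    genuine code they received. A login-only code verifies for whatever session
    presents it; a transaction-bound code fails as soon as the destination differs.
    """
    nonce = "constructed-nonce-0001"
    code = transaction_code(key, 10_000, "ACCT-CUSTOMER-SAVINGS", nonce)
    return {
        "unbound_login_relayed": verify_login(key, nonce, login_code(key, nonce)),
        "bound_code_same_transfer": verify_transfer(
            key, 10_000, "ACCT-CUSTOMER-SAVINGS", nonce, code),
        "bound_code_redirected": verify_transfer(
            key, 10_000, "ACCT-RELAYER", nonce, code),
    }


if __name__ == "__main__":
    key = b"constructed-server-secret"
    print(sms_text(10_000, "ACCT-CUSTOMER-SAVINGS",
                   transaction_code(key, 10_000, "ACCT-CUSTOMER-SAVINGS", "n")))
    print(relay_scenario(key))
```

The point of `sms_text` is as important as the derivation: the customer can only refuse a code for a transfer they did not request if the message tells them what the code approves.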

It's part of user data,not phone system data. (1)

Animats (122034) | more than 2 years ago | (#41030229)

The cell phone system itself doesn't look in the user data header. It's in the text area, and an in-band extension to SMS. Many programmable phones let applications send whatever they want in the user data header.

This is only a problem for phones and SMS gateways dumb enough to believe any ID information in the user data header. Now if Apple displays the source in the user data header in place of the telco-provided source, they're doing it wrong.
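Both this comment and anethema's reply in the "That's not news" thread describe the same thing: the reply address lives in the in-band User Data Header, while the originating address is supplied by the network, and a client should never show the former in place of the latter. The following is an added example, not Apple's code or anything from the thread, of how a receiving client can decode the UDH and render the message with both addresses kept distinct. The information element identifier 0x22 for the Reply Address Element and its address layout are assumptions about 3GPP TS 23.040 and should be checked against the spec; the sample bytes are constructed, not captured traffic, and the body is treated as plain 8-bit text rather than GSM 7-bit packed data.

```python
"""
Added example (not from the original thread): decode the User Data Header
(UDH) of a received SMS and render it the way a defensive client should.
The network-supplied originating address (TP-OA) stays the displayed sender;
a reply address carried in the UDH is user data and is shown only as such.
Sample bytes below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed identifier for the 3GPP TS 23.040 "Reply Address Element"; the
# element body is assumed to use the same layout as a TP-OA address field.
IEI_REPLY_ADDRESS = 0x22


def decode_address(field: bytes) -> str:
    """Decode a GSM address field: digit count, type-of-address, reversed-nibble BCD."""
    ndigits = field[0]
    toa = field[1]
    raw = field[2:2 + (ndigits + 1) // 2]
    nibbles = []
    for b in raw:
        nibbles.append(b & 0x0F)   # low nibble holds the earlier digit
        nibbles.append(b >> 4)
    digits = "".join(str(n) for n in nibbles[:ndigits])
    # Type-of-address with numbering type 001 means an international number.
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def parse_udh(user_data: bytes) -> Tuple[Dict[int, bytes], bytes]:
    """Split user data into {IEI: element body} and the remaining message body."""
    udhl = user_data[0]
    header = user_data[1:1 + udhl]
    elements: Dict[int, bytes] = {}
    pos = 0
    while pos + 2 <= len(header):
        iei, iedl = header[pos], header[pos + 1]
        elements[iei] = header[pos + 2:pos + 2 + iedl]
        pos += 2 + iedl
    return elements, user_data[1 + udhl:]


@dataclass
class Rendered:
    sender: str
    reply_to: Optional[str]
    text: str
    warning: Optional[str]


def render(tp_oa: str, user_data: bytes, udhi: bool) -> Rendered:
    """Build what the conversation view should show for one received message."""
    reply_to = None
    body = user_data
    if udhi:                               # TP-UDHI set: user data starts with a UDH
        elements, body = parse_udh(user_data)
        if IEI_REPLY_ADDRESS in elements:
            reply_to = decode_address(elements[IEI_REPLY_ADDRESS])
    warning = None
    if reply_to is not None and reply_to != tp_oa:
        warning = f"Replies will go to {reply_to}, not to the sender {tp_oa}"
    # Body treated as plain 8-bit text for this example; real handsets also
    # unpack GSM 7-bit and UCS-2 user data, which is out of scope here.
    return Rendered(sender=tp_oa, reply_to=reply_to,
                    text=body.decode("latin-1"), warning=warning)


# Constructed sample: originating address as the network delivered it, and a UDH
# carrying reply address +1 444-444-4444 (11 digits, international, BCD).
SAMPLE_TP_OA = "+15555555555"
SAMPLE_USER_DATA = bytes([
    0x0A,                                   # UDHL: 10 header octets follow
    IEI_REPLY_ADDRESS, 0x08,                # IEI, IEDL
    0x0B, 0x91,                             # 11 digits, international number
    0x41, 0x44, 0x44, 0x44, 0x44, 0xF4,     # digits 1 4 4 4 4 4 4 4 4 4 4 + filler
]) + b"Your account is locked, reply to unlock"

if __name__ == "__main__":
    print(render(SAMPLE_TP_OA, SAMPLE_USER_DATA, udhi=True))
```

The design choice is simply that `sender` is always `tp_oa`; the UDH can add information to the view but never replace the network-supplied field, which is the behaviour the comment above says a correct client should have.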

Re:It's part of user data,not phone system data. (1)

ark1 (873448) | more than 2 years ago | (#41030267)

Exactly, complaining about spoofing of an SMS originator phone number from iPhone is similar to complaining about spoofing of the "From" field of an email address.

Much easier ways to do this. (0)

Anonymous Coward | more than 2 years ago | (#41030309)

Sign up online for txt messaging service. Said service asks you what number you want txts to appear to come from.

Send txt messages to your heart's content.

Burner app (1)

bhlowe (1803290) | more than 2 years ago | (#41030355)

The dude who tracked down his stolen bike in Seattle used "Burner" app to spoof his CallerID... http://www.engadget.com/2012/08/09/burner-iphone-app-disposable-number/ [engadget.com] http://www.youtube.com/watch?v=9-GVpIaPEGM [youtube.com]

Re:Burner app (1)

EkriirkE (1075937) | more than 2 years ago | (#41030637)

That wasn't spoofing, that was just a secondary texting/phone app. Like google voice.

Standard Safety procedures (1)

fermion (181285) | more than 2 years ago | (#41030497)

It sounds like following standard practices is in order. You should have all secure sites you visit bookmarked. Safari and Chrome sync the bookmarks between devices. One should never go to a secure site from an email or text. I can't tell you how many emails I get trying to get me to log into eBay or PayPal or a bank using an almost legitimate URL.

The one thing I use SMS for is as a one time pad. A code is sent to me, which I enter as a secondary login credential. Nothing in the text leads me to the site. I have never assumed that SMS is any more secure than email, and I don't think there is any reason to do so.

Of course, if this is a real bug, it needs to be fixed. There are a lot of people out there who depend on a relatively secure SMS system to carry on affairs. It is also worth noting that an iPhone does not use SMS by default, but messaging if possible.

Walled garden (0, Troll)

Dunbal (464142) | more than 2 years ago | (#41030565)

Aren't you glad you're in the walled garden? Look who you've been walled in with...

Re:Walled garden (1)

jo_ham (604554) | more than 2 years ago | (#41034661)

Aren't you glad you're in the walled garden? Look who you've been walled in with...

Yes, I am worried we're walled in with the GSM standard...

That's the issue here, of course.

But mentioning the iPhone in relation to stuff like this is this season's "on a computer!!!!" appended to the end of a "new" patent that was all the rage a few years ago.

Spoofed headers in SMS messages have been possible since the adoption of the GSM standard - the SMS system was simply never designed with its eventual use in mind in the first place. No one imagined users would be using it to send messages to each other.

Not unique to iPhone (0)

Anonymous Coward | more than 2 years ago | (#41030567)

There are android apps which are designed to do just this. No glitch required, just install the app. With the plethora of no contract and inexpensive android phones available this would be a much better option for a would-be fraudster.

email or SMS, nothing to see here... (1)

pbjones (315127) | more than 2 years ago | (#41030663)

It isn't new, and it isn't an iPhone app bug, it's the way the SMS system was built. The way most SMS PIN things work is that you are accessing the bank via another means and the bank sends you a PIN via SMS, so faking the sender serves no purpose. An SMS requesting your details should be ignored, like similar emails. The researcher who 'discovered' the bug needs to learn about GSM and SMS.

and we're not using the apple icon for this... (0)

Anonymous Coward | more than 2 years ago | (#41030907)

why?...

captcha: fascism

Re:and we're not using the apple icon for this... (0)

Anonymous Coward | more than 2 years ago | (#41033807)

Who the fuck cares what your captcha is? Idiot!

iOS shows the recipient if you reply (1)

rabtech (223758) | more than 2 years ago | (#41031215)

iOS shows you who will actually receive the message if you reply, which given the choices is probably the best option.

This hole is not unique to iOS, nor new. In fact it is only a hole insofar as you open a hyperlink from the message.

The real bug is that the carrier gateways don't validate the messages.

Breaking news! (1)

wamatt (782485) | more than 2 years ago | (#41032643)

This just in, a flaw has been discovered in Email, allowing an attacker to arbitrarily spoof the From: address.

All hell is bound to break loose.

wtf? (0)

slashmydots (2189826) | more than 2 years ago | (#41032723)

"The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from."

That's not a security flaw, that's just unbelievably stupid design. Didn't they learn how big of a problem caller ID spoofing was? It should never have been put in there. I guess Apple really is sincerely bad at security.

Epic facepalm (2)

dackroyd (468778) | more than 2 years ago | (#41032885)

Totally non-authenticated communication method found to be not authenticated! More details at 11.

I can't believe that this is news to anyone. Do you really think that people who send marketing, information or run 'adult' services via SMS have a huge bank of mobile handsets with people sitting typing messages into them?

No - they have computers that connect to a bulk SMS supplier (e.g. the company I used to work for http://www.dialogue.net/sms_toolkit/ [dialogue.net] ) that allows them to send SMS with any Originating Address that they choose whether that's someone's phone, a shortcode or the name of the company.

Mobile phone operators do sometimes implement limits on what can be set for the O.A. for messages entering their network but there just isn't the infrastructure in place to authenticate what is set for the O.A. within the network.

And it's already being exploited (0)

Anonymous Coward | more than 2 years ago | (#41040035)

Received this SMS today:
"Congratulations, your number made you Apple's winner! Go to http://www.apple.ca.freebie.cc and enter code 0000 to claim your free Apple product!"
Lots of people report receiving the same SMS from different numbers. All the reports are from yesterday or today.
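The message quoted in this comment is a good specimen for the one check that actually matters here: the host name borrows "apple.ca" as subdomain labels, but the registrable domain is freebie.cc. The following is an added example, not part of the thread, of a small detector that extracts links from SMS text, works out the registrable domain against a (constructed, deliberately tiny) public-suffix list, and flags a link when a brand keyword appears in the host or the message but the registrable domain is not one the brand owns; the brand allowlist is constructed too, and a real deployment would load the full public-suffix list.

```python
"""
Added example (not from the thread): flag SMS phishing links whose host name
borrows a brand as a subdomain label while the registrable domain belongs to
someone else.  The suffix list and brand allowlist are small constructed subsets.
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed subset of a public-suffix list; a real tool loads the full list.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "cc", "ca", "uk", "co.uk"}

# Constructed allowlist: brand keyword -> registrable domains that legitimately use it.
BRAND_DOMAINS: Dict[str, Set[str]] = {"apple": {"apple.com", "apple.ca"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> Optional[str]:
    """Return the longest known public suffix plus one label (e.g. freebie.cc)."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):          # longest candidate suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def analyze_sms(text: str) -> List[dict]:
    """One finding per URL; suspicious when a brand appears but the domain is not its own."""
    findings = []
    lowered = text.lower()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        labels = host.lower().split(".")
        reasons = []
        for brand, allowed in BRAND_DOMAINS.items():
            if reg in allowed:
                continue                              # brand's own domain: nothing to flag
            if any(brand in label for label in labels):
                reasons.append(f"'{brand}' used as a subdomain label under {reg}")
            elif brand in lowered:
                reasons.append(f"message mentions '{brand}' but links to {reg}")
        findings.append({"url": url, "host": host, "registrable_domain": reg,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# The text reported in the comment above, used here as the sample input.
SAMPLE_SMS = ("Congratulations, your number made you Apple's winner! Go to "
              "http://www.apple.ca.freebie.cc and enter code 0000 to claim your "
              "free Apple product!")

if __name__ == "__main__":
    for finding in analyze_sms(SAMPLE_SMS):
        print(finding)
```

The detector deliberately ignores the sender number entirely, for the reasons the rest of the thread gives: the link target is the part of the message the recipient can actually verify.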
