A hacker recently discovered a spoofing issue with Apple's iOS that could lead to serious mobile phishing problems. How can enterprise information security teams help iOS users protect themselves from this issue?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The spoofing attack identified by iOS security researcher pod2g could be used for phishing mobile device users in general, because the same issue could be found in non-iOS devices. Other researchers have identified vulnerabilities in the SMS functionality of iOS before, such as in 2008, when Charlie Miller and Collin Mulliner discovered that a malformed SMS message could crash the iPhone. In the vulnerability identified by pod2g, a fake phone number is set as the reply-to for the SMS message. The SMS protocol allows the sender to set the reply-to field in a SMS message to any phone number independent of the from field. The receiver would see that the SMS message is from one phone number and have the reply sent to a different phone number. This could allow a SMS message to look more legitimate, which is exactly what a typical phishing email tries to do.
Enterprise information security teams can help protect iOS users from this issue by advising users to keep their iOS devices up to date (which should already be standard advice) and to critically evaluate the messages they receive. Critically evaluating SMS messages, emails and many other communications will help users avoid problems with phishing attacks. To critically examine SMS messages, users should focus on who sent the SMS and the content of the SMS message. Apple could release an update that makes it more apparent who sent a SMS message and where the reply is being sent, but until that happens, enterprises might also want to review this presentation on mobile phishing by Adrienne Porter Felt and David Wagner.
This was first published in February 2013