A hacker recently discovered a spoofing issue with Apple's iOS that could lead to serious mobile phishing problems....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
How can enterprise information security teams help iOS users protect themselves from this issue?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The spoofing attack identified by iOS security researcher pod2g could be used for phishing mobile device users in general, because the same issue could be found in non-iOS devices. Other researchers have identified vulnerabilities in the SMS functionality of iOS before, such as in 2008, when Charlie Miller and Collin Mulliner discovered that a malformed SMS message could crash the iPhone. In the vulnerability identified by pod2g, a fake phone number is set as the reply-to for the SMS message. The SMS protocol allows the sender to set the reply-to field in a SMS message to any phone number independent of the from field. The receiver would see that the SMS message is from one phone number and have the reply sent to a different phone number. This could allow a SMS message to look more legitimate, which is exactly what a typical phishing email tries to do.
Enterprise information security teams can help protect iOS users from this issue by advising users to keep their iOS devices up to date (which should already be standard advice) and to critically evaluate the messages they receive. Critically evaluating SMS messages, emails and many other communications will help users avoid problems with phishing attacks. To critically examine SMS messages, users should focus on who sent the SMS and the content of the SMS message. Apple could release an update that makes it more apparent who sent a SMS message and where the reply is being sent, but until that happens, enterprises might also want to review this presentation on mobile phishing by Adrienne Porter Felt and David Wagner.
Dig Deeper on Handheld and Mobile Device Security Best Practices
Related Q&A from Nick Lewis
When it comes to state-sponsored attacks infecting mobile devices, do users have any chance of tracing the attack? Expert Nick Lewis offers some ...continue reading
Microsoft won't patch certain ASLR bypass flaws, but enterprises still need to protect against them. Expert Nick Lewis explains the threat and how to...continue reading
Threat actors in China are using VPN services to hide and anonymize their attacks. Expert Nick Lewis explains how to get a handle on these ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.