A hacker recently discovered a spoofing issue with Apple's iOS that could lead to serious mobile phishing problems. How can enterprise information security teams help iOS users protect themselves from this issue?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The spoofing attack identified by iOS security researcher pod2g could be used for phishing mobile device users in general, because the same issue could be found in non-iOS devices. Other researchers have identified vulnerabilities in the SMS functionality of iOS before, such as in 2008, when Charlie Miller and Collin Mulliner discovered that a malformed SMS message could crash the iPhone. In the vulnerability identified by pod2g, a fake phone number is set as the reply-to for the SMS message. The SMS protocol allows the sender to set the reply-to field in a SMS message to any phone number independent of the from field. The receiver would see that the SMS message is from one phone number and have the reply sent to a different phone number. This could allow a SMS message to look more legitimate, which is exactly what a typical phishing email tries to do.
Enterprise information security teams can help protect iOS users from this issue by advising users to keep their iOS devices up to date (which should already be standard advice) and to critically evaluate the messages they receive. Critically evaluating SMS messages, emails and many other communications will help users avoid problems with phishing attacks. To critically examine SMS messages, users should focus on who sent the SMS and the content of the SMS message. Apple could release an update that makes it more apparent who sent a SMS message and where the reply is being sent, but until that happens, enterprises might also want to review this presentation on mobile phishing by Adrienne Porter Felt and David Wagner.
Related Q&A from Nick Lewis, Enterprise Threats
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Hybrid threats are becoming an increasing issue for mobile devices. Enterprise threats expert Nick Lewis explains how to mitigate the risk.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.