A hacker recently discovered a spoofing issue with Apple's iOS that could lead to serious mobile phishing problems....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
How can enterprise information security teams help iOS users protect themselves from this issue?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The spoofing attack identified by iOS security researcher pod2g could be used for phishing mobile device users in general, because the same issue could be found in non-iOS devices. Other researchers have identified vulnerabilities in the SMS functionality of iOS before, such as in 2008, when Charlie Miller and Collin Mulliner discovered that a malformed SMS message could crash the iPhone. In the vulnerability identified by pod2g, a fake phone number is set as the reply-to for the SMS message. The SMS protocol allows the sender to set the reply-to field in a SMS message to any phone number independent of the from field. The receiver would see that the SMS message is from one phone number and have the reply sent to a different phone number. This could allow a SMS message to look more legitimate, which is exactly what a typical phishing email tries to do.
Enterprise information security teams can help protect iOS users from this issue by advising users to keep their iOS devices up to date (which should already be standard advice) and to critically evaluate the messages they receive. Critically evaluating SMS messages, emails and many other communications will help users avoid problems with phishing attacks. To critically examine SMS messages, users should focus on who sent the SMS and the content of the SMS message. Apple could release an update that makes it more apparent who sent a SMS message and where the reply is being sent, but until that happens, enterprises might also want to review this presentation on mobile phishing by Adrienne Porter Felt and David Wagner.
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Nick Lewis
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
A new POS malware downloads a RAM scraper to avoid detection. Expert Nick Lewis explains the tricks MajikPOS uses to target retail terminals and how ...continue reading
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.