Answer

Mitigations for mobile phishing problems on the iOS platform

A hacker recently discovered a spoofing issue with Apple's iOS that could lead to serious mobile phishing problems. How can enterprise information security teams help iOS users protect themselves from this issue?

    Requires Free Membership to View

Ask the Expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

The spoofing attack identified by iOS security researcher pod2g could be used for phishing mobile device users in general, because the same issue could be found in non-iOS devices. Other researchers have identified vulnerabilities in the SMS functionality of iOS before, such as in 2008, when Charlie Miller and Collin Mulliner discovered that a malformed SMS message could crash the iPhone. In the vulnerability identified by pod2g, a fake phone number is set as the reply-to for the SMS message. The SMS protocol allows the sender to set the reply-to field in a SMS message to any phone number independent of the from field. The receiver would see that the SMS message is from one phone number and have the reply sent to a different phone number. This could allow a SMS message to look more legitimate, which is exactly what a typical phishing email tries to do.

Enterprise information security teams can help protect iOS users from this issue by advising users to keep their iOS devices up to date (which should already be standard advice) and to critically evaluate the messages they receive. Critically evaluating SMS messages, emails and many other communications will help users avoid problems with phishing attacks. To critically examine SMS messages, users should focus on who sent the SMS and the content of the SMS message. Apple could release an update that makes it more apparent who sent a SMS message and where the reply is being sent, but until that happens, enterprises might also want to review this presentation on mobile phishing by Adrienne Porter Felt and David Wagner.

This was first published in February 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: