Pages

Friday, August 17, 2012

Never trust SMS: iOS text spoofing

I mentioned it on twitter a few days ago, I found a flaw in iOS that I consider to be severe, while it does not involve code execution. I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well.

The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4. Apple: please fix before the final release.

A SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit)  by the mobile and passed to the baseband for delivery.

PDU is a protocol that is pretty dense, allowing different types of messages to be emitted. Some examples : SMS, Flash SMS, Voice mail alerts, EMS,  ...
The specification is large and pretty complex. As an example, just to code the data, there are multiple possible choices : 7bit, 8bit, UCS2 (16bit), compressed or not, ...

If you either own a smartphone, or a modem and an account in a SMS gateway, you can send texts in raw PDU format (some services also exist to send a text with an HTTP request in raw PDU format). For the easiest smartphone option, there are different tools available online. I made one for the iPhone 4 that I will publicize soon.

In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
Most carriers don't check this part of the message, which means one can write whatever he wants in this section : a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.

Why is it an issue ?
  • pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
  • one could send a spoofed message to your device and use it as a false evidence.
  • anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.
 Now you are alerted. Never trust any SMS you received on your iPhone at first sight.