Make in-app payments easy and secure with Apple Pay. Click here to see how.
Welcome Guest | Sign In

Security Sleuths Lay Blame on Apple for SMS Vulnerability

Security Sleuths Lay Blame on Apple for SMS Vulnerability

A recently discovered flaw in the way iOS handles SMS messages gives hackers the ability to spoof identities, and one security outfit has placed blame for the vulnerability squarely on Apple's shoulders. "It's quite unusual for the iPhone to react in this manner," said Cathal McDaid, head of security for AdaptiveMobile. "This makes spoofing much easier."

By John P. Mello Jr.
08/27/12 6:00 AM PT

Research released last week fingered the iPhone as the source of a text messaging exploit that could be used to steal sensitive information from smartphone users or work mischief on their hardware.

The flaw, revealed by a well-known security researcher and jailbreaker of iPhones, involves the "reply to" line in SMS messages.

In its analysis of the SMS flaw, AdaptiveMobile, a mobile security company, found that Android, Windows Mobile, BlackBerry and Symbian phones either ignore the "reply address" field or display both the originating and the reply addresses in the message. In all cases, it isn't possible to automatically reply to a message using "reply to."

The iPhone displays only the "reply to" address. So a text message can be sent from one address but appear to be sent from another.

Most handsets now ignore "reply to," but Apple has left a significant vulnerability in its handsets which could allow consumers to be fooled and hand over personal details to hackers and criminals, AdaptiveMobile's researchers maintained.

"It's quite unusual for the iPhone to react in this manner," Cathal McDaid, head of security for AdaptiveMobile, told TechNewsWorld. "This makes spoofing much easier."

Apple's response the situation was to advise its customers to use its texting service, iMessage. When using iMessage instead of SMS, addresses are verified, which protects against spoofing attacks, it explained.

"That defeats the purpose of having a mobile phone," declared McDaid. "It's to communicate with other people, not just other people with iPhones."

Defending Against DDoS Attacks

Distributed denial of service attacks are a popular weapon used by hacker groups to cripple the websites of those they dislike. While the DDoS attacks that typically grab headlines are launched by hacktivist groups like Anonymous against corporate and government sites, nonprofits and human rights sites are often targets, too. That's why the Electronic Frontier Foundation (EFF) released last week a guide to "Keeping Your Site Alive" in the face of a DDoS assault.

The idea for the free guide occurred to Jillian York, the EFF's Director for International Freedom of Expression, while she was working on a study of the effects of DDoS attacks on human rights and independent media websites. Realizing how vulnerable those sites were, she began thinking about ways to help those organizations fend off such attacks.

"It's not easy to prevent the attacks, but there are things people can do to protect their information so they have it after an attack," she told TechNewsWorld. "Backing up and mirroring are simple techniques that anyone can do to protect their data."

While the targets of DDoS attacks can be varied, sites dealing with contemporary events are often a target. "Right now, Syrian opposition websites get attacked all the time," she said.

Honan's Lesson

If the unfortunate attack on journalist Mat Honan's digital life earlier this month revealed anything about the times we live in, it's the cavalier attitude toward data taken by many consumers. They just don't know what their data is worth until it's gone, according to Stewart Irvine, CEO of Imogo Mobile Technologies, a provider of secure mobile cloud services.

"When I ask people, 'What's your data worth to you?' I usually get a blank expression," he told TechNewsWorld. "Then I ask them, 'What would happen if your smartphone was lost or stolen? A look of shock and dismay comes on their face, and they say, 'That would be disastrous.'"

Honan acknowledged many security sins in a piece he wrote about his experience, not the least of which was failure to backup the data of his digital life. The journalist isn't alone in that boat. "People don't backup their data because they just don't take their data that seriously," Irvine said. "They think, 'It'll never happen to me.'"

Mat Honan probably thought that, too.

Breach Diary

  • Aug. 17: Air Force officials at Wright-Patterson Medical Center in Ohio alerted 3,800 individuals of possible data breach when a notebook containing their names and Social Security numbers was temporarily misplaced after a blood drive. There is no evidence that the information was misused, and it was misplaced for only a short amount of time, the officials said.
  • Aug. 17: The University of Texas M.D. Cancer Center revealed that health information for 2,200 patents was missing after student lost USB thumb drive with the data on it while traveling on a shuttle bus. No Social Security or financial information was on the device, the university said.
  • Aug. 19: The UK newspaper The Telegraph reported sensitive information of 1,367 school children snatched by hackers from education evaluation firm Gabbitas and posted to the Internet. Information included details about personalities, strengths, weaknesses, illnesses and learning difficulties.
  • Aug. 20: Chipmaker AMD took down its blog site after weekend attack in which a group called "r00tBeerSec" defaced a Web page and robbed the SQL file used to manage the site. The site is now back online.
  • Aug. 21: Colorado State University in Pueblo notified 19,000 students and applicants that their personal information may have been exposed when several students accidentally gained access to the information. The students immediately alerted the university to the breach and no records were changed or stolen, according to the letter.
  • Aug. 21: A letter to customers from Bellacor posted to a California breach reporting site stated an unauthorized third-party gained access to some temporary files on the company's website containing customer name, address, phone number and encrypted credit card information. The company did not reveal how many customers were affected, but the breach could affect anyone doing business with the firm from June 7 to July 26. The company noted that it had no evidence that any data had been compromised but was alerting its customers as a precautionary measure.
  • Aug. 22: The University of South Carolina began notifying 34,000 people associated with its College of Education that their personal information may have been compromised in a computer intrusion that occurred three months ago. Information exposed includes names, addresses and Social Security numbers of students, staff and researchers associated with college since 2005. In the last six years, six data breaches have been reported at the university compromising 81,000 records belonging to students and employees at the school.

Calendar


John Mello is a freelance technology writer and former special correspondent for Government Security News.


Facebook Twitter LinkedIn Google+ RSS