Researchers at the Black Hat security conference in Las Vegas on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.
This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious website or ultimately do something else to harm the phone or steal data.
The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior consultant at ISEC Partners, and independent researcher Luis Miras.
They used a jailbroken iPhone for their demos of their proof-of-concept code that allows for bypassing carrier protections for SMS communications by sending specially crafted MMS messages.
SMS communications are used by carriers to do administration on the phone and contact customers. For example, voicemail notifications are often delivered over SMS, according to Lackey.
As a result, such admin messages are trusted by recipients, despite the fact that typically they do not reveal the source of the message and other details, they said. Spoofed messages could appear to come from any trusted company like a bank or PayPal.
"This is a carrier issue," Miras said. "We disclosed to them and they're working on a fix."
The researchers also have shared information with the GSM Alliance, which is providing details of the exploit to carriers, they said.
In one demo, they sent a victim a message that offered a $20 (£12) credit and included a link to a supposedly malicious site. In other demos the researchers sent a fake voicemail alert and sent an SMS that prompted the recipient to accept or decline unknown new phone settings.
If the recipient accepted the changes believing they were something routine from the carrier, an attacker could be using the permission granted to do something behind the scenes, such as route all the phone's internet traffic through an attacker's server instead of a carrier server, which would allow the attacker to spy on all the communications.
The SMS exploits the researchers showed allow an attacker to "bypass the carrier spoofing protections" including anti-malware filtering, Lackey said. The attacks could also be used to find out which operating system a phone is running, so someone could launch an attack targeted for that software, he said.
Lackey and Miras released a tool called TAFT (There's an Attack For That) that automates the implementation flaws that have been fixed. It does not allow for the spoofing issues, which carriers still need to address, they said.
SMS attacks are getting easier because iPhones and Android devices are easily modified and because SMS functionality has been built at higher layers that provide full access to an attacker, said Lackey.
The researchers also said they uncovered an SMS implementation flaw that they exploited to temporarily crash the phone process of an Android phone so no calls or texts could be sent or received. Google fixed that flaw, they said.
They also discovered a flaw in a third-party iPhone app from SwirlySpace that interfered with the phone and texting capabilities, and that too has been fixed, Miras said.
There is little someone can do to protect against these attacks except be wary of SMS messages in general, he said.
