In recent Apple iMessage updates, the way links within an SMS message are handled has changed significantly, and this change poses a real concern for us.
In early 2016 we were the first company in the UK to offer SMShing services. These SMS messages are like phishing emails: they contain a pretext alongside a link within the message. When a mark receives the SMS and clicks the link, a host of details become available to us, and we then report on that action for clients who are conscious about their security.
So what is available to us, and why should this be of concern?
Browser Type – OK, so most iPhones use Safari by default, but knowing the browser type can still be useful, say if you wanted to make sure a phishing email displayed correctly in their web portal. You might also have some super 0day up your sleeve… but now we are just talking hypotheticals.
Device Type – No real issue here, it's an iPhone… and that can be identified anyway by adding the phone number to the contacts on another iPhone and checking whether FaceTime options appear for that contact. Moving on.
IP Address – So here is where it gets interesting. The IP address discloses their cellular provider (if the device isn't on WiFi), which leaves the device open to attacks such as SIM Swap Fraud, covered by us here and used by Vice Media here.
If the Apple device is on a WiFi network, yet more information can be gathered. Revealing your home IP is bad enough, but disclosing the egress address of your work proxy could lead to attacks of a more direct nature. Then there is the rough geographical location an IP can provide, and the information about your ISP… again leaving you open to social engineering vishing calls made directly to them.
The updated iMessage loads the link preview and, in essence, clicks the link for you. That is what irks us about this: the choice.
OK, we might not stop people clicking links any time soon, but Apple has taken that very choice away from us and facilitated the information leakage.
The very act of receiving an SMS message can leave you open to attack, and we don't think that's right. There is also no way to disable this. You can filter messages from unknown senders, but sending the text messages from a spoofed sender ID puts you straight back to square one, as observed in this Reddit comment thread.
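To make the point concrete, here is an added example (not the original post's tooling, nor anything Apple ships): a small Python listener that serves the tracking link sent in the SMS, records the IP address, User-Agent and time of every fetch, and labels each hit as an automatic link-preview fetch or a real click so that a client report does not count a preview as a click. The token-to-recipient map, the phone numbers and the list of preview User-Agent markers are constructed assumptions for the example; build the marker list from what your own server logs show. Either way, the IP address is recorded on the very first fetch, which is exactly the leak described above.

```python
import re
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed for this example: one opaque token per SMShing recipient. The token
# goes in the link sent by SMS (e.g. https://track.example/t/7f3a9c) so a hit can
# be attributed to a person without putting the phone number in the URL.
TOKENS: Dict[str, str] = {
    "7f3a9c": "+44 7700 900123",
    "b21e04": "+44 7700 900456",
}

# Assumption: User-Agent fragments used by messaging apps' link-preview fetchers.
# A hit whose User-Agent matches one of these was produced by the client loading
# a preview, not by the recipient tapping the link. Extend from your own logs.
PREVIEW_UA_MARKERS = (
    "facebookexternalhit", "facebot", "twitterbot", "whatsapp", "telegrambot", "slackbot",
)


@dataclass
class Hit:
    token: str
    recipient: str
    client_ip: str
    user_agent: str
    when: datetime
    kind: str            # "preview" (automatic fetch) or "click" (a real tap)
    ip_is_global: bool   # False for private/reserved ranges, e.g. a lab or proxy


HITS: List[Hit] = []
_LOCK = threading.Lock()


def classify(user_agent: str) -> str:
    """Label a request as an automatic link-preview fetch or a human click."""
    ua = (user_agent or "").lower()
    return "preview" if any(marker in ua for marker in PREVIEW_UA_MARKERS) else "click"


def record(path: str, client_ip: str, user_agent: str,
           when: Optional[datetime] = None) -> Optional[Hit]:
    """Attribute one request to a recipient and store it; None for unknown tokens."""
    match = re.fullmatch(r"/t/([0-9a-f]{6})", urlparse(path).path)
    if not match or match.group(1) not in TOKENS:
        return None
    token = match.group(1)
    try:
        is_global = ip_address(client_ip).is_global
    except ValueError:           # malformed X-Forwarded-For etc.
        is_global = False
    hit = Hit(
        token=token,
        recipient=TOKENS[token],
        client_ip=client_ip,
        user_agent=user_agent or "",
        when=when or datetime.now(timezone.utc),
        kind=classify(user_agent),
        ip_is_global=is_global,
    )
    with _LOCK:
        HITS.append(hit)
    return hit


def summarize(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Per-recipient counts; the client report must show previews and clicks apart."""
    report: Dict[str, Dict[str, int]] = {}
    for h in hits:
        counts = report.setdefault(h.recipient, {"preview": 0, "click": 0})
        counts[h.kind] += 1
    return report


class TrackingHandler(BaseHTTPRequestHandler):
    """Serves the tracked link; every fetch, automatic or not, is logged."""

    def do_GET(self) -> None:
        # Behind a reverse proxy the real client address is in X-Forwarded-For;
        # otherwise it is the socket peer.
        forwarded = self.headers.get("X-Forwarded-For", "")
        client_ip = forwarded.split(",")[0].strip() or self.client_address[0]
        hit = record(self.path, client_ip, self.headers.get("User-Agent", ""))
        body = b"<html><body>Thanks for taking part.</body></html>"
        self.send_response(200 if hit else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        if hit:
            print(f"{hit.when.isoformat()} {hit.recipient} {hit.kind} "
                  f"ip={hit.client_ip} global={hit.ip_is_global} ua={hit.user_agent!r}")

    def log_message(self, *args) -> None:  # silence the default access log
        pass


def serve(port: int = 8080) -> None:
    HTTPServer(("0.0.0.0", port), TrackingHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it, send `https://<your host>/t/7f3a9c` to the recipient's number, and watch the log: on a device that renders link previews the first line arrives before anyone has tapped anything. The `preview`/`click` split is only as good as the marker list, so review the raw User-Agent strings before relying on the summary in a client report.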
Edit: Since this blog blew up, I have been contacted by @_InfoSecDude_, who guided me to research he did on the 22nd of September. Our work wasn't copied, but we definitely had the same idea and bumped heads in the night of the internet! Please check out his blog here: https://protoxin.net/imessage-preview-forging-research-update-1/