iOS flaw facilitates iPhone SMS spoofing

Published Date
18 - Aug - 2012
| Last Updated
18 - Aug - 2012
iOS flaw facilitates iPhone SMS spoofing

A French hacker known as pod2g has identified a text-based iOS glitch that allows scammers to spoof their identifies and make it look like text messages are coming from legitimate sources.

In a Friday blog post, pod2g said he considers the flaw to be "severe" even though it doesn't involve code execution. It affects all versions of iOS, even the most recent beta of iOS 6. "Apple: please fix this before the final release," pod2g wrote.

At issue is a section of a text message payload known as User Data Header (UDH), which includes a number of advanced features. One of those features allows the user to change the reply address of the text. You can send a text from your iPhone, for example, but if the person replies, it'll get sent to your Galaxy S III .

When the option works correctly, pod2g said, the text message recipient will be able to see that they are responding to a different phone number. The recipient phone should either display the secondary number, or "in a good implementation of this feature," pod2g wrote, the original phone number and the new phone number.
"On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin," according to pod2g.

This is problematic because it could allow the scammer to send you a text message that appears to be from your bank with a link that asks you to click and verify account information. If it appears to be coming from a legitimate Bank of America or Chase phone number, it's probably OK, right? Wrong? It's probably a phishing link that could steal your personal data.

"Now you are alerted. Never trust any SMS you received on your iPhone at first sight," pod2g concluded.

The blog post did not indicate if pod2g had alerted Apple to the flaw. The company did not immediately respond to a request for comment.

Cupertino is expected to unveil its next-gen iPhone - and iOS 6 - at an event on Sept. 12, though the company has not yet made any announcements.

Copyright © 2010 Ziff Davis Publishing Holdings Inc


Chloe AlbanesiusChloe Albanesius