French hacker Pod2g has discovered a significant flaw in the way Apple’s iOS handles SMS messages.
“Using the flaw, hackers could spoof their identities via text and send messages asking for private information (by pretending to be from a users’ bank, for example), or direct users to phishing sites,” writes VentureBeat’s Devindra Hardawar. “As Pod2g explains it, an SMS text message is converted to Protocol Description Unit (PDU) when sent from a phone, a dense protocol that also handles things like voice mail alerts and emergency medical systems. If a hacker was able to send a message in raw PDU format, they could take advantage of the User Data Header section to alter the reply number for a text.”
“While all devices are capable of receiving these messages, iOS does not allow you to view the number that you’re replying to,” writes The Verge’s Zenonas Kyprianou. “This enables a malicious sender to fake his identity, making you think that a trusted number is sending the SMS. Because the ‘reply-to’ number is different to the number displayed, iOS would send your message to a hidden number without you realizing.”
“Pod2g said it’s not a flaw that’s exclusive to iOS 6,” writes Gizmodo’s Leslie Horn. “In fact, it’s been a problem since the iPhone first came out five years ago. The takeaway here is that you should be skeptical of any texts asking for private info.”
“Apple said on Saturday that part of the reason it uses iMessage now is to prevent these kind of SMS spoofing attacks,” writes Ars Technica’s Jacqui Cheng. “‘Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attack,’ Apple told Ars. ‘One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.'”