iOS flaw allows SMS spoofing

A well-known hacker claims to have found a significant security flaw in iOS, allowing SMS messages to be spoofed.

Pod2g says that the flaw allows a person to send an SMS with a different address on the ‘reply’ line to that which appears on the ‘from’ line. It means that a fraudster could, for example, send a message purporting to come from your mom and asking to check your bank details.

“Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website,” says Pod2g.

“One could send a spoofed message to your device and use it as a false evidence… anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization [that] texted them.”

Normally, when a user sends a text, it’s converted to Protocol Description Unit (PDU) for delivery. And, says Pod2g, it’s possible to send the message in raw PDU text format, while changing the User Data Header so that the message appears to come from someone else.

“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin,” he says.

The flaw’s been present in every version of iOS so far, says Pod2g – including the upcoming version 6.0 beta 4. He’s alerted Apple – which has so far responded by suggesting that its users should just use iMessage instead.