Apple Responds To iOS SMS Security Flaw
August 19, 2012

iOS Security Flaw Found In SMS Text Messages

redOrbit Staff & Wire Reports - Your Universe Online

Apple officials responded Saturday to a hacker's discovery that text messages could be spoofed on the iPhone thanks to a serious security flaw, and urged people to use iMessage instead of SMS to protect themselves from potential attacks.

According to BGR Executive Editor Zach Epstein, the flaw was revealed by an iOS security researcher on Friday and affects all versions of the operating system, including the most recent beta version of iOS 6. The hacker, known only under the pseudonym "pod2g," says that the flaw has been present in the software since the release of the original iPhone back in 2007.

In his report, pod2g said that the reply-to number displayed when a user views an SMS can be altered to display a different number than the one from which the message originated, Epstein said. Through a simple procedure, cybercriminals can use the exploit to make it seem as though a message was sent by a trustworthy source, but any message sent in reply to the original could be sent to a different destination number.

“In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with,” pod2g explained to BGR. “One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.”

Those spoofed SMS messages could be used to facilitate a phishing scheme in order to access a person's private information, including credit card or bank account numbers, warns AppleInsider writer Katie Marsal. Like email, SMS messages do not authenticate names and addresses in header data, she added.

"Apple takes security very seriously," representatives from the Cupertino, California-based tech giant told Bryan Bishop of The Verge on Saturday. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."

"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," they added, according to PCMag's David Murphy.

Murphy adds that it is currently not known what steps, if any, Apple will take to correct the flaw in future iOS versions.