A hacker with the handle “pod2g” has uncovered an SMS text message flaw in the iPhone’s iOS. The issue involves the User Data Header (UDH) (see Bootnote), which has an option to carry a different reply-to number; this is what allows hackers to spoof SMS text messages. Pod2g* is a well-known hacker and jailbreak developer. So what has pod2g found?
In normal situations, the receiver would see both the original phone number and the reply-to number, but on the iPhone the message appears to come from the reply-to number, and you lose track of the originating number. This makes it easier to spoof and phish, much like the problem we see with email spoofing and phishing.
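To make the difference concrete, here is an added example (not code from the original post, nor anything pod2g released) showing how a messaging client should handle the UDH on the receiving side: parse the header, pull out the reply-to address if one is present, and display it alongside the originating address with a flag when the two differ. The byte layout (UDH length byte, then information elements of IEI/length/data; Reply Address Element IEI 0x22; address fields as digit count, type-of-address, semi-octet BCD digits) follows 3GPP TS 23.040. The sample addresses and header bytes are constructed for the demonstration.

```python
# Added example: defensive rendering of an SMS that carries a UDH reply address.
# Layout follows 3GPP TS 23.040; all sample bytes and numbers below are constructed.

REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" information element (TS 23.040)


def decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Decode semi-octet (BCD) digits, low nibble first; 0xF is padding."""
    digits = []
    for b in data:
        digits.append(str(b & 0x0F))
        hi = b >> 4
        if hi != 0x0F:
            digits.append(str(hi))
    return "".join(digits[:ndigits])


def decode_address(field: bytes) -> str:
    """Decode an address field: digit count, type-of-address, then semi-octets."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa = field[0], field[1]
    nbytes = (ndigits + 1) // 2
    if len(field) < 2 + nbytes:
        raise ValueError("address field truncated")
    number = decode_semi_octets(field[2:2 + nbytes], ndigits)
    # Type-of-number bits 0x10 = international, so render with a leading '+'
    return ("+" if (toa & 0x70) == 0x10 else "") + number


def parse_udh(udh: bytes) -> dict:
    """Split a User Data Header (leading UDHL byte) into {IEI: data} entries.

    Every length is checked so a malformed header raises instead of being
    silently misread.
    """
    if not udh:
        raise ValueError("empty UDH")
    udhl = udh[0]
    if len(udh) < 1 + udhl:
        raise ValueError("UDH shorter than its declared length")
    body = udh[1:1 + udhl]
    ies = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated information element header")
        iei, iel = body[i], body[i + 1]
        data = body[i + 2:i + 2 + iel]
        if len(data) != iel:
            raise ValueError("truncated information element")
        ies[iei] = data
        i += 2 + iel
    return ies


def render_message(originating: str, udh: bytes) -> dict:
    """What a client should show: origin, reply-to (if any) and a mismatch flag.

    The originating address comes from the SMS-DELIVER envelope and is what the
    network actually delivered; the reply-to is sender-supplied and unverified.
    """
    ies = parse_udh(udh)
    reply_to = None
    if REPLY_ADDRESS_IEI in ies:
        reply_to = decode_address(ies[REPLY_ADDRESS_IEI])
    return {
        "from": originating,
        "reply_to": reply_to,
        "reply_to_differs": reply_to is not None and reply_to != originating,
    }


# Constructed sample: delivered from +15551230001, UDH asks replies go to +15559870002
SAMPLE_ORIGIN = "+15551230001"
SAMPLE_UDH = bytes([
    0x0A,              # UDHL: 10 bytes of header follow
    0x22, 0x08,        # Reply Address Element, 8 bytes of address field
    0x0B,              # 11 digits
    0x91,              # international number
    0x51, 0x55, 0x89, 0x07, 0x00, 0xF2,  # "15559870002" as semi-octets, 0xF pad
])

# Constructed sample with only a concatenation element and no reply address
SAMPLE_UDH_NO_REPLY = bytes([0x05, 0x00, 0x03, 0xAB, 0x02, 0x01])

if __name__ == "__main__":
    for udh in (SAMPLE_UDH, SAMPLE_UDH_NO_REPLY):
        shown = render_message(SAMPLE_ORIGIN, udh)
        warn = "  <-- reply-to differs from sender" if shown["reply_to_differs"] else ""
        print(f"From: {shown['from']}  Reply-To: {shown['reply_to']}{warn}")
```

The point of the mismatch flag is the one the post makes: the originating address is what the network delivered, the reply-to address is a free-form field chosen by whoever composed the message, so a client that shows only the latter has thrown away the only trustworthy identifier it had.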
*These types of hackers certainly have their place in our security world, so long as they do not share their detailed findings with the online and offline public.
Pod2g has proved that this proof of concept (POC) / potential flaw (you can look at it either way) can indeed be exploited by hackers if they so wish. It’s important to note right now that there are no reported instances of hackers exploiting this flaw in the wild. Given these findings, Apple suggests using iMessage instead of SMS, because iMessage addresses are verified against spoofing attacks. Apple is correct when it says it is easy to spoof an SMS. It’s also important to note that this flaw is specific to the SMS protocol, not only to iOS: it affects the entire SMS platform.
For those who use iMessage, you will already know that you can only use iMessage when a 3G or Wi-Fi connection is available; otherwise the message you send will default to SMS. So Apple’s statement that users should only use iMessage isn’t always going to be possible. In some instances you can send an iMessage and, although it sends as an iMessage, when you next look at your message threads you notice the original message has been converted into an SMS text.
This isn’t just an Apple problem. Right now, I’d suggest you carry on using iMessage regardless. In the meantime, iOS 6 may well come with a fix for this security flaw.
Are all the other vendors (e.g. BlackBerry, Android, etc.) listening? UPDATE: It does appear that Android, Nokia, Windows and BlackBerry devices handle the reply-to address field correctly, so they will be unaffected by this SMS security flaw.
Safe surfing folks!
Bootnote: This is a device-specific rather than a network issue.