Apple has responded to a French iOS hacker's discovery of a spoofing problem in iOS' handling of SMS. Abused, the flaw gives an attacker a serious opening for phishing, but Apple's response passes the buck somewhat.
SMS was never a secure transport, but on iOS the problem goes a step further: the reply path of a message can be spoofed, says a hacker who goes by pod2g. "The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4… I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," the hacker's blog states.
"In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one."
The risk, then, is phishing. An attacker could send a message that appears to come from a bank; whatever the victim replies with goes to the number the attacker chose rather than the one the victim believes they are answering, so information the victim thinks they are sending securely is collected by the attacker. Granted, most people would not fall for such a scam, but it has happened.
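To make the mechanism pod2g describes concrete, the Python below is an added example, not code from the article or from pod2g. It builds a constructed SMS-DELIVER TPDU whose User Data Header carries a Reply Address Element (information element identifier 0x22 in 3GPP TS 23.040) pointing at a number other than the originating address, parses it back, and flags the mismatch the way a cautious client could before showing the message. The phone numbers, timestamp and lure text are made up, the SMSC prefix is omitted, and only 8-bit data coding is handled so the parser stays short.

```python
"""Constructed example: SMS-DELIVER TPDU with a UDH Reply Address Element.

Builds a TPDU whose originating address (TP-OA) and UDH reply address
(IEI 0x22, 3GPP TS 23.040 section 9.2.3.24) differ, parses it back, and
flags the mismatch. Numbers, timestamp and text are made up for the demo.
Only 8-bit data coding (TP-DCS 0x04) is handled, to keep the parser short.
"""
from typing import Optional

REPLY_ADDRESS_IEI = 0x22  # Reply Address Element, TS 23.040 9.2.3.24


def encode_address(number: str) -> bytes:
    """TS 23.040 address field: digit count, type-of-address 0x91
    (international, E.164), nibble-swapped BCD digits padded with 0xF."""
    digits = number.lstrip("+")
    padded = digits + "F" if len(digits) % 2 else digits
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), 0x91]) + bcd


def decode_address(buf: bytes, pos: int):
    """Decode an address field starting at buf[pos]; return (number, next_pos)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""   # type-of-number: international
    return prefix + digits, pos + 2 + nbytes


def build_deliver_pdu(originator: str, text: str, reply_to: Optional[str] = None) -> bytes:
    """Build an SMS-DELIVER TPDU (SMSC prefix omitted). If reply_to is given,
    a UDH with a Reply Address Element is prepended and TP-UDHI is set."""
    udh = b""
    if reply_to is not None:
        ie = encode_address(reply_to)
        udh = bytes([REPLY_ADDRESS_IEI, len(ie)]) + ie
        udh = bytes([len(udh)]) + udh                      # UDHL, then the IEs
    ud = udh + text.encode("latin-1")
    first_octet = 0x04 | (0x40 if udh else 0x00)          # MTI=00 DELIVER, TP-MMS, TP-UDHI
    scts = bytes.fromhex("21807141030000")                # 2012-08-17 14:30:00 UTC (constructed)
    return (bytes([first_octet]) + encode_address(originator)
            + bytes([0x00, 0x04])                         # TP-PID, TP-DCS = 8-bit data
            + scts + bytes([len(ud)]) + ud)


def parse_deliver_pdu(pdu: bytes) -> dict:
    """Return originator, UDH reply address (or None) and text of a DELIVER TPDU."""
    first_octet = pdu[0]
    if (first_octet & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first_octet & 0x40)
    originator, pos = decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    if dcs != 0x04:
        raise ValueError("this example only decodes 8-bit data (TP-DCS 0x04)")
    pos += 2 + 7                                           # skip TP-PID, TP-DCS, TP-SCTS
    udl = pdu[pos]
    ud = pdu[pos + 1:pos + 1 + udl]
    reply_to, body_start = None, 0
    if udhi:
        udhl = ud[0]
        body_start = 1 + udhl
        i = 1
        while i < body_start:                              # walk the information elements
            iei, iedl = ud[i], ud[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(ud, i + 2)
            i += 2 + iedl
    return {"originator": originator, "reply_to": reply_to,
            "text": ud[body_start:].decode("latin-1")}


def is_reply_path_spoofed(msg: dict) -> bool:
    """True when a reply would go to a number other than the one the message came from."""
    return msg["reply_to"] is not None and msg["reply_to"] != msg["originator"]


def render_for_display(msg: dict) -> str:
    """What a cautious client shows: the real sender, plus a warning if replies go elsewhere."""
    line = f"From {msg['originator']}: {msg['text']}"
    if is_reply_path_spoofed(msg):
        line += f"  [WARNING: replies go to {msg['reply_to']}, not to the sender]"
    return line


if __name__ == "__main__":
    # Constructed lure: the number a reply would reach is not the number the message came from.
    pdu = build_deliver_pdu("+15550100001", "Your card is blocked. Reply with your PIN to unblock.",
                            reply_to="+15550109999")
    print(pdu.hex())
    print(render_for_display(parse_deliver_pdu(pdu)))
```

The check itself is one comparison: if the header carries a reply address and it differs from TP-OA, show both numbers. A client that displays only one of the two fields hands the attacker the choice of which number the victim sees, which is exactly the gap pod2g is pointing at.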
For its part, Apple said that addresses are verified when iMessage is used instead of plain SMS on its devices. Beyond that, Apple adds: "One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS."
Showing the reply address alongside the sender in the iOS SMS display would not be hard; perhaps Apple judges the development time not worth it. So if you are not using iMessage, be careful, and as mentioned, do not act on unsolicited messages asking for sensitive information, whatever the sender field shows.
"Now you are alerted. Never trust any SMS you receive on your iPhone at first sight," pod2g concluded.