Take note, iPhone users, as a new security flaw has been discovered that could be used to spoof the reply phone number of a text message. Uncovered by an iOS security researcher known as pod2g, the hole utilizes an option in the Protocol Description Unit (PDU), which is the protocol that allows different messages to be sent on mobile devices. Inside the PDU is a section called the User Data Header (UDH) that allows users to change the reply-to number of a message, among other things. This means that a message could be altered to feature a reply-to number that's different than the actual number that sent the message. The problem is that iOS devices don't show the actual sender's number, just the reply-to number that may be faked. This flaw reportedly exists in all versions of iOS, including the latest beta of iOS 6.
Using this method of SMS spoofing, a sender could try to get the recipient to send personal information by posing as a trusted party or to click on a link to a malicious website. It may seem obvious to some that sensitive information probably shouldn't be shared over a text message, some folks might end up doing it anyway. And while it's interesting to note that this problem has apparently been around since the original iPhone's debut but hasn't been exploited or even noticed until now, it's still something that Apple should probably look into. The company hasn't commented on the matter, but we'll give you a heads-up if it does.
UPDATE: Apple has responded to the issue, explaining that addresses are verified in iMessages to protect against this type of spoofing. The company goes on to say that customers sending messages over SMS rather than iMessage should be "extremely careful" if they're being sent to an unknown address. Apple's full statement, sent to Engadget, is as follows:
"Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
- Log in to post comments