An iOS security researcher has discovered a significant flaw in Apple’s operating system, detailing a vulnerability that has apparently existed in the platform since the launch of the first iPhone in 2007 through to the latest beta release of iOS 6.
The fault effects the way iPhones handle SMS messages, making it possible to send a text to someone with a false return number on it. According to the researcher (known publicly as pod2g) malicious attackers can exploit this feature to send messages that appear to be from a trusted source, while in truth any replies to the SMS would be routed to a separate phone number without the sender’s knowledge.
For instance, if someone receives a text that appears to be from their bank, and sends a response that they believe is going to their bank, it could potentially go to a completely different number, if the message has been compromised.
Not Just the iPhone
Yet, pod2g warns that the iPhone is not the only device susceptible to this unfortunate feature, explaining that if the destination mobile is compatible with the option for users to change the reply address of a text, then those handsets are at risk as well.
“In the text payload, a section called UDH (User Data Header) is optional, but defines a lot of advanced features not all mobiles are compatible with,” the jailbreaker explained. “One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.”
Pod2g has urged Apple to fix this flaw before releasing the final version of iOS 6 this fall and has cautioned users to be suspicious of any SMS messages asking for sensitive information, even if it’s from your mom!
An Apple spokesperson responded to pod2g’s comments in a statement sent to Engadget:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
Essentially, the company echoes pod2g’s warning: SMS is an inherently unsafe method of communication, no matter what type of phone is being used.