We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

iPhone Flaw Allows SMS Spoofing, Says Hacker

Hacker claims iPhone is vulnerable to spoofed text messages that could be used in phishing attacks.

A hacker known for jailbreaking Apple devices claims that the iPhone is vulnerable to text message spoofing, even in the latest beta of iOS 6.

According to pod2g, this issue could allow scammers to send people to phishing Websites under the guise of a financial institution, or allow criminals to plant spoofed messages as false evidence on other peoples' phones. It also opens up other types of manipulation where the recipient thinks a message is coming from a trusted source.

As pod2g explains, all text messages are converted to a format called Protocol Description Unit, which spells out the many types of information an SMS needs to reach its destination. One of these information types is the UDH (User Data Header) indicator, which allows the user to change the reply address of the message.

The problem with the iPhone is that when the sender specifies a reply-to number this way, the recipient doesn't see the original phone number in the text message. That means there's no way to know whether a text message has been spoofed or not.

"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g wrote. "On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin."

Other Handsets No Stranger to Spoofing

In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of Websites offer SMS spoofing as a service, one that isn't limited to Apple's handsets. The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn't show the original address. It's not clear how many other phones on the market only show the reply-to number, and not the original.

Also worth noting: This flaw can only trick people into thinking a message comes from a trusted source. Any replies to that message would go to the contact who's being spoofed, so there's no danger of giving up sensitive information to a malicious source solely via text message.

In a blog post, pod2g says he will soon publicize a tool for the iPhone 4 that sends messages in raw PDU format, which will demonstrate the vulnerability. In the meantime--and as always--avoid following Web links from text messages that ask for logins, banking details or other sensitive information.

Follow Jared on Twitter, Facebook or Google+ for even more tech news and commentary.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model