Hacker discovers iPhone SMS spoofing issue, asks Apple to fix for iOS 6An independent security researcher in the UK has publicized an iPhone SMS spoofing issue that he hopes Apple will address in iOS 6.
According to a blog posting by "pod2g" the way iOS handles SMS messages supports transmission of optional, advanced features in the SMS specification's User Data Header, including a "reply to" address.
Not all phones support these features, and "most carriers don't check this part of the message, which means one can write whatever he wants in this section," the hacker writes. This would apparently limit the audience of SMS spoofing largely to iPhone users.
Because the iPhone only displays the "reply to" address of incoming SMS messages, there's no way for users to verify the identity of the depicted sender, or to determine if it has been sent from someone other than the displayed phone number (unless the message is delivered via Apple's iMessage, which is both encrypted and unaffected by the SMS flaw because it is not an SMS).
In describing the SMS issue, Pod2g says "I consider [the flaw] to be severe, while it does not involve code execution."
A malicious user could send "spoofed" SMS messages that appear to come from another source (which is routinely done with email spam, as the standard email specification does not authenticate parties in header data either), falsely appearing to come from a friend or trusted source (such as a bank) for example.
The hacker asks Apple to address this issue before releasing iOS 6, noting that this behavior is still present in the latest, fourth developer beta of iOS 6.
On Topic: iPhone
- 'iPhone 7' might replace 3.5mm headphone jack with second speaker, analysts say
- AT&T lays plans to begin testing 5G data in 2016, brings back 2-for-1 iPhone deal
- Apple captured 21% of smartphone processors, 31% of tablet CPUs in 2015
- TestFlight gets support for iOS 9.3, watchOS 2.2 betas
- FBI complains it can't break encryption on phone used by San Bernardino terrorists