Newly Exposed iOS SMS Vulnerability Could Lead To Spoofing

Pod2G is a prominent iOS hacker and security expert, who just revealed on his blog a major and long-standing security flaw in iOS. This flaw has apparently existed since iOS implemented SMS, and still exists in the current iOS 6 beta, and Pod2G has implored Apple to fix it.

What he’s unearthed is a way of changing the UDH (User Data Header) so that it looks like the SMS is coming from a known and legitimate number. In the UDH you can select what the “reply to” number is, even if it doesn’t actually get replied to that, and that number is all that iOS displays. So you get a text message from a number you recognize and trust (say, your carrier, bank, or loved one), and when you reply, it gets redirected to the spammer. It would look legit, and you’d have no idea that it was coming from a fake source.

Pod2G explains it:

In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

Most carriers don’t check this part of the message, which means one can write whatever he wants in this section : a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.

Here’s hoping Apple picks up on this, and is able to patch the flaw — because now that Pod2G has described it (even without technical details), you know someone will be trying to replicate it.[via BGR]