Last week, jailbreak developer “pod2g” announced the discovery of a “severe” security flaw in SMS text messages on iOS. A vulnerability inherent to the legacy messaging format allows nefarious users to spoof the message’s sender and possibly trick recipients into responding with personal or financial information.
The flaw takes advantage of the ability to modify an SMS data header, a small piece of text that is optionally included with an SMS message that includes, among other information, a reply-to number. Hackers can easily modify the header to include a different reply-to number and make it appear to recipients that the message was sent by someone else, be it a financial institution, government, or business colleague.
Some SMS software shows the user the header information, including both the number that originally sent the message and the reply-to number. However, on every iPhone since the product’s launch, and persisting through the latest betas of iOS 6, only the reply-to number is visible to the end user.
“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin,” pod2g wrote in describing the flaw.
For its part, Apple responded to the announcement of the flaw, suggesting that users switch to its iMessage protocol, something that mobile carriers, which derive a significant amount of revenue from overpriced SMS fees, surely failed to appreciate. An Apple spokesperson gave the following statement to Engadget Saturday:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
While Apple is happy to refer SMS users to its free iMessage alternative, the reality is that iOS users still need to communicate with SMS users on other platforms and that moving exclusively to iMessage is not a viable solution for most iOS owners. It is in this context that pod2g and others are imploring Apple to fix the way iOS handles SMS messaging.
Until Apple does so, iPhone owners should exercise caution in responding to SMS messages that request personal or financial information.
Teaser graphic via Shutterstock.