A security flaw has been discovered in iOS that could leave iPhone users open to phishing attacks delivered over SMS.
Unearthed by jailbreaking-cum-security expert ‘pod2g’ – or Cyril, as he’s known to his mum – the bug lets an attacker send text messages to affected handsets that appear to come from someone else. The root of it is the optional ‘UDH (User Data Header)’ section of an SMS.
The SMS standard lets the sender of a message set a reply address in the UDH that differs from the number the message was actually sent from. When you open a text on a modern smartphone such as the iPhone, only one identity is shown: the reply-to number, or the contact name it resolves to. Because an attacker controls that field, you could receive messages that look as if they came from your bank or, worse, from your wife or girlfriend.
By replying to the message or following a link it might contain, you could be giving away sensitive information, charged premium rates or just very easily pranked.
In a blog post, pod2g wrote: "Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."
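To make the mechanism concrete, here is an added example (not code from the original article or from pod2g) that builds and decodes a UDH carrying a Reply Address Element, then renders the message two ways: the way pod2g describes the iPhone behaving, and the way he says a good implementation should. The layout assumed is the one in 3GPP TS 23.040 as I understand it: a UDH length byte followed by information elements of the form IEI, length, data, with IEI 0x22 being the Reply Address Element and its payload encoded like the originating address (digit count, type-of-address octet, swapped-nibble BCD digits). The phone numbers, the `Sms` container and the display functions are constructed for illustration.

```python
"""Decode an SMS User Data Header and surface a spoofed reply address.

Added illustration, not code from the original article or from pod2g.
Assumed layout (3GPP TS 23.040): UDH = UDHL byte, then information elements
encoded as IEI, IEDL, data. IEI 0x22 = Reply Address Element, whose data is
an address in TP-OA form: digit count, type-of-address, swapped-nibble BCD.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REPLY_ADDRESS_IEI = 0x22   # Reply Address Element (assumed per TS 23.040)
TOA_INTERNATIONAL = 0x91   # type-of-number = international, plan = ISDN
TOA_UNKNOWN = 0x81         # type-of-number = unknown (short codes like 911)


def encode_address(number: str, toa: int = TOA_INTERNATIONAL) -> bytes:
    """Digit count, type-of-address, then digits as swapped-nibble BCD (F pad)."""
    digits = number.lstrip("+")
    padded = digits + "F" if len(digits) % 2 else digits
    bcd = bytes(
        (int(padded[i + 1], 16) << 4) | int(padded[i], 16)
        for i in range(0, len(padded), 2)
    )
    return bytes([len(digits), toa]) + bcd


def decode_address(data: bytes) -> str:
    """Inverse of encode_address; prefixes '+' when type-of-number is international."""
    n, toa = data[0], data[1]
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data[2:])[:n]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def build_udh(elements: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(bytes([iei, len(d)]) + d for iei, d in elements)
    return bytes([len(body)]) + body


def parse_udh(udh: bytes) -> Dict[int, bytes]:
    """Walk the IE list; reject headers whose lengths do not add up."""
    if not udh or udh[0] + 1 > len(udh):
        raise ValueError("UDHL exceeds available bytes")
    elems, pos, end = {}, 1, 1 + udh[0]
    while pos < end:
        if pos + 2 > end:
            raise ValueError("dangling IE header")
        iei, iedl = udh[pos], udh[pos + 1]
        data = udh[pos + 2:pos + 2 + iedl]
        if len(data) != iedl or pos + 2 + iedl > end:
            raise ValueError("truncated information element")
        elems[iei] = data
        pos += 2 + iedl
    return elems


@dataclass
class Sms:
    originating_address: str  # TP-OA, set by the carrier: the real sender
    udh: bytes                # attacker-controlled header, passed through untouched
    text: str


def reply_address(sms: Sms) -> Optional[str]:
    ie = parse_udh(sms.udh).get(REPLY_ADDRESS_IEI)
    return decode_address(ie) if ie else None


def display_naive(sms: Sms) -> str:
    """The behaviour the article describes: the reply-to address is shown as the sender."""
    return f"From: {reply_address(sms) or sms.originating_address}"


def display_safe(sms: Sms) -> str:
    """Show the origin, and flag any reply address that differs from it."""
    reply_to = reply_address(sms)
    if reply_to is None or reply_to == sms.originating_address:
        return f"From: {sms.originating_address}"
    return f"From: {sms.originating_address} (replies go to {reply_to}: possible spoof)"


# Constructed sample: attacker at +15555550123 claims to be a bank short code.
SPOOFED_SMS = Sms(
    originating_address="+15555550123",
    udh=build_udh([(REPLY_ADDRESS_IEI, encode_address("+18005551234"))]),
    text="Your account is locked, reply with your PIN to unlock.",
)
# Constructed sample: same attacker, reply address set to 911 as in pod2g's post.
EMERGENCY_SPOOF_SMS = Sms(
    originating_address="+15555550123",
    udh=build_udh([(REPLY_ADDRESS_IEI, encode_address("911", TOA_UNKNOWN))]),
    text="Call us back immediately.",
)
HONEST_SMS = Sms(originating_address="+15555550123", udh=build_udh([]), text="Hi")

if __name__ == "__main__":
    for sms in (SPOOFED_SMS, EMERGENCY_SPOOF_SMS, HONEST_SMS):
        print(display_naive(sms), "|", display_safe(sms))
```

The point of the two display functions is the one pod2g makes: the originating address arrives from the carrier's SMSC, while the reply address is whatever the sender wrote into the UDH, so a client that shows only the latter lets the sender choose its own caller ID. `parse_udh` also refuses headers whose element lengths overrun the declared UDHL, which is the kind of check a message parser should make before trusting anything inside.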
Apple has already responded to the issue, saying the problem lies in how SMS works rather than in iOS, and has warned users to pay extra attention to messages that seem a bit fishy.
"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone.
"We urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
Pod2g has called on Apple to fix the bug, still present in iOS 6 beta 4, before the new operating system is officially rolled out. At a minimum, iOS should show the originating number alongside the reply-to name when a message is opened, so the two can be compared.
If you're receiving suspicious text messages or have been duped by one, you might like to let your network know.
You can also report unwanted texts by forwarding them to 7726, which spells SPAM on a phone keypad. Once enough reports come in, the network can block the sender.