iPhone SMS bug poses serious threat
Text messaging flaw bypasses Apple security says researcher
By Antone Gonsalves | CSO | Published: 09:41, 20 August 2012
A French hacker claims he has found a flaw in the iPhone text messaging service that bypasses Apple safeguards that check third-party apps.
The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said last week that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source.
Because the flaw does not involve code execution, an attacker does not need to get malware pass Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.
Related Articles on Techworld
Pod2g, a self-professed iPhone security researcher, said the flaw is "severe" and affects all current versions of iOS and iOS 6 beta 4. IOS is the iPhone and iPad operating system.
"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," he said.
Tyler Shields, a senior security researcher at Veracode, told Kaspersky Lab that the flaw needs attention.
"At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models," Shields said. "I would rate this attack a medium severity because it relies on tricking the user into doing something specific based on a falsified level of trust."
When a text message is sent through the iPhone SMS, the phone typically converts it to a protocol called Protocol Description Unit (PDU) before the carrier ships it to the telephone number of the recipient.
Within the text payload is a section called User Data Header (UDH) that enables someone to change the reply address of the text, pod2g said. An attacker could use this flaw to show a reply number that is different from where the responding text would actually go.
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin."
As a result, an attacker could send a message that seems to come from a bank or other trusted source. This would enable the criminal to either seek personal information or direct the recipient to a phishing website.