Text spoofing: it isn’t a new concept. In fact, hackers have been taking advantage of spoofing anything from IPs and phone numbers to emails and, yes, even text messages to trick the receiving party into believing the originating source is legitimate. Get a phone call from a number that looks like it’s your wireless carrier? You could be getting scammed into giving away valuable information. Now, it appears that there’s a major iOS security flaw, which is even prevalent in the latest iOS 6 beta builds, that enables the same sort of deception.
According to iOS security researcher pod2g, the flaw has existed in iOS since it’s initial release. It allows the would-be hacker to change the User Data Header (UDH) section in an SMS payload so that the reply address of the text message can be customized. “If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specific one,” pod2g explained in a recent report. “Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.” Imagine receiving a text message from, what appears to be, a trusted source asking for your bank account information and replying. Instead of going to, what you thought was the trusted receiver, the information would end up in the hands of a pirate.
If UDH is implemented properly, the original number is shown next to the reply-to phone number. That would be a dead giveaway that a potential attack is underway. However, pod2g said that on the iPhone, “when you see the message, it seems to come from the reply-to number, and you lose track of the origin.” The final warning? “Never trust any SMS you received on your iPhone at first sight.”
pod2g said he doesn’t think he’s the only one aware of the bug and that he plans to publish additional information. Hopefully Apple addresses the issue in a future update, especially since the Department of Justice and MIT have suggested the iPhone is super secure.
Scammers exist; in fact, we just dealt with one at our own office. Be careful out there.