iOS bug allows for spoofed text messages, creating a huge phishing security risk

If you own an iPhone, you may not be able to trust the text messages you are receiving. An iOS hacker going by the handle pod2g has pointed out a bug in iOS that allows for text messaging spoofing. In other words, it allows hackers — and what not — to make a text message appear from someone whom it actually isn’t from.

What happens with this bug is a message is sent in raw Protocol Description Unit (PDU) format with a modified User Data Header (UDH) that contains a different “reply” number than the number actually sending the message. The iPhone then shows the manually added “reply” number as the number that is sending the text message as opposed to marking the message to whom it really comes from, the number that is actually sending the message. In other words, someone can send a text message to an iPhone from number 555-555-5555 but set the UDH to display number 666-555-555 and the iPhone will display the text message as being from 666-555-5555 instead of 555-555-5555.

According to pod2g, this bug can be exploited by anyone with smartphone or a modem and an SMS gateway. pod2g says he/she will release an iPhone 4 app soon that allows users to spoof text messages using this exploit.

The most significant concern with this bug relates to phishing. Malicious scumbags could potentially spoof a text message to appear as if it is coming from a trusted contact and in that message ask for the person reading the text message to visit a URL or contact a number and provide confidential information. Since this number would appear to be from a trusted contact, or potentially even a law enforcement agency, many people are likely to be fooled into complying with the request. Other potential consequences of this bug are pranks or manufactured evidence.

As security researcher Jon Oberheide told ArsTechnica, this bug isn’t necessarily unique to the iPhone — it is platform independent, for the most part:

SMS spoofing isn’t difficult and often occurs independent of what phone/platform the user is using.

The issue with iOS and iPhone, however, is what is mentioned above — the iPhone does not properly differentiate between the real “from” number and the manually added “reply” number; the iPhone shows the manually added “reply” number as the “from” number. To add salt to the wound, this bug has been around in iOS for a while and is still present in iOS 6 Beta 4, the latest version of iOS at the time of this writing.

On the bright side, as ArsTechnica points out, this bug doesn’t appear to have any code execution exploits so it likely doesn’t allow hackers to remotely access, modify, or control iPhones. Still, though, if a person can’t trust his or her text messages…

[via ArsTechnica]

Related Posts