October 24, 2014

Will Apple fix SMS spoofing flaw before iOS 6 is released?

(LiveHacking.Com) – As demonstrated many times, social engineering is a key method used by hackers to solicit personal information from victims. Now, because of a newly discovered SMS spoofing flaw on the iPhone, users need to be extra careful about trusting text messages they receive on their phones.

Security researcher “pod2g” has found a serious flaw in the way iOS processes SMS messages that leaves iPhone users open to spoofing.

This means that an attacker can spoof messages from a victim’s bank asking them for some private information, or linking to a phishing website and, because of the flaw, the message looks genuine. False messages can also be sent to a device and used as false evidence. In fact, pod2g writes that the spoofing can be used to do “anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization [that] texted them.”

This flaw has existed since 2007, when the first iPhone was released, and still hasn’t been addressed as of iOS 6 beta 4.

SMS messages are converted to complex PDU (Protocol Description Unit) packets for delivery. As part of the payload, a section called UDH (User Data Header) allows the sender to add a reply-to number. If included, any replies written by the receiver will be sent to that number rather than the original number.

The problem with the iPhone SMS app is that the reply-to address is displayed rather than the genuine originator number. This means a message can be sent from one device and made to look like it came from another. What should happen is that, if the reply-to and originator numbers are different, both should be shown or a warning displayed.
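The check described above can be sketched on the receiving side. This is an added example, not code from Apple or pod2g: it parses a received (SMS-DELIVER) PDU and reports when a reply address in the UDH differs from the originator. It assumes numeric addresses and that the reply-to number is carried in UDH information element 0x22 (the Reply Address Element in 3GPP TS 23.040); the function names, sample PDUs and phone numbers are constructed for illustration.

```python
# Added example: compare the SMS-DELIVER originator (TP-OA) with a UDH reply address.
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" in 3GPP TS 23.040

# Constructed sample PDUs (fictitious numbers, empty SMSC field, 8-bit body "hi").
SPOOFED_PDU = "00440B915155550521F30004218071210000000D0A22080B915155550591F96869"
PLAIN_PDU = "00040B915155550521F3000421807121000000026869"

def decode_address(buf, pos):
    """Decode a numeric address field at buf[pos]; return (number, next_pos)."""
    digits, toa = buf[pos], buf[pos + 1]
    nbytes = (digits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    # Digits are nibble-swapped BCD; an odd count is padded with 0xF.
    number = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:digits]
    prefix = "+" if (toa >> 4) & 0x7 == 1 else ""  # type-of-number 1 = international
    return prefix + number, pos + 2 + nbytes

def inspect_deliver_pdu(hex_pdu):
    """Return originator, reply address (if any) and whether they differ."""
    buf = bytes.fromhex(hex_pdu)
    pos = 1 + buf[0]                      # skip SMSC length octet and SMSC info
    first = buf[pos]
    if first & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    originator, pos = decode_address(buf, pos + 1)
    pos += 1 + 1 + 7 + 1                  # TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply_to = None
    if first & 0x40:                      # TP-UDHI: user data starts with a header
        end = pos + 1 + buf[pos]          # UDHL counts the octets that follow it
        if end > len(buf):
            raise ValueError("truncated user data header")
        pos += 1
        while pos + 2 <= end:             # walk IEI / length / data triples
            iei, iedl = buf[pos], buf[pos + 1]
            if pos + 2 + iedl > end:
                raise ValueError("truncated UDH element")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf, pos + 2)
            pos += 2 + iedl
    mismatch = reply_to is not None and reply_to != originator
    return {"originator": originator, "reply_to": reply_to, "mismatch": mismatch}

if __name__ == "__main__":
    for pdu in (SPOOFED_PDU, PLAIN_PDU):
        info = inspect_deliver_pdu(pdu)
        note = "WARNING: reply-to differs from sender" if info["mismatch"] else "ok"
        print(info["originator"], info["reply_to"], note)
```

A message client or gateway filter could use the `mismatch` flag to show both numbers or a warning instead of silently displaying the reply address.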

Tools for sending raw PDU messages exist for smartphones and even online, meaning that these fake messages are relatively easy to generate.

“Apple takes security very seriously,” representatives from the Cupertino, Calif.-based company told The Verge on Saturday. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.”

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” wrote pod2g.

The question now remains, will Apple fix this before iOS 6 is released?