SecureState Blog


An SMS spoofing flaw that affects every version of Apple’s iOS has recently been uncovered by security researcher “pod2g”, who claims the flaw has existed since the first iPhone was launched in 2007. Using this flaw, an attacker could potentially spoof their identity in text messages. By impersonating a trusted user, the attacker could then send a message asking for private information.

The victim would think they were simply replying to the sender that is displayed; however, the reply would be routed to a different number without the victim’s knowledge. This attack exists because the User Data Header (UDH) contains an option that lets the sender change the reply address of the text. For the attack to succeed, the malicious party would need to know the name of a contact that exists within the victim’s phone book.

Below is Apple’s response:

“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”

Two immediate fixes Apple could push out would be to display the originating number, or at least to alert the user when the reply-to number does not match the originating number. With no immediate fix or update coming in the near future, the SecureState Research and Innovation Team recommends that iPhone users exercise caution when sending or receiving text messages and install new security updates from Apple.
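
The second check suggested above can be sketched as follows. This is an added example, not code from SecureState, Apple or pod2g: it parses a received SMS-DELIVER TPDU, reads the originating address and any UDH Reply Address Element, and flags a mismatch. The function names and the sample PDUs (fictional numbers, no SMSC prefix) are constructed for illustration, and the element identifier 0x22 is taken from 3GPP TS 23.040, not from the post.

```python
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element identifier (3GPP TS 23.040)

# Constructed SMS-DELIVER TPDUs (no SMSC prefix); numbers are fictional.
PDU_WITH_REPLY_ADDR = ("44" "0B915155550501F0" "00" "04" "21807121000000"
                       "0D" "0A" "2208" "0B915155550591F9" "6869")
PDU_PLAIN = "04" "0B915155550501F0" "00" "04" "21807121000000" "02" "6869"


def decode_address(buf, pos):
    """Decode an address field: digit count, type-of-address, swapped BCD."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    if len(raw) < nbytes:
        raise ValueError("truncated address field")
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]
    prefix = "+" if (toa >> 4) & 0x07 == 1 else ""  # TON 1 = international
    return prefix + digits, pos + 2 + nbytes


def check_sms_deliver(pdu_hex):
    """Return (originating, reply_to, mismatch) for one SMS-DELIVER TPDU."""
    buf = bytes.fromhex(pdu_hex)
    first = buf[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    origin, pos = decode_address(buf, 1)      # TP-OA
    pos += 1 + 1 + 7 + 1                      # TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply_to = None
    if first & 0x40:                          # TP-UDHI: user data begins with a UDH
        end = pos + 1 + buf[pos]              # UDHL counts the octets after itself
        if end > len(buf):
            raise ValueError("truncated user data header")
        p = pos + 1
        while p + 2 <= end:                   # walk IEI / IEDL / data triplets
            iei, iedl = buf[p], buf[p + 1]
            if p + 2 + iedl > end:
                raise ValueError("information element overruns header")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf, p + 2)
            p += 2 + iedl
    mismatch = reply_to is not None and reply_to != origin
    return origin, reply_to, mismatch


if __name__ == "__main__":
    for pdu in (PDU_WITH_REPLY_ADDR, PDU_PLAIN):
        origin, reply_to, mismatch = check_sms_deliver(pdu)
        print(origin, reply_to, "ALERT: reply-to differs" if mismatch else "ok")
```

A message whose reply address equals its originating address is not flagged, so the check only fires on the redirect the post describes.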