A security researcher specializing in Apple’s iOS platform today outlined a method to spoof SMS messages on the iPhone. This could allow text messages to be sent that appear to come from another source, which makes the flaw well suited to phishing scams. For example, a message could be sent that appears to come from a customer’s bank and asks for private account information.
The researcher, known as pod2g, stated in his blog post that the security flaw affects every version of iOS, including the latest beta of iOS 6. He implored Apple to patch it, fearing that some attackers already know of the flaw.
Pod2g explained that SMS messages are converted into Protocol Description Unit (PDU) form before being sent. The flaw is reachable by anyone with an account at an SMS gateway that accepts texts in raw PDU format. He stated that tools to do this already exist online, and that he has written one for the iPhone 4 himself. Pod2g explains the next step in his blog post:
In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features that not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one. Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.
The reason this works on an iPhone, pod2g states, is that the iPhone displays a text as coming from the reply-to number rather than the originating number. He suggests that Apple change its SMS implementation to show both the original number and the reply-to number.
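The following is an added example written for this article; it is neither pod2g’s tool nor Apple’s code. It implements the receiving side of the fix he proposes: decode an incoming SMS-DELIVER PDU far enough to recover both the originating address (TP-OA) and any UDH reply-address element, then render a sender line that shows both and marks the reply-to number as unverified when it differs. It assumes, from my reading of 3GPP TS 23.040, that the reply-address information element uses IEI 0x22 and carries an address field (digit count, type-of-address octet, reversed-nibble BCD digits); only the 8-bit data coding scheme is handled, to keep the body decoding short. The two PDUs at the bottom are constructed for the example and use fictitious numbers.

```python
"""Decode an SMS-DELIVER PDU and surface both the originating number and
any User Data Header (UDH) reply address, so a message display can flag a
mismatch instead of silently trusting the reply-to number.

Assumptions (from 3GPP TS 23.040, as recalled): reply-address IEI is 0x22
and its data is an address field: digit count, type-of-address, BCD digits.
"""
from dataclasses import dataclass
from typing import Optional

REPLY_ADDRESS_IEI = 0x22  # UDH "Reply Address Element" (assumed value)
TP_UDHI = 0x40            # first-octet bit: a user data header is present


def _decode_address(toa: int, bcd: bytes, ndigits: int) -> str:
    """Unpack reversed-nibble BCD digits; '+' prefix for international TOA."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in bcd)
    digits = digits[:ndigits].rstrip("f")  # drop the 0xF pad nibble, if any
    international = (toa & 0x70) == 0x10
    return ("+" if international else "") + digits


def _find_reply_address(udh: bytes) -> Optional[str]:
    """Walk the UDH information elements and return the reply address, if set."""
    pos = 0
    while pos + 2 <= len(udh):
        iei, iedl = udh[pos], udh[pos + 1]
        ied = udh[pos + 2:pos + 2 + iedl]
        pos += 2 + iedl
        if iei == REPLY_ADDRESS_IEI and len(ied) >= 2:
            ndigits, toa = ied[0], ied[1]
            return _decode_address(toa, ied[2:], ndigits)
    return None


@dataclass
class DeliverInfo:
    smsc: str
    originating: str
    reply_address: Optional[str]
    text: str

    @property
    def reply_mismatch(self) -> bool:
        """True when a reply address is present and differs from the sender."""
        return self.reply_address is not None and self.reply_address != self.originating


def parse_sms_deliver(pdu_hex: str) -> DeliverInfo:
    pdu = bytes.fromhex(pdu_hex)
    pos = 0
    # SMSC address: length counts the TOA octet plus the BCD octets
    smsc_len = pdu[pos]
    pos += 1
    smsc = _decode_address(pdu[pos], pdu[pos + 1:pos + smsc_len], (smsc_len - 1) * 2)
    pos += smsc_len
    first = pdu[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    # TP-OA: length in digits, TOA, then ceil(digits / 2) BCD octets
    oa_digits = pdu[pos]
    pos += 1
    oa_octets = (oa_digits + 1) // 2
    originating = _decode_address(pdu[pos], pdu[pos + 1:pos + 1 + oa_octets], oa_digits)
    pos += 1 + oa_octets
    dcs = pdu[pos + 1]          # TP-PID at pos, TP-DCS at pos + 1
    pos += 2
    pos += 7                    # TP-SCTS timestamp, not needed here
    udl = pdu[pos]
    pos += 1
    if (dcs & 0x0C) != 0x04:
        raise NotImplementedError("example handles 8-bit data coding only")
    ud = pdu[pos:pos + udl]
    reply_address = None
    body_start = 0
    if first & TP_UDHI:
        udhl = ud[0]
        body_start = 1 + udhl
        reply_address = _find_reply_address(ud[1:1 + udhl])
    text = ud[body_start:].decode("latin-1")
    return DeliverInfo(smsc, originating, reply_address, text)


def render_sender_line(info: DeliverInfo) -> str:
    """The display pod2g asks for: sender and reply-to shown side by side."""
    if info.reply_address is None:
        return f"From: {info.originating}"
    if not info.reply_mismatch:
        return f"From: {info.originating} (reply-to same as sender)"
    return f"From: {info.originating} [UNVERIFIED reply-to: {info.reply_address}]"


# Constructed sample PDUs (fictitious numbers, 8-bit body "hello").
PDU_WITH_REPLY_ADDRESS = (
    "059151550000"        # SMSC +15550000
    "44"                  # SMS-DELIVER, UDHI set
    "089151551000"        # TP-OA +15550100
    "00" "04"             # TP-PID, TP-DCS (8-bit data)
    "21807101000000"      # TP-SCTS
    "0e"                  # TP-UDL: 9 UDH octets + 5 body octets
    "082206089151552000"  # UDHL=8; IEI 0x22, len 6, address +15550200
    "68656c6c6f"          # "hello"
)
PDU_PLAIN = (
    "059151550000" "04" "089151551000" "00" "04" "21807101000000"
    "05" "68656c6c6f"
)

if __name__ == "__main__":
    for pdu in (PDU_WITH_REPLY_ADDRESS, PDU_PLAIN):
        info = parse_sms_deliver(pdu)
        print(render_sender_line(info), "|", info.text)
```

Running the block prints a sender line for each sample: the first carries a reply address that differs from the originating number and is rendered with the reply-to marked unverified; the second has no UDH and is rendered with the originating number only. A real handset would additionally have to honour the carrier’s own policy on whether the reply address may be trusted at all.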