According to pod2g, this issue could allow scammers to send people to phishing Websites under the guise of a financial institution, or allow criminals to plant spoofed messages as false evidence on other peoples’ phones. It also opens up other types of manipulation where the recipient thinks a message is coming from a trusted source.
As pod2g explains, all text messages are converted to a format called Protocol Description Unit, which spells out the many types of information an SMS needs to reach its destination. One of these information types is the UDH (User Data Header) indicator, which allows the user to change the reply address of the message.
The problem with the iPhone is that when the sender specifies a reply-to number this way, the recipient doesn’t see the original phone number in the text message. That means there’s no way to know whether a text message has been spoofed or not.
“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one,” pod2g wrote. “On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.”
Other Handsets No Stranger to Spoofing
In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of Websites offer SMS spoofing as a service, one that isn’t limited to Apple’s handsets. The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn’t show the original address. It’s not clear how many other phones on the market only show the reply-to number, and not the original.
Also worth noting: This flaw can only trick people into thinking a message comes from a trusted source. Any replies to that message would go to the contact who’s being spoofed, so there’s no danger of giving up sensitive information to a malicious source solely via text message.
In a blog post, pod2g says he will soon publicize a tool for the iPhone 4 that sends messages in raw PDU format, which will demonstrate the vulnerability. In the meantime–and as always–avoid following Web links from text messages that ask for logins, banking details or other sensitive information.
Follow Jared on Twitter, Facebook or Google+ for even more tech news and commentary.