A potentially damaging security flaw in Apple’s iOS operating system has been uncovered, with researchers suggesting it could result in SMS spoofing.
Details of the issue were uncovered by an Apple iOS researcher going by the name of pod2g, who described the flaw as "severe," and suggested that other security experts are almost certainly aware of the problem.
According to pod2g, the flaw affects text messages and could results in SMS spoofing, meaning users could be exposing personal data to a cyber criminal. Pod2g said the flaw is in the way iOS displays text messages because it does not clearly state the source of a text.
Using the protocol description unit (PDU) form, the raw format in which a text is sent across a network, it is possible to change certain details of the text.
This is done through the user data header (UDH), pod2g said. This means that if the user replies he or she could be sending the text to any number the attacker wishes, rather than the one displayed at the top of the message.
Pod2g uses the example of a text appearing to be from a bank or even a user’s contact.
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "On the iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."
In response to the flaw, Apple has suggested that users should send messages through its iMessage platform, rather than by text. "Apple takes security very seriously," said an Apple statement released to Engadget. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."
"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS," Apple added.
