August 20, 2012

Researcher exposes iOS SMS flaw

Careful what you say on texts, you may not be replying to the correct person...

By Steve Evans

A potentially damaging security flaw in Apple’s iOS operating system has been uncovered, with researchers suggesting it could result in SMS spoofing.

Details of the issue were uncovered by an Apple iOS researcher going by the name of pod2g, who described the flaw as "severe," and suggested that other security experts are almost certainly aware of the problem.

According to pod2g, the flaw affects text messages and could result in SMS spoofing, meaning users could be exposing personal data to a cyber criminal. Pod2g said the flaw is in the way iOS displays text messages because it does not clearly state the source of a text.

Using the protocol description unit (PDU) form, the raw format in which a text is sent across a network, it is possible to change certain details of the text.

This is done through the user data header (UDH), pod2g said. This means that if the user replies he or she could be sending the text to any number the attacker wishes, rather than the one displayed at the top of the message.

Pod2g uses the example of a text appearing to be from a bank or even a user’s contact.

"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "On the iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."


In response to the flaw, Apple has suggested that users should send messages through its iMessage platform, rather than by text. "Apple takes security very seriously," said an Apple statement released to Engadget. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."

"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS," Apple added.
