iOS SMS spoofing flaw revealed by security researcher

17 Aug 2012

A French security researcher called Pod2G has claimed to have discovered a new flaw that lets hackers spoof their identities via SMS messages and ask for private information by pretending to be the victim’s bank.

Pod2G pointed out in his blog that when a user sends a text message it is converted to PDU (Protocol Description Unit) as it travels through the telecoms networks. PDU allows different types of files to be transported via the network, such as text messages, Flash SMS and voice mail alerts.

Anyone who owns a smartphone or a modem and an account in an SMS gateway can send texts in raw PDU format.

Pod2G claims to have discovered a flaw in the iPhone that provides the option of altering the reply address of the text.

“In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text.

“If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

“Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin,” he said in the blog.

Pod2G warns that pirates could send a message that appears to come from the iPhone owner’s bank asking for private information or inviting them to a dedicated website, send a spoof message to the user’s device that could be used as false evidence or be used in general to manipulate people.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years