
iOS glitch enables SMS scams to appear legitimate

A French hacker known as pod2g has identified a text-based iOS glitch that allows scammers to spoof their identities and make it look like text messages are coming from legitimate sources.

In a Friday blog post, pod2g said he considers the flaw to be "severe" even though it doesn't involve code execution. It affects all versions of iOS, even the most recent beta of iOS 6. "Apple: please fix this before the final release," pod2g wrote.

At issue is a section of a text message payload known as the User Data Header (UDH), which includes a number of advanced features. One of those features allows the user to change the reply address of the text. You can send a text from your iPhone, for example, but if the person replies, it'll get sent to your Galaxy S3.

When the option works correctly, pod2g said, the text message recipient will be able to see that they are responding to a different phone number. The recipient phone should either display the secondary number, or "in a good implementation of this feature," pod2g wrote, the original phone number and the new phone number.

"On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin," according to pod2g.
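As an added illustration (not code from pod2g or Apple), here is how a receiving client could parse the UDH and build a sender line that keeps the originating number visible alongside the reply-to number, as the "good implementation" described above would. It assumes the reply address is carried in information element 0x22 and encoded as a standard numeric address field per 3GPP TS 23.040; the function names and the sample bytes and phone numbers are constructed for this example.

```python
REPLY_ADDRESS_IEI = 0x22  # assumption: Reply Address Element IEI, 3GPP TS 23.040

def parse_udh(udh: bytes) -> dict:
    """Split a User Data Header (first octet is its length) into {IEI: data}."""
    if not udh or udh[0] > len(udh) - 1:
        raise ValueError("UDH length octet exceeds available data")
    elements, pos, end = {}, 1, 1 + udh[0]
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated information element header")
        iei, length = udh[pos], udh[pos + 1]
        if pos + 2 + length > end:
            raise ValueError("information element overruns the UDH")
        elements[iei] = udh[pos + 2:pos + 2 + length]
        pos += 2 + length
    return elements

def decode_address(field: bytes) -> str:
    """Decode a numeric address: digit count, type-of-address, nibble-swapped BCD."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, type_of_number = field[0], (field[1] >> 4) & 0x7
    if type_of_number == 0x5:
        raise ValueError("alphanumeric addresses are not decoded here")
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in field[2:])
    if len(digits) < ndigits:
        raise ValueError("fewer digits than the length octet declares")
    return ("+" if type_of_number == 0x1 else "") + digits[:ndigits]

def sender_label(originator: str, udh: bytes) -> str:
    """Build the sender line so a reply-to number never hides the originator."""
    reply = parse_udh(udh).get(REPLY_ADDRESS_IEI)
    if reply is None:
        return originator
    reply_to = decode_address(reply)
    if reply_to == originator:
        return originator
    return f"{originator} (replies go to {reply_to})"

# Constructed sample: a concatenation element (IEI 0x00) followed by a reply
# address element carrying the fictitious number +15550100.
SAMPLE_UDH = bytes.fromhex("0d 00 03 5a 02 01 22 06 08 91 51 55 10 00")

if __name__ == "__main__":
    print(sender_label("+15550199", SAMPLE_UDH))
```

A malformed header raises `ValueError` rather than being displayed, so a client using this logic would fall back to showing only the originating address.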

This is problematic because it could allow the scammer to send you a text message that appears to be from your bank with a link that asks you to click and verify account information. If it appears to be coming from a legitimate bank phone number, it's probably OK, no? Not necessarily. It's probably a phishing link that could steal your personal data.

"Now you are alerted. Never trust any SMS you received on your iPhone at first sight," pod2g concluded.

The blog post did not indicate if pod2g had alerted Apple to the flaw. When asked about it, Apple said that it "takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."