pod2g, the iOS hacker known for discovering the vulnerabilities used in the Absinthe jailbreak for iOS 5.1.1, has discovered a major security flaw in the iPhone that can be used to spoof SMS messages and make them appear to come from another person’s mobile phone.
pod2g has provided the following details about the flaw on his blog:
An SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.
PDU is a protocol that is pretty dense, allowing different types of messages to be emitted. Some examples: SMS, Flash SMS, Voice mail alerts, EMS, …
The specification is large and pretty complex. As an example, just to code the data, there are multiple possible choices: 7bit, 8bit, UCS2 (16bit), compressed or not, … [..]
[..] In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.
Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.
pod2g believes that this security flaw has been present ever since Apple launched the iPhone and is present even in the latest beta version of iOS 6 that was seeded to developers last week.
pod2g goes on to add that the best way to address this issue is to display the original phone number along with the reply-to number.
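The PDU and UDH mechanics pod2g describes, and the mitigation he proposes (show the original number next to the reply-to number), can be made concrete with a small parser. The following is an added example, not pod2g's code and not anything Apple ships: it decodes an SMS-DELIVER PDU following the 3GPP TS 23.040 layout, pulls the sender out of TP-OA, looks for a Reply Address Element (IEI 0x22) in the UDH, and flags the message when the two numbers differ. The two PDU hex strings are constructed for this example; the GSM 7-bit decoder maps only the ASCII-compatible part of the default alphabet, which is an assumption made to keep the block short.

```python
"""Decode an SMS-DELIVER PDU and surface any UDH reply address (added example)."""

# GSM 03.38 default-alphabet positions that do not match ASCII; shown as '?'.
# Assumption: the example only needs the ASCII-compatible subset.
_GSM_NON_ASCII = {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60,
                  0x7B, 0x7C, 0x7D, 0x7E}


def _parse_address(buf: bytes, pos: int):
    """Parse a TS 23.040 address field: digit count, type-of-address, BCD digits.
    Returns (number, position after the field)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    if (toa & 0x70) == 0x50:            # alphanumeric sender: not decoded here
        number = "<alphanumeric>"
    else:                               # nibble-swapped BCD, 'f' pads an odd count
        number = "".join(f"{b & 0xF:x}{b >> 4:x}" for b in raw)[:ndigits]
        if (toa & 0x70) == 0x10:        # international numbering plan
            number = "+" + number
    return number, pos + 2 + nbytes


def _decode_7bit(ud: bytes, bit_offset: int, nsept: int) -> str:
    """Unpack GSM 7-bit septets from an LSB-first bit stream."""
    stream = int.from_bytes(ud, "little")
    out = []
    for i in range(nsept):
        sept = (stream >> (bit_offset + 7 * i)) & 0x7F
        out.append(chr(sept) if 0x20 <= sept < 0x7F and sept not in _GSM_NON_ASCII else "?")
    return "".join(out)


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Return sender, UDH reply-to (if any), text and a mismatch flag."""
    buf = bytes.fromhex(pdu_hex)
    pos = 1 + buf[0]                    # skip the length-prefixed SMSC address
    first = buf[pos]
    pos += 1
    if first & 0x03 != 0x00:            # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)           # TP-UDHI: a User Data Header is present
    sender, pos = _parse_address(buf, pos)
    dcs = buf[pos + 1]
    pos += 2 + 7                        # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    udl = buf[pos]
    pos += 1
    ud = buf[pos:]

    reply_to, udh_len = None, 0
    if udhi:
        udh_len = ud[0] + 1             # UDHL byte plus the header itself
        i = 1
        while i < udh_len:
            iei, iedl = ud[i], ud[i + 1]
            if iei == 0x22:             # Reply Address Element, coded like TP-OA
                reply_to, _ = _parse_address(ud, i + 2)
            i += 2 + iedl

    if (dcs & 0xC0) == 0x00:            # general data coding: bits 3-2 give the alphabet
        alphabet = (dcs >> 2) & 0x03    # 0 = 7-bit, 1 = 8-bit, 2 = UCS2
    elif (dcs & 0xF0) == 0xF0:          # data coding/message class group: bit 2 only
        alphabet = (dcs >> 2) & 0x01
    else:
        raise ValueError("unsupported TP-DCS")

    if alphabet == 0:
        offset = udh_len * 8
        offset += (7 - offset % 7) % 7  # fill bits up to the next septet boundary
        text = _decode_7bit(ud, offset, udl - offset // 7)
    elif alphabet == 1:
        text = ud[udh_len:udl].decode("latin-1")
    elif alphabet == 2:
        text = ud[udh_len:udl].decode("utf-16-be")
    else:
        raise ValueError("reserved alphabet")

    return {"sender": sender, "reply_to": reply_to, "text": text,
            "reply_mismatch": reply_to is not None and reply_to != sender}


# Constructed sample: 8-bit text from +15551234567 whose UDH asks replies to go
# to +15559876543 (no SMSC, TP-UDHI set, Reply Address Element 0x22 in the UDH).
SPOOFED_PDU = ("00" "44" "0B91" "5155214365F7" "00" "04" "21807121030000"
               "17" "0A" "22" "08" "0B91" "5155896745F3"
               "5265706C7920706C65617365")

# Constructed sample: plain 7-bit "hellohello" from the same sender, no UDH.
PLAIN_PDU = ("00" "04" "0B91" "5155214365F7" "00" "00" "21807121030000"
             "0A" "E8329BFD4697D9EC37")

if __name__ == "__main__":
    for pdu in (SPOOFED_PDU, PLAIN_PDU):
        m = parse_sms_deliver(pdu)
        flag = "  <-- reply-to differs from sender" if m["reply_mismatch"] else ""
        print(f"from {m['sender']}  reply-to {m['reply_to']}  text {m['text']!r}{flag}")
```

A handset UI following pod2g's suggestion would render both `sender` and `reply_to` whenever `reply_mismatch` is set; the carrier-side equivalent is to drop or rewrite a Reply Address Element that does not match the originating address.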
He hopes that Apple will fix this security flaw before iOS 6 is released later this fall as he is pretty confident that “some pirates” know about this security flaw and could misuse it.
Until the security flaw is fixed, pod2g advises users to “never trust any SMS you received on your iPhone at first sight.”