Security researcher exposes a five-year-old SMS flaw in iOS

Security researcher and iOS hacker pod2g has detailed a "serious" security flaw affecting all iPhones that he says could facilitate hackers or thieves to access your personal information. The flaw involves a malicious party spoofing the "reply" to number, essentially forcing you to send an SMS to a different number than the one you initially intended. According to pod2g, this flaw is present in all versions of iOS up to and including the latest iOS 6 beta 4.

The SMS flaw takes advantage of a feature in the PDU (Protocol Description Unit); the protocol handles the sending and receiving of various types of messages in mobile devices. Included in the message header, similar to an email header, are various pieces of information regarding the message, including the sender details. This feature, commonly utilized for automated messages from companies and carriers, can be exploited since carriers don't check for the validity of this information when used by third-parties. While all devices are capable of receiving these messages, iOS does not allow you to view the number that you're replying to. This enables a malicious sender to fake his identity, making you think that a trusted number is sending the SMS. Because the "reply-to" number is different to the number displayed, iOS would send your message to a hidden number without you realizing.

While this is an issue Apple should address, there isn't any immediate danger, as companies and financial institutions would never encourage sharing sensitive data over SMS. The researcher states that this could be used to impersonate your bank or incriminate you, but it's difficult to imagine a situation where a user would start divulging sensitive information through a text message. The fact that this flaw has been around since the dawn of iOS but wasn't exploited in a large enough scale to raise eyebrows, speaks volumes.

http://www.theverge.com/2012/8/17/3249192/ios-sms-security-flaw-phishing-pod2g
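The check the post says iOS lacks is simply: show the user the address a reply will actually go to, and flag it when it differs from the displayed sender. The parser below is an added example, not code from pod2g, The Verge or the poster. It decodes a GSM SMS-DELIVER PDU (Protocol Data Unit in 3GPP TS 23.040 terminology) into the originating address (TP-OA), the timestamp and the text, then walks the User Data Header for the reply address. That the reply address travels as UDH information element 0x22 ("Alternate Reply Address") formatted like any other address field is my reading of TS 23.040 and is labelled as an assumption; the two PDUs are constructed sample inputs, and 7-bit packed text is deliberately left undecoded to keep the example short.

```python
"""Parse a GSM SMS-DELIVER PDU and surface the address replies really go to.

Added example, not code from pod2g, The Verge or the forum post. UDH IE 0x22
carrying an address field is an assumption (my reading of 3GPP TS 23.040).
The sample PDUs below are constructed.
"""
from __future__ import annotations

# Assumption: UDH information element 0x22 = Alternate Reply Address.
IEI_ALTERNATE_REPLY_ADDRESS = 0x22


def decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Decode reversed-nibble BCD digits; a 0xF nibble is padding."""
    digits = []
    for b in data:
        digits.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits[:ndigits])


def parse_address(buf: bytes, pos: int) -> tuple[str, int]:
    """Parse an address field: digit count, type-of-address, BCD digits.

    Returns the number (leading '+' for international numbers) and the
    offset just past the field.
    """
    ndigits = buf[pos]
    toa = buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    number = decode_semi_octets(buf[pos + 2:pos + 2 + nbytes], ndigits)
    if (toa & 0x70) == 0x10:  # type-of-number 001 = international
        number = "+" + number
    return number, pos + 2 + nbytes


def parse_sms_deliver(pdu: bytes) -> dict:
    """Parse an SMS-DELIVER PDU (no SMSC prefix) into its fields."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)  # TP-UDHI: a User Data Header is present
    originator, pos = parse_address(pdu, 1)  # TP-OA: the sender the user sees
    dcs = pdu[pos + 1]  # TP-PID at pos, TP-DCS at pos + 1
    pos += 2
    scts = pdu[pos:pos + 7]  # TP-SCTS: service centre timestamp
    pos += 7
    udl = pdu[pos]
    user_data = pdu[pos + 1:pos + 1 + udl]

    reply_to = None
    body = user_data
    if udhi:
        udhl = user_data[0]
        header = user_data[1:1 + udhl]
        body = user_data[1 + udhl:]
        i = 0
        while i + 2 <= len(header):  # walk the IEI / IEDL / IED triplets
            iei, iedl = header[i], header[i + 1]
            ied = header[i + 2:i + 2 + iedl]
            if iei == IEI_ALTERNATE_REPLY_ADDRESS and len(ied) >= 2:
                reply_to, _ = parse_address(ied, 0)
            i += 2 + iedl

    if (dcs & 0x0C) == 0x04:      # 8-bit data
        text = body.decode("latin-1")
    elif (dcs & 0x0C) == 0x08:    # UCS-2
        text = body.decode("utf-16-be")
    else:                         # GSM 7-bit packing is not unpacked here
        text = body.hex()

    ts = [decode_semi_octets(bytes([b]), 2) for b in scts[:6]]
    timestamp = f"20{ts[0]}-{ts[1]}-{ts[2]} {ts[3]}:{ts[4]}:{ts[5]}"
    return {"originator": originator, "reply_to": reply_to,
            "text": text, "timestamp": timestamp}


def effective_reply_address(msg: dict) -> str:
    """Where a reply is really sent: the UDH reply address, if any, wins."""
    return msg["reply_to"] or msg["originator"]


def reply_address_mismatch(msg: dict) -> bool:
    """True when a reply would go somewhere other than the displayed sender."""
    return msg["reply_to"] is not None and msg["reply_to"] != msg["originator"]


# Constructed sample: +15551234567 is displayed, but the UDH carries a reply
# address of +15559876543. 8-bit DCS keeps the text readable in the hex.
SPOOFED_PDU = bytes.fromhex(
    "44"                                # SMS-DELIVER, MMS, TP-UDHI set
    "0B 91 51 55 21 43 65 F7"           # TP-OA: +15551234567
    "00 04"                             # TP-PID, TP-DCS (8-bit data)
    "21 80 71 21 00 00 00"              # TP-SCTS: 2012-08-17 12:00:00
    "1F"                                # TP-UDL: 31 octets (11 UDH + 20 text)
    "0A 22 08 0B 91 51 55 89 67 45 F3"  # UDH: IE 0x22, +15559876543
    "52 65 70 6C 79 20 59 45 53 20 74 6F 20 63 6F 6E 66 69 72 6D"
)

# Constructed sample without a UDH: replies go back to the displayed sender.
PLAIN_PDU = bytes.fromhex(
    "04 0B 91 51 55 21 43 65 F7 00 04 21 80 71 21 00 00 00 14"
    "52 65 70 6C 79 20 59 45 53 20 74 6F 20 63 6F 6E 66 69 72 6D"
)

if __name__ == "__main__":
    for pdu in (SPOOFED_PDU, PLAIN_PDU):
        m = parse_sms_deliver(pdu)
        flag = "REPLY ADDRESS DIFFERS" if reply_address_mismatch(m) else "ok"
        print(f"from {m['originator']} reply-to {effective_reply_address(m)}"
              f" [{flag}]: {m['text']}")
```

Run as a script it prints one line per sample; the first is flagged because the reply address in the header does not match the originating address, which is exactly the mismatch the post says iOS hides from the user. A client that rendered `effective_reply_address` next to the sender, or a gateway that dropped third-party messages whose IE 0x22 differs from TP-OA, would close the gap described above.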

You'd have to target a specific user (unless you find a way to spam a whole range of numbers for free) so I don't see it going widespread. If that was easy you'd be getting loads of SMS spam already, even without any kind of vulnerability.

Considering you can fake the "reply-to" number I'd think about an exploit using premium SMS services rather than trying to get any valuable info anyway.
