"Please send money" —

Flaw allowing SMS spoofing still present in latest iOS 6 beta (Updated)

That SMS wasn't from your bank after all.

Thought you received a text from your beloved ex wanting to get back together? It could be one of your friends pranking you, at least if you use an iPhone. An iOS "hacker" going by pod2g is drawing fresh attention to a long-extant SMS spoofing flaw within iOS that allows a prankster to pose as someone else when sending an SMS to your device—a flaw that is still present in the latest beta of iOS 6.

First things first: this loophole reportedly does not involve any kind of code execution, so a dedicated hacker won't be able to use it to take over your iPhone. But there could still be potential privacy breaches as a result—a hacker could make use of a tool in order to send a specially crafted SMS to your phone claiming to be from someone else that you actually trust, such as your bank asking for verification information, or a "friend" asking for your home address.

As pod2g noted in his blog post on Friday, practically anyone can do this with a smartphone or a modem and an SMS gateway, sending SMSes in raw Protocol Description Unit (PDU) format with a User Data Header (UDH) that specifies a different reply address than the one that's actually sending the message. (Like sending an e-mail that claims to be coming from a different address than the one you're sending it from.) "If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else," pod2g wrote. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."

Security researcher Charlie Miller doesn't have access to prerelease builds of iOS 6—Apple yanked access to his developer account last year after he submitted a proof-of-concept exploit to the App Store—but did say he was familiar with the ability to spoof SMSes using tweaked UDH headers. "Want an SMS from the White House? No problem!" Miller told Ars.

It's worth noting that SMS spoofing isn't unique to the iPhone, as security researcher Jon Oberheide pointed out. "SMS spoofing isn't difficult and often occurs independent of what phone/platform the user is using," he told Ars.

Apple did not respond to our questions regarding whether it would be addressed before the final release of iOS 6.

Update: Apple said on Saturday that part of the reason it uses iMessage now is to prevent these kinds of SMS spoofing attacks:

"Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attack," Apple told Ars. "One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
