iOS SMS Text Security Bug
Bug Allows SMS Text To Appear To Be Sent From Different Number
If you have an iPhone, the text that you just received from your boss could actually be from a hacker. A recently discovered bug affecting every version of the iPhone allows someone sending an SMS text to manipulate the optional User Data Header (UDH) to make it appear that the text came from another number.
Typically, iOS security is based on Apple’s ability to examine all third-party apps before they are downloaded. This security flaw is different since it doesn’t involve malware. A hacker can change the Reply To number in the optional UDH, confusing the receiver because the number that shows up on their phone will be the Reply To number instead of the originating number. Hackers can use this to take advantage of the trust that you have towards texts from friends, family and co-workers. The hacker would have to know a phone number that you recognize for this to apply, but these numbers are often easy to find online.
This bug does not affect most other smartphones, including Android and BlackBerry, because their platforms allow the receiver to see both the number that a message is sent from and the Reply To number.
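The check described above, showing both the originating number and the Reply To number and flagging a difference, can be sketched as follows. This is an added example, not code from Apple or from the researcher; it assumes the 3GPP TS 23.040 layout (Reply Address information element 0x22, semi-octet address fields), and the sample bytes and phone numbers are constructed and fictional.

```python
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element, 3GPP TS 23.040

# Constructed sample data (fictional numbers, not from the article):
# originating address +15555550100, and a UDH whose Reply Address is +15555550199.
SAMPLE_ORIGINATING = bytes.fromhex("0B915155550501F0")
SAMPLE_UDH = bytes.fromhex("0A22080B915155550591F9")

def decode_address(field: bytes) -> str:
    """Decode an address field: digit count, type-of-address, swapped BCD digits."""
    if len(field) < 2:
        raise ValueError("address field too short")
    digit_count, toa = field[0], field[1]
    body = field[2:]
    if len(body) < (digit_count + 1) // 2:
        raise ValueError("address field truncated")
    # Each octet holds two digits, low nibble first; a trailing F nibble is padding.
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in body)[:digit_count]
    prefix = "+" if (toa >> 4) & 0x07 == 0x01 else ""  # type-of-number 001 = international
    return prefix + digits

def parse_udh(udh: bytes) -> dict:
    """Split a UDH (length octet first) into {IEI: data}; reject malformed headers."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDH length octet does not match header size")
    elements, i = {}, 1
    while i < len(udh):
        if i + 2 > len(udh) or i + 2 + udh[i + 1] > len(udh):
            raise ValueError("information element overruns header")
        iei, length = udh[i], udh[i + 1]
        elements[iei] = udh[i + 2 : i + 2 + length]
        i += 2 + length
    return elements

def check_message(originating: bytes, udh: bytes) -> dict:
    """Return both numbers and whether the Reply To differs from the real sender."""
    sender = decode_address(originating)
    reply = parse_udh(udh).get(REPLY_ADDRESS_IEI)
    reply_to = decode_address(reply) if reply is not None else None
    return {"sender": sender, "reply_to": reply_to,
            "mismatch": reply_to is not None and reply_to != sender}

if __name__ == "__main__":
    print(check_message(SAMPLE_ORIGINATING, SAMPLE_UDH))
```

A message view or gateway filter that surfaces `sender` whenever `mismatch` is true gives the receiver the information the article says iOS hides.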
Apple’s Response: How To Protect Yourself
Apple’s response to Engadget was that iMessage is not vulnerable to this attack and that users should use iMessage instead when they can.
“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
If everyone that you know owns an iPhone, you’re in luck. If you send text messages to anyone with another device, though, you must use SMS text messaging. The hacker who recently discovered the bug says that currently the only solution is to be cautious of any SMS text that you receive over iOS, as its security may have been breached. This advice reinforces the idea that you should not give out personal information over an unsecured mobile device and should not click on untrusted links.
PC World advised its readers to use common sense, saying that if a text you receive isn’t something that your friend, family, co-worker or bank would normally send you, don’t click on links and don’t respond with personal information.