Menu
iPhone SMS bug said to be serious threat

iPhone SMS bug said to be serious threat

Security on the iPhone is heavily dependent on Apple's ability to vet all third-party apps before users download them. But a French hacker claims he has found a flaw in the smartphone's text messaging service that bypasses the safeguard.

The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said Friday that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source.

Because the flaw does not involve code execution, an attacker does not need to get malware pass Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.

Pod2g, a self-professed iPhone security researcher, said the flaw is "severe" and affects all current versions of iOS and iOS 6 beta 4. IOS is the iPhone and iPad operating system.

"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," he said in a blog post.Ã'Â

Ã'Â Apple did not respond to a request for comment.

Tyler Shields, a senior security researcher at Veracode, told the Kaspersky Lab blog that the flaw needs attention.

"At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models," Shields said. "I would rate this attack a medium severity because it relies on tricking the user into doing something specific based on a falsified level of trust."

[In depth: Which smartphone is the most secure?]

When a text message is sent through the iPhone SMS (short messaging service), the phone typically converts it to a protocol called Protocol Description Unit (PDU) before the carrier ships it to the telephone number of the recipient.

Within the text payload is a section called User Data Header (UDH) that enables someone to change the reply address of the text, pod2g said. An attacker could use this flaw to show a reply number that is different from where the responding text would actually go.

"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin."

As a result, an attacker could send a message that seems to come from a bank or other trusted source. This would enable the criminal to either seek personal information or direct the recipient to a phishing website.

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments