Security researcher Pod2g has discovered a flaw in the way iOS handles SMS messages that could conceivably allow for malicious texters to disguise messages as being from a known or trusted source, potentially getting users to reveal information they normally would not, or rack up inadvertent charges on their bill. Pod2g refers to the flaw as “severe” and plans on releasing a tool to allow iPhone 4 users to send messages in “raw” PDU format until the vulnerability is fixed.
While there are as yet no reports of the problem appearing “in the wild,” and the flaw does not allow for code execution or other malware, Pod2g says he suspects that other iOS security researchers know about the flaw and perhaps some pirates as well. The flaw has existed right the way through all the various iterations of iOS and is still present in the latest beta of iOS 6, he adds, urging Apple to fix the issue before final release.
In brief, the flaw involves a set of header information options that ride along with the actual message body that contain additional information not all smartphones are compatible with. One of the options allows the sender to change the number that the message appears to be sent from and the number the receiver would reply to. “In a good implementation of this, the receiver would see [both] the original phone number and the reply-to one,” the semi-anonymous researcher writes. “On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.”
The flaw could aid pirates by allowing them to sent messages that appear, for example, to be coming from the user’s bank asking them to call and verify information, or inviting them to click to visit a malicious webpage. Many other possibilities for phishing or criminal activity are also available through social manipulation.
Pod2g says that for now, users should simply be suspicious of any SMS that includes a reply-to number from an institution or relative stranger. The workaround is to use either a tool he is developing for the iPhone or to utilize a third-party SMS gateway that lets users send and receive messages with the extra header information stripped out (ie, raw PDU format) so that the true originating number of the SMS message is preserved.