Got a tip for us? Share it...

New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

iPhone Security Issue Opens Door to SMS Spoofing

Jailbreak hacker and security researcher pod2g today revealed a newly-discovered security issue in all versions of iOS that could allow malicious parties to spoof SMS messages, making a recipient think that a message came from a trusted sender when it in fact came from the malicious party.

The issue is related to iOS's handling of User Data Header (UDH) information, an optional section of a text payload that allows users to specify certain information such as changing the reply-to number on a message to something other than the sending number. The iPhone's handling of this optional information could leave recipients open to targeted SMS spoofing attacks.
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

Most carriers don't check this part of the message, which means one can write whatever he wants in this section : a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin.
pod2g highlights several ways in which malicious parties could take advantage of this flaw, including phishing attempts linking users to sites collecting personal information or spoofing messages for the purposes of creating false evidence or gaining a recipient's trust to enable further nefarious action.

In many cases the malicious party would need to know the name and number of a trusted contact of the recipient in order for their efforts to be effective, but the phishing example shows how malicious parties could cast broad nets hoping to snare users by pretending to be a common bank or other institution. But with the issue resulting in recipients being shown the reply-to address, an attack could be discovered or thwarted simply by replying to the message, as the return message would go to the familiar contact rather than the malicious one.

Related roundups: iPhone 5c, iPhone 5s, iPhone 6

Top Rated Comments

(View all)

27 months ago
I think we could use a slight rewrite of the article. It didn't say "malicious party" nearly often enough for me.
Rating: 9 Votes
27 months ago
Apple get you act together.

Uncle Ruckus no relations.
Rating: 6 Votes
27 months ago
This makes no sense. You don't need to use UDH tricks to 'spoof' the sender ID on a text message, you just set whatever sender ID you want to use. Any text message can contain up to 16 digits or 11 alphanumeric characters of sender ID, and there's absolutely nothing that ensures this data is somehow verified or official.

Just as with an email you can, technically, originate it from wherever the hell you like, so can you with a text message.

This 'discovery' is not a discovery at all. In fact, it doesn't seem to be a problem at all. It would only be a problem if the sender ID displayed on the iPhone could be one thing, but the destination of the reply text messages could actually be something else that the user had no knowledge of. Correct me if I'm wrong, but in this instance the user is fully aware of the number they're texting. So no problem.

And yes, I know SMS.
Rating: 6 Votes
27 months ago



Nope. :apple:

But i'm not surprised it didn't come from someone legit.


Pod2g is quite legit in my book.
Rating: 6 Votes
27 months ago

Agree with this. You are correct, this is not possible. When a reply-to address is specified iOS displays that and ignores the sender.

Yeah, I'm pretty sure this story is without merit and should be taken down. Simply a misunderstanding/lack of understanding about how SMS works.
Rating: 5 Votes
27 months ago
It is easy to spoof caller ID and fool every phone on earth. How is this any more dangerous?
Rating: 5 Votes
27 months ago
This isn't new...
it can be done for all phones, it's a paid service.
http://www.spoofcard.com/sms
Rating: 5 Votes
27 months ago
SMS sender spoofing is possible anyway. If you have the tools mentioned, just change the sender field. No need to fiddle with the reply-to field. Everyone using SMS knows about this.
Rating: 5 Votes
27 months ago
Surprised there is no "Steve would never let this happen" post yet... oh well I'm not complaining ;)
Rating: 4 Votes
27 months ago
This is rather ridiculous. If any of my friends asked me for my credit card # or social security # in a text message, I wouldn't even reply. Use common sense people.

What about all of those websites where you can send text messages, and you type in the number you want it to be from? It gets received and shows that number that you typed in. No level of security can prevent that from happening. The carriers need to crack down on these kind of web-based text messaging services - Apple should not be the fall guy for it.

Apple has done a stellar job at making their OS (iOS and OS X) safe, secure, and reliable. Could they do a better job? Sure - there is always room for improvement. Do they do a better job than competitors - my opinion is yes, they do.


What Apple cannot do though, is fix stupid.
Rating: 4 Votes

[ Read All Comments ]