Apple has hit back at claims that its iPhone smartphones are prone to a vulnerability that allows hackers to spoof messages pretending to be from a bank or credit card company.
A security researcher, dubbed "pod2g" said that the vulnerability bypasses Apple's checks on third-party apps.
As the flaw does not execute code, a hacker doesn't need to get malicious code pass Apple, which has final say on all mobile apps that appear on its App Store.
The security researcher said that the bug is so severe; it affects all current versions of iOS including the latest, unreleased version iOS 6 beta 4.
"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," the researcher said on their blog.
The problem involves the header of a text message, which comprises of both the originating number of the message and the reply-to number. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
"Most carriers don't check this part of the message, which means one can write whatever he wants in this section, a special number like 911, or the number of somebody else," said Pod2g.
The researcher said that in good implementation of this feature, the receiver would see the original phone number and the reply-to one. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin," said Pod2g.
Apple released a statement and said that it took "security very seriously".
"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."
"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," it added.
-
HPE and Nvidia launch first EU AI factory lab in FranceThe facility will let customers test and validate their sovereign AI factories
-
AWS CEO Matt Garman says AI agents will have 'as much impact on your business as the internet or cloud'News Garman told attendees at AWS re:Invent that AI agents represent a paradigm shift in the trajectory of AI and will finally unlock returns on investment for enterprises.
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
