Apple reacts to iPhone text message flaw

Texting on iPhone

Apple has hit back at claims that its iPhone smartphones are prone to a vulnerability that allows hackers to spoof messages pretending to be from a bank or credit card company.

A security researcher, dubbed "pod2g" said that the vulnerability bypasses Apple's checks on third-party apps.

As the flaw does not execute code, a hacker doesn't need to get malicious code pass Apple, which has final say on all mobile apps that appear on its App Store.

The security researcher said that the bug is so severe; it affects all current versions of iOS including the latest, unreleased version iOS 6 beta 4.

"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," the researcher said on their blog.

The problem involves the header of a text message, which comprises of both the originating number of the message and the reply-to number. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.

In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

"Most carriers don't check this part of the message, which means one can write whatever he wants in this section, a special number like 911, or the number of somebody else," said Pod2g.

The researcher said that in good implementation of this feature, the receiver would see the original phone number and the reply-to one. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin," said Pod2g.

Apple released a statement and said that it took "security very seriously".

"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."

"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," it added.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.