Famed iOS hacker and security expert, better known by his Twitter handle @pod2g, has uncovered an alarming security flaw in iOS that has been present in the operating system since day one. The flaw, Pod2g notes, does not involve code execution. What makes it dangerous is that attackers (pirates, in Pod2g's words) can use it to change the reply address of a text message without the recipient noticing. Once this has been done, when the user replies to the text, the reply is not delivered to the original number but goes to the one the attacker specified.
Pod2g explains the flaw on his blog as follows:
In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.
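To make the quoted explanation concrete, here is an added example (not pod2g's code and not from his post) that decodes an SMS User Data Header, pulls out the Reply Address Element, and flags when it differs from the originating address, which is exactly the comparison a careful client would surface to the user. The information element identifier 0x22 and the digit-count / type-of-address / reversed-nibble BCD address layout follow 3GPP TS 23.040 as the author understands it; the sample header bytes and phone numbers are constructed for the demonstration.

```python
"""Decode an SMS User Data Header (UDH) and flag a reply address that
differs from the originating address.  Added example, not pod2g's code.
IE identifier 0x22 (Reply Address Element) and the address encoding
follow 3GPP TS 23.040; the sample header bytes below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

IEI_CONCAT_8BIT = 0x00      # concatenated short message, 8-bit reference
IEI_REPLY_ADDRESS = 0x22    # Reply Address Element (TS 23.040)


@dataclass
class InformationElement:
    iei: int
    data: bytes


def parse_udh(udh: bytes) -> List[InformationElement]:
    """Parse a UDH: one length octet (UDHL) followed by TLV-style
    Information Elements (IEI, IEDL, IED).  Truncated or overlong input
    raises ValueError rather than being silently trusted."""
    if not udh:
        raise ValueError("empty UDH")
    udhl = udh[0]
    if 1 + udhl != len(udh):
        raise ValueError(f"UDHL {udhl} does not match {len(udh) - 1} octets")
    body = udh[1:]
    elements: List[InformationElement] = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated information element header")
        iei, iedl = body[pos], body[pos + 1]
        ied = body[pos + 2:pos + 2 + iedl]
        if len(ied) != iedl:
            raise ValueError("truncated information element data")
        elements.append(InformationElement(iei, ied))
        pos += 2 + iedl
    return elements


def decode_address(field: bytes) -> str:
    """Decode a TP-OA-style address field: number of digits, type-of-address
    octet, then reversed-nibble BCD digits (0xF pads an odd digit count)."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa = field[0], field[1]
    needed = (ndigits + 1) // 2
    if len(field) - 2 < needed:
        raise ValueError("address digits truncated")
    digits = []
    for octet in field[2:2 + needed]:
        digits.append(str(octet & 0x0F))   # low nibble holds the first digit
        digits.append(str(octet >> 4))     # high nibble holds the second
    number = "".join(digits[:ndigits])     # drops the 0xF pad nibble
    international = (toa & 0x70) == 0x10   # type-of-number bits = international
    return ("+" if international else "") + number


def reply_address(elements: List[InformationElement]) -> Optional[str]:
    """Return the decoded Reply Address Element, or None if absent."""
    for ie in elements:
        if ie.iei == IEI_REPLY_ADDRESS:
            return decode_address(ie.data)
    return None


def check_reply_spoof(originating: str, udh: bytes) -> dict:
    """Report the reply-to address and whether it differs from the
    originating address, the condition a good client should display
    instead of hiding the origin behind the reply-to number."""
    reply = reply_address(parse_udh(udh))
    return {
        "originating": originating,
        "reply_to": reply,
        "reply_differs": reply is not None and reply != originating,
    }


# Constructed sample UDH: a concatenation IE (ref 0xAB, part 1 of 2)
# followed by a Reply Address Element pointing at "911".
SAMPLE_UDH = bytes.fromhex("0B" "0003AB0201" "220403811" "9F1")

if __name__ == "__main__":
    print(check_reply_spoof("15551234567", SAMPLE_UDH))
```

Run as a script it prints the originating number, the decoded reply-to "911", and `reply_differs: True`; a client applying this check would show both numbers rather than only the reply-to one, which is the "good implementation" pod2g describes.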
Although this security flaw does not cause immediate danger, according to Pod2g it can be used by attackers in many ways to make you reveal personal information to strangers who might use it for wrong purposes.
Here are a few scenarios Pod2g has mentioned in his blog post:
Why is it an issue?
- pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
- one could send a spoofed message to your device and use it as false evidence.
- anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.
Hopefully Apple is listening and will fix this bug in upcoming versions of iOS. Pod2g has pointed out that the bug is still present in iOS 6 beta 4, which was recently released to developers. [Source]