Earlier today, pod2g (famed iOS security expert behind the 5.1.1 Untethered Jailbreak exploit) published his findings of a very troublesome iOS security issue. The newly-discovered vulnerability could potentially allow attackers to “spoof SMS messages”, meaning an individual can send a message that appears as if it’s from an authentic source.
The root of this issue resides in the way iOS handles User Data Header (UDH) information, which includes a multitude of advanced features and options – some of which are exclusive to iOS. Unfortunately, one of these options permits changing the number a user’s reply is sent to from the original sending number.
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
Most carriers don’t check this part of the message, which means one can write whatever he wants in this section : a special number like 911, or the number of somebody else.
This severe exploit could leave iPhone owners vulnerable to SMS spoofing and other various attacks. Some of which include the following: sensitive data phishing attempts that drive users to harmful sites that collect personal information, the sending of a spoofed message to provide falsified evidence or obtaining information by first gaining the user’s trust under a pseudo-identiy.
In most instances, the attacker would require the name and number of an individual associated with the recipient to execute an effective data mining scheme. However, it’s possible to display virtually any number, leaving the possibility of posing as an authoritative figure or corporation (e.g. a bank) wide open for exploitation.
In his report, pod2g asks that Apple address this issue as quickly as possible and with all of the various applications for this security flaw, how could they refuse? Stay tuned for additional coverage on the situation and other iOS vulnerabilities.
