A prominent jailbreaker that goes by the handle Pod2g has exposed a vulnerability in the way iOS interprets key SMS data that could allow scammers to gain sensitive information from iPhone users. Essentially, the flaw makes it possible to change the reply-to number in an SMS, so you might think you’re getting a text from a trusted source -- like a friend or even your bank -- when it’s actually someone else.
There’s no direct risk of code execution, so this is mainly useful for social-engineering scams. That said, with no way to verify the actual sender, it could be used to extract sensitive information from unsuspecting users or to invite them to click a link that loads a malicious or phishing website.
Pod2g explains the flaw in a blog post titled “Never trust SMS: iOS text spoofing”:
In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. […] In a good implementation of this, the receiver would see [both] the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.
To take advantage of the SMS loophole, someone would need to be able to send texts in raw PDU format. Apparently, there are several smartphone tools readily available online for this, and Pod2g will be releasing his own soon to prove his findings. The security expert says the flaw has been present since the original iPhone and still exists in iOS 6 beta 4. He’s asking Apple to correct the problem before the final release.
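To make the "good implementation" concrete, here is an added example (not Pod2g's code or Apple's) of a receiving-side SMS-DELIVER parser that surfaces both the originating address and any UDH reply address and flags a mismatch instead of silently showing the reply-to number. It assumes the 3GPP TS 23.040 layout (UDH information elements as IEI/length/data triples, Reply Address Element IEI 0x22, GSM address fields as nibble-swapped BCD); the sample PDU is constructed, not captured.

```python
# SMS-DELIVER TPDU parser (3GPP TS 23.040) that keeps both numbers visible:
# the TP-Originating-Address and any UDH Reply Address Element (assumed IEI 0x22).
REPLY_ADDRESS_IEI = 0x22

def decode_address(buf, pos):
    """GSM address field: digit count, type-of-address, nibble-swapped BCD digits."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    digits = "".join("%x%x" % (b & 0x0F, b >> 4) for b in raw)[:ndigits]  # drop F pad
    if (toa & 0x70) == 0x10:                      # international type-of-number
        digits = "+" + digits
    return digits, pos + 2 + nbytes

def parse_deliver(tpdu):
    """Return origin, UDH reply-to (if any), text, and whether they disagree."""
    if tpdu[0] & 0x03:
        raise ValueError("not an SMS-DELIVER")
    udhi = bool(tpdu[0] & 0x40)                   # TP-UDHI: a User Data Header follows
    origin, pos = decode_address(tpdu, 1)
    dcs = tpdu[pos + 1]
    pos += 2 + 7                                  # skip TP-PID, TP-DCS, 7-byte TP-SCTS
    ud = tpdu[pos + 1:pos + 1 + tpdu[pos]]        # TP-UDL, then TP-UD
    reply_to, body = None, ud
    if udhi:
        udhl = ud[0]
        ies, body = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i + 2 <= len(ies):                  # walk IEI / IEDL / IED triples
            iei, iedl = ies[i], ies[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(ies, i + 2)
            i += 2 + iedl
    text = body.decode("ascii") if dcs == 0x04 else body.hex()  # 8-bit data only
    return {"from": origin, "reply_to": reply_to, "text": text,
            "spoofed_reply": reply_to is not None and reply_to != origin}

def render(msg):
    """The 'good implementation' from the post: show the origin, then the reply-to."""
    line = "From " + msg["from"]
    if msg["spoofed_reply"]:
        line += " (WARNING: replies would go to " + msg["reply_to"] + ")"
    return line + ": " + msg["text"]

# Constructed sample, not a captured message: origin +15550001111, UDH reply
# address +15559998888, DCS 0x04 (8-bit data), body "Call me back".
SAMPLE_TPDU = bytes.fromhex(
    "44" "0b915155001011f1" "00" "04"   # first octet (UDHI set), TP-OA, TP-PID, TP-DCS
    "21807121030040" "17"                # TP-SCTS, TP-UDL = 23 octets
    "0a" "2208" "0b915155998988f8"       # UDHL = 10; IEI 0x22, IEDL 8, reply address
) + b"Call me back"
```

Running `render(parse_deliver(SAMPLE_TPDU))` yields a line that names the real origin and warns that replies would go elsewhere, which is exactly the cue the iOS rendering described above withholds.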