A prominent jailbreaker who goes by the handle Pod2g has exposed a vulnerability in the way iOS interprets key SMS data that could allow scammers to gain sensitive information from iPhone users. Essentially, the flaw makes it possible to change the reply-to number in an SMS, so you might think you’re getting a text from a trusted source -- like a friend or even your bank -- when it’s actually someone else.
There’s no direct risk of code execution, so this is basically for social engineering types of scams. That said, with no way to verify the actual sender, it could be used to extract sensitive information from unsuspecting users or invite them to click on a link that loads a malicious or phishing website.
Pod2g explains the flaw in a blog post titled “Never trust SMS: iOS text spoofing”:
“In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. […] In a good implementation of this, the receiver would see [both] the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.”
To take advantage of the SMS loophole, someone would need to be able to send texts in raw PDU format. Apparently, there are several smartphone tools readily available online for this, and Pod2g will be releasing his own soon to prove his findings. The security expert says the flaw has been present since the original iPhone, and still exists in iOS 6 beta 4. He’s asking Apple to correct the problem before the final release.
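A receiving-side check for the behaviour described above, as an added example that is not from Pod2g's post or from iOS: it parses a User Data Header and reports a reply address that differs from the originating number, which is the information a good implementation would show the user. The information-element identifier 0x22 and the address encoding follow 3GPP TS 23.040; the phone numbers and header bytes are constructed samples, and only numeric addresses are handled.

```python
# Added example: detect a UDH reply address that differs from the SMS originator.
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element, 3GPP TS 23.040 section 9.2.3.24

def decode_address(field):
    """Decode a numeric TS 23.040 address: digit count, type-of-address, swapped BCD."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa, body = field[0], field[1], field[2:]
    if len(body) < (ndigits + 1) // 2:
        raise ValueError("address truncated")
    # Each octet holds two digits, low nibble first; 0xF pads an odd digit count.
    digits = "".join("%x%x" % (b & 0x0F, b >> 4) for b in body)[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits  # TON 001 = international

def parse_udh(udh):
    """Split a User Data Header (UDHL octet first) into (IEI, data) pairs."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDHL does not match header length")
    elements, i = [], 1
    while i < len(udh):
        if i + 2 > len(udh):
            raise ValueError("truncated information element")
        iei, length = udh[i], udh[i + 1]
        data = udh[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("information element overruns header")
        elements.append((iei, data))
        i += 2 + length
    return elements

def reply_address_mismatch(originator, udh):
    """Return the reply-to number if it differs from the originator, else None."""
    for iei, data in parse_udh(udh):
        if iei == REPLY_ADDRESS_IEI:
            reply_to = decode_address(data)
            if reply_to != originator:
                return reply_to
    return None

# Constructed samples: one header carrying a reply address, one plain concatenation header.
SPOOFED_UDH = bytes.fromhex("082206089151551099")  # reply address +15550199
CONCAT_UDH = bytes.fromhex("0500035a0201")         # part 1 of 2, no reply address

if __name__ == "__main__":
    for name, udh in (("spoofed", SPOOFED_UDH), ("concat", CONCAT_UDH)):
        hit = reply_address_mismatch("+15550100", udh)
        print(name, "-> replies redirected to", hit if hit else "nobody (sender matches)")
```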