Sign up for a new account or log in here:
also @ TechSpot: IBM's Watson conquers Jeopardy, cancer and now customer service
A prominent jailbreaker that goes by the handle Pod2g has exposed a vulnerability in the way iOS interprets key SMS data that could allow scammers to gain sensitive information from iPhone users. Essentially, the flaw makes it possible to change the reply-to number in an SMS, so you might think you’re getting a text from a trusted source -- like a friend or even your bank -- when it’s actually someone else.
There’s no direct risk of code execution, so this is basically for social engineering types of scams. That said, with no way to verify the actual sender, it could be used to extract sensitive information from unsuspecting users or invite them to click on a link that loads a malicious or phishing website.
Pod2g explains the flaw in a blog post titled “Never trust SMS: iOS text spoofing”:
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. […] In a good implementation of this, the receiver would see [both] the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.
To take advantage of the SMS loophole someone would need to be able to send texts in raw PDU format. Apparently, there are several smartphone tools readily available online for this, and Pod2G will be releasing his own soon to prove his findings. The security expert says the flaw has been present since the original iPhone, and still exists in iOS 6 beta 4. He’s asking Apple to correct the problem before the final release.
Related Products from Product Finder
Apple iPhone 4S
The iPhone 4S looks identical to last year's model but comes in a new 64GB flavor and upgrades the camera to include an 8-megapixel sensor with improved low-light performance and 1080p video capture. In terms of performance the new iPhone is reportedly up to 2x faster and is also capable of running on faster HSPA+ networks, reaching theoretical download speeds of up to 14.4Mbps.
Apple iPhone 4
Read expert reviews, pros & cons, and product information about Apple iPhone 4. There are 192 reviews available so far.
User Comments: 4
Got something to say? Post a comment-
lol theirs been an app cydia which allowed this for years
I sent a text to a friend and the number showed it as his gf,
nothing new, easy to do, just pirate that app. lol
-
I'm sure by the time it's released it'll be fixed.
-
Not everyone updates there phone so this is definitely a problem. How about people who don't have a plan that covers internet? hell one of my old providers got me to pay $150 because an app tried to update the day I bought the phone before I could deny internet access. it downloaded about 2mb
-
princeton said:
Not everyone updates there phone so this is definitely a problem. How about people who don't have a plan that covers internet? hell one of my old providers got me to pay $150 because an app tried to update the day I bought the phone before I could deny internet access. it downloaded about 2mbYes they do. The only people who do not update their version of iOS are people who don't want to lose their jailbreak. You don't have to do an OTA update through mobile internet, you can do it through iTunes or over WiFi
Most Popular
| Trending | Featured |
Subscribe to TechSpot
Get free exclusive content, learn about new features and breaking tech news.