The well-known jailbreak hacker @pod2g has revealed an iPhone SMS software vulnerability. Pod2g explains in a blog post where the problem lies. The vulnerability makes it easy to send phishing messages that appear to come from your bank. According to pod2g, security experts are likely already aware of the problem. Perhaps this also applies to attackers.

A sent message contains a section called the "User Data Header", which is not supported by every mobile phone and which contains important information about the message. Within this data, it is possible to change the phone number you reply to. Cellular providers rarely check this information, so a sender can put in whatever they want. On smartphones that support this function properly, you see the reply-to address as well as the number of the sender. The iPhone only shows you the reply-to address, so the SMS appears to come from that number.

A SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.

[…] In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.

Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

The problem is said to have existed since the first versions of iOS and to still be present in the latest beta of iOS 6. Pod2g therefore calls on Apple to solve the issue with an update. Apple could fix it in iOS 6, which is due this fall, but if Apple takes the issue seriously there is a chance that an interim iOS 5.1.2 will be released.

However, the iPhone does not handle this feature properly: when the reply-to number is changed, it displays the changed number, not the one from which the SMS was actually sent. This makes it possible to substitute numbers, mislead the recipient of such a message and steal personal information.

It is not known how easily hackers are able to "intercept" SMS messages and replace them, but pod2g promises to release a utility for this case if Apple does not fix the vulnerability in the near future.
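
As an added example (not code from pod2g's post or from Apple), this Python sketch shows the check a receiving client or SMS gateway can make: parse an SMS-DELIVER PDU, read the originating address, look in the UDH for a reply-address element, and flag a mismatch. It assumes the field layout and the reply-address element identifier 0x22 from 3GPP TS 23.040, handles numeric addresses only, and uses constructed sample PDUs with fictional numbers.

```python
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" IEI in 3GPP TS 23.040 (assumed)

def decode_address(buf, pos, end):
    """Decode a numeric TS 23.040 address field; return (number, next_pos)."""
    if pos + 2 > end:
        raise ValueError("truncated address header")
    ndigits, toa = buf[pos], buf[pos + 1]
    stop = pos + 2 + (ndigits + 1) // 2
    if stop > end:
        raise ValueError("truncated address digits")
    # Digits are BCD with swapped nibbles; an odd count is padded with 0xF.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in buf[pos + 2:stop])
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # type-of-number: international
    return prefix + digits[:ndigits], stop

def inspect_deliver(pdu_hex):
    """Return the sender, the UDH reply address (if any) and whether they differ."""
    buf = bytes.fromhex(pdu_hex)
    pos = 1 + buf[0]                      # skip the SMSC block
    first = buf[pos]
    if first & 0x03:                      # TP-MTI must be 00 (SMS-DELIVER)
        raise ValueError("not an SMS-DELIVER PDU")
    sender, pos = decode_address(buf, pos + 1, len(buf))
    pos += 2 + 7 + 1                      # TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply_to = None
    if first & 0x40:                      # TP-UDHI: user data starts with a UDH
        end = pos + 1 + buf[pos]          # UDHL counts the octets after it
        if end > len(buf):
            raise ValueError("UDH longer than PDU")
        pos += 1
        while pos + 2 <= end:             # walk the IEI / IEDL / IED triples
            iei, iedl = buf[pos], buf[pos + 1]
            if pos + 2 + iedl > end:
                raise ValueError("malformed information element")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf, pos + 2, pos + 2 + iedl)
            pos += 2 + iedl
    return {"sender": sender, "reply_to": reply_to,
            "mismatch": reply_to is not None and reply_to != sender}

# Constructed sample PDUs (fictional 555-01xx numbers, UCS-2 text "Hi").
PLAIN = "00040B915155550501F000082180712100000004" "00480069"
WITH_REPLY_TO = ("00440B915155550501F00008218071210000000F"
                 "0A22080B915155550591F9" "00480069")

if __name__ == "__main__":
    for pdu in (PLAIN, WITH_REPLY_TO):
        print(inspect_deliver(pdu))
```

A client that shows both `sender` and `reply_to` whenever `mismatch` is true gives the recipient the information the iPhone's display drops.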

