Earlier this week, an iPhone jailbreaking guru called pod2g revealed how even the very latest beta versions of iOS 6 cannot prevent the iPhone from being vulnerable to SMS text message spoofing. This technique is often employed by spammers and scammers alike when targeting the smartphone user in order to get them to click on a link or otherwise respond to what appears to be a message from a trusted source.

Technically it's about as simple as it gets: all the would-be spoofer needs to do is change the User Data Header indicator within the Protocol Description Unit format that text messages get converted to. Once the reply-to field of the message has been changed, the recipient will end up (obviously) replying to that number but has no way of knowing it, as the number from the original SMS text isn't displayed on the iPhone. Writing about the exploit, pod2g argues that the ideal solution would be for the recipient to "see the original phone number and the reply-to one" but that doesn't happen on the iPhone.

This, as is always the case when Apple or iPhone is mentioned in such a story, kicked off a huge number of follow-on stories about how insecure the iPhone is. The inevitable comment threads then appeared either suggesting that people switch to Android handsets instead or that the original story was a big pile of pants, depending upon the fanboy status of the poster of course.

The truth of the matter is that this is not an Apple, an iPhone or an iOS issue at all: it's an SMS issue. The entire SMS text message system has pretty much nothing by way of useful authenticity checking built in; it was never developed as a 'secure' messaging system. You only have to go Google for SMS spoofing sites on the web to discover that there are plenty which provide the service, either for free or for a fee, and the recipient phone handset matters not one jot. As long as the handset itself allows that UDH indicator for the alternative reply-to address to be changed then all bets are off.

Now I have not always been the most supportive of Apple when they reply to stories surrounding security holes within their products or services, as all too often that response tends to consist of either an ostrich impression, a straight denial or silence. On this occasion, however, Apple has not been silent and not denied that SMS on an iPhone can be spoofed. It has, instead, via a response posted to Engadget quite clearly stated that:

[Image: Apple's response as posted to Engadget]

So there you have it: use iMessage instead of SMS on an iPhone if you want to avoid the spoofing issue. Even the jailbreaker who kicked this whole shebang off, pod2g, agrees and has Tweeted "iMessage is certainly far more secure than SMS. I've no doubt about it". Of course, Apple could do something about the way the iPhone displays originating and reply-to numbers in text messages, but spoofing has been around since the dawn of email and the dawn of SMS, truth be told. It's nothing new, and the best way to protect against it is user vigilance. Either that, or buy all your mates an iPhone so they can start using iMessage as well...

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

LastMitch

So there you have it, use iMessage instead of SMS on an iPhone if you want to avoid the spoofing issue.

This has to be the worst fault in any mobile device.