Join gaming leaders, alongside GamesBeat and Facebook Gaming, for their 2nd Annual GamesBeat & Facebook Gaming Summit | GamesBeat: Into the Metaverse 2 this upcoming January 25-27, 2022. Learn more about the event.
While dedicated hackers can be an annoyance to companies like Apple, they can sometimes be helpful when it comes to digging up potentially devastating security vulnerabilities.
That’s certainly the case this morning, as Pod2G, a French iOS hacker/security researcher known for discovering jailbreaking techniques, has revealed an SMS spoofing flaw that affects every version of Apple’s mobile OS. Using the flaw, hackers could spoof their identities via text and send messages asking for private information (by pretending to be from a users’ bank, for example), or direct users to phishing sites.
As Pod2g explains it, an SMS text message is converted to Protocol Description Unit (PDU) when sent from a phone, a dense protocol that also handles things like voice mail alerts and emergency medical systems. If a hacker was able to send a message in raw PDU format, they could take advantage of the User Data Header section to alter the reply number for a text.
If properly implemented, you should see both the original texting address and the altered reply number. But on the iPhone, you only see the altered reply number. For whatever reason, the original sender gets hidden. The flaw only relates to texts on the iPhone, and not messages sent through Apple’s iMessage network (those don’t hit the SMS protocol at all).
Pod2G said he’ll be releasing an iPhone tool for raw PDU messaging soon, which should prove his findings. He thinks other security researchers are already aware of the SMS flaw, and he’s worried that hackers have caught wind as well.
We’ve asked Apple for further comment on this exploit, and we’ll report when we hear back.
Apple last year knocked security researcher Charlie Miller out of its developer program after he discovered a flaw allowing unapproved code to run in iOS.
Photo: Devindra Hardawar/VentureBeat
VentureBeatVentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more