There was a report earlier this month about a security flaw in iPhones where one could easily make the iPhone vulnerable to text message cheating. The flaw has existed since the iPhone was first launched back in 2007, and the flaw still hasn’t been fixed as of the beta for iOS 6. According to a report by CNET, the flaw doesn’t exist in smartphones that run on other operating systems.
“We have tested this issue on Android, Windows Mobile, BlackBerry, and Symbian phones and most of them simply ignore the 'reply address' field or display both the 'real' originating address and the reply address as per the specification recommendations,” Cathal McDaid, security consultant at AdaptiveMobile, said in a statement to CNET. “The iPhone, so far, is the only device which does not comply with these security recommendations.“
According to McDaid, the “reply to” field was there to provide a way to respond to texts from marketing firms or other agencies that may not be capable of receiving messages. These days, most handsets ignore the field. “Apple has left a significant vulnerability in its handsets which could allow consumers to be fooled and hand over personal details to hackers and criminals,” says McDaid.
The only phone with the SMS security flaw
Under the protocols handling the exchange of SMS (Short Message Service) text between mobile phones, the sender of a message can technically change the reply-to phone number to something different from the original number, the hacker who found the flaw, who goes by the alias Pod2g, explained. In a good implementation, the receiver of the message would see both the original phone number and the reply-to one. But using iPhone's SMS feature, when receivers see the message, it seems to come from the reply-to number, while the original phone number of the sender is hidden. The loophole means that someone could send iPhone users messages pretending to be from the receivers' banks or other trusted sources, asking for some private information, or cheating them to go to a dedicated website to obtain users' information.
Pod2g called the security flaw “severe” and urged Apple to fix it before the final release of the iOS 6 software. “Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” Pod2g wrote in the blog post .Apple Inc. could not be reached for comments.
Engadget had received this response from apple on the matter: “Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS.”