A security flaw in the iPhone SMS messaging system has been discovered and disclosed by the security researcher known as ‘pod2g’. It is claimed the flaw has been present in iOS ever since the first iPhone was released in 2007 and has not been publicly discovered by anyone, including Apple, although pod2g suggests it has been known privately by others in the security community.

The flaw allows an SMS message to be sent with a spoofed sender identity, which an attacker could use to elicit information from a victim or to direct victims to phishing or other malicious sites. The flaw lies in how the receiving device processes the SMS payload after it has been transmitted across the mobile network.

The flaw exploits a problem with the handling of an element of the payload called the UDH (User Data Header), an optional component that carries advanced features not all handsets support. One of these options lets the sender change the reply address for the text, much like the Reply-To header of an email. If the destination handset supports it, a user who answers the message will reply to the number given in the header field rather than to the originating number. Most carriers neither check nor handle this component of the message, so anyone sending a message can write whatever they like in this section.

In a good implementation of this feature the handset would display both the original number and the reply-to one. The iPhone parses the message but appears to lose the originating number and displays only the one provided in the reply-to field, thus allowing the originator of the message to be spoofed.
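As an added example (not pod2g's tool and not code from the original write-up), here is a small Python decoder for an SMS-DELIVER PDU that keeps both the originating address and the UDH reply address, which is the display behaviour described above as a good implementation. The Reply Address Element IEI value 0x22 comes from 3GPP TS 23.040; the assumption that its payload is laid out like TP-OA, the constructed PDU and the phone numbers in it are mine.

```python
"""Decode an SMS-DELIVER PDU and surface both the originator and any UDH reply
address, so a client UI can show them side by side instead of hiding one."""

IEI_REPLY_ADDRESS = 0x22  # Reply Address Element (3GPP TS 23.040)

# Constructed sample: originator +15551234567, UDH reply address +19998887777,
# 8-bit data coding (DCS 0x04), body "Call me back". Not a captured message.
SAMPLE_PDU = (
    "00" "44" "0B91" "5155214365F7" "00" "04" "21801211223300"
    "17" "0A" "2208" "0B91" "9199887877F7" "43616c6c206d65206261636b"
)


def _swap_bcd(digits_hex: str) -> str:
    """Undo the nibble-swapped BCD encoding of phone digits; 'F' is padding."""
    pairs = [digits_hex[i + 1] + digits_hex[i] for i in range(0, len(digits_hex), 2)]
    return "".join(pairs).rstrip("F")


def _read_address(buf: bytes, pos: int):
    """Parse an address field: digit count, type-of-address, BCD digits."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    digits = _swap_bcd(buf[pos + 2:pos + 2 + nbytes].hex().upper())
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # 0x91 = international
    return prefix + digits, pos + 2 + nbytes


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Return originator, UDH reply address (if any), text and a mismatch flag."""
    buf = bytes.fromhex(pdu_hex)
    pos = buf[0] + 1                      # skip SMSC address (length + octets)
    first = buf[pos]; pos += 1            # TP-MTI / TP-MMS / TP-UDHI flags
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    originator, pos = _read_address(buf, pos)   # TP-OA, as set by the network
    pos += 1                              # TP-PID
    dcs = buf[pos]; pos += 1              # TP-DCS
    pos += 7                              # TP-SCTS timestamp
    udl = buf[pos]; pos += 1              # TP-UDL (octets for 8-bit coding)
    ud = buf[pos:pos + udl]
    if dcs != 0x04:
        raise ValueError("example handles 8-bit data coding only")
    reply_to, body_start = None, 0
    if first & 0x40:                      # TP-UDHI: a User Data Header is present
        body_start = 1 + ud[0]            # UDHL, then IEs (IEI, IEDL, IED)
        i = 1
        while i < body_start:
            iei, iedl = ud[i], ud[i + 1]
            if iei == IEI_REPLY_ADDRESS:  # assumption: IED encoded like TP-OA
                reply_to, _ = _read_address(ud, i + 2)
            i += 2 + iedl
    text = ud[body_start:].decode("latin-1")
    return {"originator": originator, "reply_to": reply_to, "text": text,
            "reply_mismatch": reply_to is not None and reply_to != originator}


def display_line(info: dict) -> str:
    """Header line a careful client should show: the originator is never dropped."""
    if info["reply_mismatch"]:
        return f"From {info['originator']} (replies go to {info['reply_to']})"
    return f"From {info['originator']}"
```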

To demonstrate the flaw pod2g released a small tool called sendrawpdu for testing it. The code for the tool was released on GitHub here. You can also read the full details of pod2g’s discovery here.