The majority of the iOS community will more than likely be familiar with the work of French iOS security researcher Pod2g. For the better part of this year, the iOS security enthusiast has been working hard on finding and exploiting various bugs in iOS that have led to the production of jailbreaks for various iOS devices. He has also been seen out in the wild at various security conferences, including the HITBSecConf and has been nominated for a Pwnie Award for his kernel exploit that was used in the Corona jailbreak.
It seems that even when out of the community limelight, the hard work and investigation of iOS doesn’t stop, and that dedication to the cause has enabled him to find what he believes is a “severe” flaw in Apple’s mobile operating system that allows spoofing of SMS messages. The researcher believes that the bug is more than likely already known by others involved in this type of scrutiny of iOS, and although it doesn’t involve any kind of code execution, it could pose real risks to users if left unfixed.
It’s always going to be an extremely difficult task for companies to produce entire software ecosystems like iOS that don’t contain any flaw or vulnerability, and though Apple has dramatically improved the security of iOS over the last few years, it is concerning that this SMS flaw has been present since the beginning and is still there in the latest fourth beta of iOS 6. Without wanting to go into extremely lengthy technical details, Pod2g has briefly explained that SMS messages exist as bytes of data which undergo a conversion before being handed off to the baseband for delivery to the receiving network and device.
The existence of the vulnerability basically allows owners of a smartphone with an available SMS gateway to replicate this data and send messages to others that could claim to be from what looks like a reputable source. The User Data Header of the payload also allows the sender to change various things, such as the reply path of the message, meaning that a person could hit reply on a malicious text which looks like it came from a known sender, but the reply path has been altered behind the scenes to reply elsewhere without the user’s knowledge. Pod2g further added that he will release a tool which he developed for the iPhone 4, which will allow users to send messages in raw PDU format, providing security for the time being until Apple patches the issue for good. The blog post from the dedicated security researcher outlines some additional situations that could be a cause for concern for users.
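To make the reply-path point concrete from the receiving side, here is an added Python example (not code from Pod2g’s post or his tool) that decodes an SMS-DELIVER PDU far enough to compare the network-asserted originating address (TP-OA) with any Reply Address Element carried in the User Data Header, and flags the mismatch a client ought to surface to the user. It assumes the Reply Address Element is UDH information element 0x22 laid out as a standard address field (3GPP TS 23.040), restricts itself to 8-bit data coding so no 7-bit unpacking is needed, and uses constructed phone numbers from a reserved drama range as test vectors; the PDU builder exists only to produce those vectors.

```python
"""Decode an SMS-DELIVER PDU and flag a UDH reply address that differs from TP-OA."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IEI_REPLY_ADDRESS = 0x22  # Reply Address Element IEI (3GPP TS 23.040; assumed here)


def _decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Swapped-nibble BCD digits; trailing 0xF padding falls outside ndigits."""
    digits = []
    for b in data:
        digits.append(f"{b & 0x0F:x}")
        digits.append(f"{b >> 4:x}")
    return "".join(digits[:ndigits])


def _parse_address(buf: bytes, pos: int) -> Tuple[str, int]:
    """Address field: length in digits, type-of-address octet, BCD digits.
    Returns (address, offset just past the field)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2 : pos + 2 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated address field")
    if (toa & 0x70) == 0x50:          # alphanumeric sender (7-bit packed); not decoded
        number = "<alphanumeric>"
    else:
        number = _decode_semi_octets(raw, ndigits)
        if (toa & 0x70) == 0x10:      # international numbering plan
            number = "+" + number
    return number, pos + 2 + nbytes


@dataclass
class DeliverPdu:
    originating_address: str             # TP-OA, asserted by the network
    udh_reply_address: Optional[str]     # Reply Address Element, chosen by the sender
    text: bytes
    ies: List[Tuple[int, bytes]] = field(default_factory=list)

    @property
    def reply_address_mismatch(self) -> bool:
        return (self.udh_reply_address is not None
                and self.udh_reply_address != self.originating_address)


def parse_sms_deliver(pdu_hex: str) -> DeliverPdu:
    buf = bytes.fromhex(pdu_hex)
    pos = 1 + buf[0]                      # skip SMSC address (length-prefixed)
    first = buf[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)             # TP-UDHI: user data starts with a header
    oa, pos = _parse_address(buf, pos)
    dcs = buf[pos + 1]; pos += 2          # TP-PID, TP-DCS
    pos += 7                              # TP-SCTS timestamp
    udl = buf[pos]; pos += 1
    ud = buf[pos:]
    if (dcs & 0x0C) != 0x04:
        raise ValueError("example handles only 8-bit data coding")
    if len(ud) != udl:
        raise ValueError("TP-UDL does not match user data length")
    reply, ies = None, []
    if not udhi:
        return DeliverPdu(oa, None, ud)
    udhl = ud[0]
    udh = ud[1 : 1 + udhl]
    if len(udh) != udhl:
        raise ValueError("truncated UDH")
    i = 0
    while i + 2 <= len(udh):              # walk the information elements
        iei, iedl = udh[i], udh[i + 1]
        ied = udh[i + 2 : i + 2 + iedl]
        if len(ied) != iedl:
            raise ValueError("truncated information element")
        ies.append((iei, ied))
        if iei == IEI_REPLY_ADDRESS:
            reply, _ = _parse_address(ied, 0)
        i += 2 + iedl
    return DeliverPdu(oa, reply, ud[1 + udhl :], ies)


def sender_display(p: DeliverPdu) -> str:
    """What a client should show: the asserted origin plus where replies really go."""
    if p.reply_address_mismatch:
        return f"From {p.originating_address} (replies go to {p.udh_reply_address})"
    return f"From {p.originating_address}"


def constructed_deliver_pdu(udh: Optional[bytes], text: bytes = b"Reply to confirm") -> str:
    """Constructed SMS-DELIVER test vector: no SMSC, TP-OA +447700900123, 8-bit DCS."""
    first = 0x04 | (0x40 if udh is not None else 0x00)
    oa = bytes.fromhex("0C91447700091032")          # +447700900123 (constructed)
    scts = bytes.fromhex("21803041030000")          # 2012-08-03 14:30:00 +00:00
    ud = (bytes([len(udh)]) + udh if udh is not None else b"") + text
    return (bytes([0x00, first]) + oa + bytes([0x00, 0x04]) + scts
            + bytes([len(ud)]) + ud).hex().upper()


# Constructed UDH: one Reply Address Element pointing at +447700900999
SPOOFED_REPLY_UDH = bytes.fromhex("2208" "0C91447700099099")

if __name__ == "__main__":
    for udh in (None, SPOOFED_REPLY_UDH):
        p = parse_sms_deliver(constructed_deliver_pdu(udh))
        print(sender_display(p), "|", p.text.decode())
```

The detection logic is the property `reply_address_mismatch`: the originating address comes from the network, while the Reply Address Element is sender-controlled, so a client that renders only the latter (or silently routes replies to it) is exactly what the article describes. Showing both values, as `sender_display` does, is the client-side mitigation.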
Here’s hoping that Apple gets wind of this rather persistent issue and makes the relevant changes to the final version of iOS 6 to make our SMS experience a lot more secure.