A French hacker is playing “tell and show” with a security flaw in iOS and how the iPhone handles SMS.
Last week, “Pod2g” released details of the vulnerability, which is still present in the latest beta ofiOS 6, that could make iPhones a bit more exposed to spoofed texts or phishing scams. The missive included a plea to Apple to fix the security hole before the final release of iOS 6.
Until that happens, however, the same hacker is apparently quite happy to help others exploit the fact that iOS shows the “reply-to” number of a text by default. Shortly after blogging about the vulnerability and appealing to Apple, Pod2g released a tool called “sendrawpdu” that it says provides access to an SMS header and can be used for spoofing the reply-to field — although it doesn’t explicitly encourage such a use.
At least Pod2g was kind enough to warn us before adding another tool for digital deception to the world. Seems sporting, like a 30-second headstart to evade a flood of spoofed texts appearing to be from Citibank, or maybe the White House, or almost certainly — Apple.
Fake sandwich orders could be just the beginning…
I’ve reached out to Apple multiple times for comment on the SMS security issue and not heard back. I will continue to do so and update this post when I hear anything. An Apple representative did tell Engadget that spoofed messages are one of the “limitations of SMS,” and encouraged users to exercise caution when an unknown Web address pops up in a text.