Update: Apple responds to iPhone SMS vulnerability

Jared Newman
20 August, 2012
View more articles fromthe author

UPDATE: Apple has responded to reports that the iPhone is vulnerable to a SMS spoofing attack and urges users to try the more secure iMessage service.

“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS,” Apple told Engadget.


A hacker known for jailbreaking Apple devices claims that the iPhone is vulnerable to text message spoofing, even in the latest beta of iOS 6.

According to pod2g, this issue could allow scammers to send people to phishing websites under the guise of a financial institution, or allow criminals to plant spoofed messages as false evidence on other peoples’ phones. It also opens up other types of manipulation where the recipient thinks a message is coming from a trusted source.

As pod2g explains, all text messages are converted to a format called Protocol Description Unit, which spells out the many types of information an SMS needs to reach its destination. One of these information types is the UDH (User Data Header) indicator, which allows the user to change the reply address of the message.

The problem with the iPhone is that when the sender specifies a reply-to number this way, the recipient doesn’t see the original phone number in the text message. That means there’s no way to know whether a text message has been spoofed or not.

“In a good implementation of this feature, the receiver would see the original phone number and the reply-to one,” pod2g wrote. “On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.”

In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of websites offer SMS spoofing as a service, one that isn’t limited to Apple’s handsets.

The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn’t show the original address. It’s not clear how many other phones on the market only show the reply-to number, and not the original.

Also worth noting: This flaw can only trick people into thinking a message comes from a trusted source. Any replies to that message would go to the contact who’s being spoofed, so there’s no danger of giving up sensitive information to a malicious source solely via text message.

In a blog post, pod2g says he will soon publicise a tool for the iPhone 4 that sends messages in raw PDU format, which will demonstrate the vulnerability. In the meantime – and as always – avoid following web links from text messages that ask for logins, banking details or other sensitive information.

One Comment

One person was compelled to have their say. We encourage you to do the same..

  1. Apple Brain Fart says:

    It’s just unbelievable how even on a negative news article the writer manages to turn it around and make it sound like there is no real threat or Apple’s fault. SMS has been the same way forever and iOS has had this flaw for the past 5 years and now thier solution is to tell users to simply use imessage? Seriously Apple? When are you going to take responsibility for your screw ups? Ohh, maybe the day users stop being so tolerant and blind. It’s becoming very obvious they are so arrogant to take responsibility that they always try to blame it on someone else. It sounds childish the way they respond to this flaws blaming others afraid of getting spanked.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us