You can no longer trust your SMS to tell you who it’s really from on an iPhone. But don’t worry, the flaw has been found, and it can be fixed.
Apparently, within the data sent via SMS there is a ‘User Data Header’ (UDH). This contains an option where you can set the number that the text originates from. Pod2G discovered that this can be abused: when the message arrives on your phone, the iPhone displays the number from this UDH data rather than the number the SMS actually came from.
This might seem harmless in the context of, perhaps, a prank from one of your friends. But there are more serious security risks here: one could fool your phone into thinking that the SMS comes from your bank, and fool you into clicking a link where you’d put in your passwords or credit card details. It could also be used to send false messages to be used in court cases.
It’s not like this is easy to access – you’d need to deploy an SMS gateway. And Apple should be able to nip it in the bud with an iOS update, so there isn’t any real reason to panic. Just, as always, be cautious about links you click (or touch) in SMS messages if you’ve got an iPhone.
Apple has actually responded, according to The Verge, to say that “Apple take security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.” It’s likely that Apple will fix this up in the coming iOS 6 release later this year.
So if you are on an iPhone and you haven’t got iMessage turned on – now would be a good time!
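The UDH behaviour described above can be checked on the receiving side. The following is an added example, not code from the original article: it parses a received SMS-DELIVER PDU and flags a message whose UDH carries a reply address that differs from the originating address field. It assumes the UDH option in question is the "Reply Address Element" (IEI 0x22 in 3GPP TS 23.040) and handles numeric addresses only; the function names and both sample PDUs are constructed for illustration.

```python
REPLY_ADDRESS_IEI = 0x22  # assumed: "Reply Address Element" in 3GPP TS 23.040

def _address(buf, pos):
    """Decode a numeric address field: digit count, type-of-address, swapped BCD."""
    ndigits, toa = buf[pos], buf[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address field")
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in buf[pos + 2:end])[:ndigits]
    return ("+" if (toa >> 4) & 0x07 == 1 else "") + digits, end

def check_sender(pdu):
    """Return (originating address, UDH reply address or None, mismatch flag)."""
    pos = 1 + pdu[0]                      # skip SMSC information
    first = pdu[pos]
    if first & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    sender, pos = _address(pdu, pos + 1)  # TP-OA: originating address field
    pos += 2 + 7 + 1                      # TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply = None
    if first & 0x40:                      # TP-UDHI: user data begins with a header
        end = pos + 1 + pdu[pos]
        if end > len(pdu):
            raise ValueError("UDH length exceeds PDU")
        pos += 1
        while pos + 2 <= end:             # walk the information elements
            iei, iedl = pdu[pos], pdu[pos + 1]
            if pos + 2 + iedl > end:
                raise ValueError("information element overruns UDH")
            if iei == REPLY_ADDRESS_IEI:
                reply, _ = _address(pdu, pos + 2)
            pos += 2 + iedl
    return sender, reply, reply is not None and reply != sender

# Constructed sample PDUs (hex, as a modem in PDU mode would report them).
COMMON = "0B915155550521F3" "00" "04" "21807121000000"  # TP-OA +15555550123, PID, DCS, SCTS
SPOOFED = bytes.fromhex("00" "44" + COMMON + "0D" "0A" "2208" "0B915155550591F9" "6869")
PLAIN = bytes.fromhex("00" "04" + COMMON + "02" "6869")

if __name__ == "__main__":
    for name, pdu in (("spoofed", SPOOFED), ("plain", PLAIN)):
        sender, reply, mismatch = check_sender(pdu)
        print(f"{name}: from={sender} reply-to={reply} flag={mismatch}")
```

A messaging client or gateway filter that shows both addresses, or warns when the flag is set, removes the ambiguity the article describes.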