By Alexandra Burlacu | Aug 19, 2012 12:47 PM EDT
A well-known French hacker has revealed a major security flaw that has existed in Apple's iPhone since the very first device launched in 2007. Known publicly only as "pod2g," the French iOS security researcher published details about the vulnerability on Friday, Aug. 17. According to him, the security flaw affects all versions of iOS, including the latest beta release of iOS 6.
The hacker has identified a text-based iOS vulnerability that allows hackers to spoof their identities. According to pod2g's report, the reply-to number displayed when an iPhone user receives an SMS can easily be manipulated to display a different number than the one actually sending the message. Through a relatively simple procedure, malicious attackers can exploit this glitch to send messages that appear to be from a legitimate source, such as a bank. Any replies to the SMS would be routed to a separate phone number, and the sender would have no clue. Moreover, pod2g said the iPhone is not the only handset with this security vulnerability.
"In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with," explained the hacker. "One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one."
In the blog post on Friday the researcher said this flaw is "severe," and urged users to be very careful with SMS messages asking for sensitive information. "Apple: please fix this before the final release," wrote pod2g, referring to the latest beta release of iOS 6. "On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin."
"Now you are alerted," said the researcher. "Never trust any SMS you received on your iPhone at first sight." The blog post did not mention whether pod2g had notified Apple of the flaw. In response to the issue, Apple said it "takes security very seriously."
"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks," Apple said in a statement to Engadget. "One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
Apple is expected to unveil the final version of iOS 6, along with its next-generation iPhone, at an event on Sept. 12. The company, however, has not made any official announcements.
© 2013 Mobile & Apps All rights reserved. Do not reproduce without permission.