While SMS phishing is not new to most of us, it is still annoying and it can still lure some innocent iPhone users. Pod2G, a well-known French iOS hacker who has contributed a lot to finding vulnerabilities in Apple's iOS products, found a severe flaw in iPhone SMS. According to Pod2G, the flaw has been sitting in iOS since SMS was first implemented for the iPhone, and, unbelievably, it is still there in the latest iOS 6 Beta 4 release. He was hoping Apple would rectify the issue before the final release. Engadget also took an interest in the issue and asked Apple to comment on Pod2G’s claims.
What exactly is the problem, really? Pod2G explained on his blog what happens when you compose a text message and send it, and how malicious users can use SMS on the iPhone to lure victims. The issue lies in a section of an SMS message called the “User Data Header” (UDH). This is where the sender can opt to change the reply address of the text, which is what makes it susceptible to phishing attacks. To put it simply, let’s say I wanted to get some vital information from a certain user, like his online bank account. With some know-how about this iPhone vulnerability, I could change the reply-to address of the SMS message that I send, pose as the user’s bank, and deliberately ask for the information. If the user is not careful enough, or trusts the message and its sender too much, he or she may give the information away immediately. Are you getting the picture now?
Apple responded to Engadget's request for comment after the site published Pod2G's report and claims, and from the looks of it, Apple does admit that this limitation exists. If you are looking forward to a solution, do not be dismayed: the only recommendation you’ll get from Apple is for iPhone users to be more vigilant before believing the messages they receive. Here’s the excerpt from Apple's response to Engadget’s post:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
So, there you have it. It looks like you just have to be wiser and more vigilant before believing, or acting on, everything that you see or receive in your iPhone SMS inbox.
As I mentioned in my opening sentence, these kinds of messages are not really new. I myself have been receiving them for a long time, and I am not even an iPhone user. You just have to learn how, and with whom, to verify the information you have received first, and not immediately believe it, or you might end up regretting it. All I am saying is that whether you are using Symbian, Google Android, or Apple iOS, there will always be these kinds of phishing attacks. You just need to learn how to filter which are true and which are not.
You can get the details of the SMS vulnerability that Pod2G found from his blog, and Apple's response from Engadget.
Do you think we should hold Apple liable for this so-called limitation, or is it us who should know what’s best before believing text messages?
Unbelievable, how can it be? Attacks are increasing in many ways; can't believe it yet.
But it's interesting news. Thanks for sharing this.