Apple Warns of SMS Spoofing Tool
If you’ve ever seen the humorous website “Texts from Last Night” then you are probably aware that once you hit the send button your messages are out there. And the only real way to make sure that your auto-correct foibles don’t end up as fodder for such sites is to check your texts before sending them (and leave your phone at home when you’re out at the club so that you don’t end up drunk-texting and regretting it the next day). But what if people start asking you about texts that you have no recollection of sending, not because they were wrong or you typed them up after taking an Ambien, but because someone has jacked your SMS info? Apparently, there is a fatal flaw in Apple’s iOS (present on all of their mobile devices) that makes it easy for hackers to spoof SMS addresses. This means that outsiders could be sending malicious texts to your friends and family that look as if they came from you.
Apple might never have admitted this error (or even known about it) if not for a missive released just last week by blogger pod2g, a noted iPhone jailbreaker. In a post on his blog (pod2g.org) he explained how SMS messages are coded so that even though a message says it came from one location (i.e. a trusted sender), when the recipient responds directly to the message in question the reply is routed to the third party who spoofed the address of the sender (although it looks like it’s going to the trusted sender). This is done simply enough by altering the destination (via the User Data Header, or UDH), which tends to be hidden in most messaging.
In response, Apple did not exactly admit that the spoofing issue has the potential to affect all of their users since it is allegedly present in all versions of iOS, but they did say that SMS in general suffers from this limitation. In addition, they urged users concerned about this possibility to use iMessage as an alternative, saying that this system will verify the sender so that any spoofing activity can be identified immediately (before the recipient replies or clicks on a link that could allow hackers to mine their data or install malicious software).
However, it may be something of a non-issue for U.S. residents since carriers have taken measures to combat spoofing. That is according to former spoofing service provider smsspoofing.com, which now offers only information on spoofing after being forced to shut down its services due to threats of legal action from mobile carriers across the globe. Still, the danger is there, especially for iPhone users, and it could spell trouble for both individuals and businesses that use these popular handsets for everything from texting with friends to sending out mass messages to clients. Luckily, there are solutions out there for both private parties (address verification via iMessage) and businesses (SMS marketing solutions that send your messages for you). So this need not be your cue to ditch the iPhone and consider alternatives; it could just mean you have to use a different form of messaging to protect yourself from spoofers.
Editor’s Note
Thanks to Evan Fischer for this guest post. He is a freelance writer and part-time student at California Lutheran University in Thousand Oaks, California.