There are two kinds of hackers; those who use their skills for good – or of course – those who use them for evil. The good kind of hackers are either security testers or security researchers. To be a good security tester you have to think like a villain, and go through an app like a hacker would looking for vulnerabilities.
And that was exactly what French iOS security researcher, Pod2G, did on Friday when he identified a SMS spoofing flaw in every version of Apple’s OS. As explained by Devindra Hardawar in VentureBeat:
“Using the flaw, hackers could spoof their identities via text and send messages asking for private information (by pretending to be from a users’ bank, for example), or direct users to phishing sites.
As Pod2g explains it, an SMS text message is converted to Protocol Description Unit (PDU) when sent from a phone, a dense protocol that also handles things like voice mail alerts and emergency medical systems. If a hacker was able to send a message in raw PDU format, they could take advantage of the User Data Header section to alter the reply number for a text.
If properly implemented, you should see both the original texting address and the altered reply number. But on the iPhone, you only see the altered reply number. For whatever reason, the original sender gets hidden. The flaw only relates to texts on the iPhone, and not messages sent through Apple’s iMessage network (those don’t hit the SMS protocol at all).”
Pretty scary stuff. These types of vulnerabilities can exist on any device or mobile application. The only way to discover them is to utilize a community of skilled security experts for testing.
To learn more about security testing click here.