Yesterday a nasty iPhone SMS spoofing hack was detailed by iOS hacker pod2g. Someone with malicious intent could theoretically change the reply-to number in a SMS message without your knowledge. For instance, you could receive a SMS from a number pretending to be your bank. If you replied with a password or other sensitive data, your security would be compromised. The hack also allows for someone to send a completely spoofed message from a random number.
This bug has been on the iPhone for years and is still present in the iOS 6 beta. Apple today released an official statement addressing the issue.
Engadget relays the official comment from Cupertino:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
So basically Apple is telling everyone to use iMessage, which makes sense. When using SMS, always be cautious of incoming messages. If you don’t know the sender, think twice before replying with any important information.
- Source Engadget