It appears Apple’s arrogance is getting in the way of protecting its users from a long standing SMS exploit that could allow potential hackers to spoof a reply-to number, causing the recipient to think he/she is replying to a legitimate contact, when in reality, their information is being sent to the hackers designated address. As you can imagine, this is quite troublesome, yet Apple has brushed it away despite numerous pleas made by a well known iOS hacker (pod2g):
The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4. Apple: please fix before the final release.
Apple finally responded to the bug, implying that it was something all manufacturers need to deal with, but according to security firm AdaptiveMobile, that’s not the case.
“A flaw discovered recently in Apple’s iPhone could allow nefarious people to hack SMS messages. according to AdaptiveMobile, the iPhone stands alone with this security hole. AdaptiveMobile tested the exploit in the iPhone and compared it to Android, BlackBerry, Symbian, and Windows Mobile. All the other platforms remained secure in their treatment of SMS messages.”
In a safe implementation of SMS, the recipient of a text would see the original phone number and the reply-to one, however, on the iPhone, only the reply-to number appears.
Apple has yet to issue any sort of fix or even indicate that it plans to do so, and has instead recommended that iPhone users send texts through iMessages rather than SMS. Apple’s lack of priority on the issue is disturbing, and leaves iOS users open and vulnerable to spoofing, phishing, and other nefarious attacks. Lucky for them they have a guy like pod2g.
Pod2g is currently working on a utility that will enable anyone to recreate the problem — without any need of hacking — and hopes to release it soon in order to light the fire under Apple’s you know what.
So as you can see, even the almighty Apple can be exploited. It’s just too bad for their users that they’re too arrogant to acknowledge it.