Apple: Beware Dangerous iPhone Messages

Apple has warned iPhone users to take care when replying to SMS (Short Message Service) text messages, after a hacker released details about a fundamental security flaw in the iPhone operating system.

The flaw could allow pranksters to send bogus messages that appear to come from someone else. It could also trick users into following dangerous links or handing personal information to criminals.

The revelations come from a "white hat" hacker -- someone who looks for security flaws to pressure companies to improve, rather than to exploit them for personal gain -- who goes by the name "Pod2g".

Pod2g says the problem is in the way the iPhone turns message data into computer files in the Protocol Description Unit (PDU) format.

It's possible to manipulate an iPhone so the sender creates a PDU file. The phone then assumes there's no need to make any changes to the file, and transmits it.

This allows a hacker to create a PDU file that displays a false phone number in the "reply to" field. iPhone software uses this information to identify the sender to the person receiving the message. (Source: tgdaily.com)

SMS Sender Identity Could Be Bogus

If hackers send messages that, for example, appear to be from a financial institution asking the recipient to follow a link, the message could lead to a fake website designed to capture the unsuspecting phone user's online banking details.

Or a message purporting to come from a major website could ask the user to provide personal information. Despite the iPhone's on-screen appearance of legitimacy, the reply could go straight to a fraudster.

Pod2g says Apple must force its iPhone software to compare the phone number in the "reply to" field with the actual phone number of the sender, and to flag any disparity.

Apple Concedes Text Message Security Flaw

Apple isn't commenting on whether it will make these changes. Instead, it has warned iPhone users to take greater care when responding to an SMS text message, and to be wary about providing personal information or following unsolicited links, even when the message appears to be from a known sender.

Apple suggests that iPhone users can use the iMessage instead of the SMS text service, because iMessage verifies addresses, making such scams impossible.

However, iMessage works only between iPhone users. (Source: pcworld.com)