iPhone SMS spoofing tool released

Share this article:
A French hacker has released a tool capable of sending SMS messages with spoofed sender details on the iPhone 4.

The "sendrawpdu" command-line interface tool allows users to customize the reply number on text messages and could be ideal for phishing attacks.

The hacker, known as pod2g, released the free tool after detailing a flaw in the way the iPhone handled SMS messages, which made it possible to spoof sender details.

“Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated [phishing] website,” pod2g said in a blog post. 

The vulnerability exists on other mobile devices and all versions of Apple's iOS platform, including the upcoming iOS 6, according to pod2g.

"If the destination mobile is compatible with (User Data Header features), and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one,” pod2g wrote. “Most carriers don't check this part of the message, which means one can write whatever he wants in this section. In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.”

Apple urged customers to use its iMessage service because it verifies the address from which messages were sent, unlike its SMS app which displays the vulnerable reply-to address.

iMessages are only available between iOS and OS X devices.

“When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attack," Apple said in a statement. “One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.”

Website SMSspoofing.com pointed out that dozens of paid SMS spoofing services exist online.

Senddrawpdu was based on sendmodem and could be downloaded for jailbroken iPhone 4 devices from GitHub.

This article originally appeared at scmagazine.au.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.

Report: 75 million records compromised so far in 2014

Report: 75 million records compromised so far in ...

An updated report indicates that since this time last year, breaches have increased by 29.4 percent, with 568 breaches occurring this year.