Information Security News mailing list archives

Don't Trust That Text Message: Tool Simplifies iOS SMS-Spoofing


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 21 Aug 2012 04:04:16 -0500 (CDT)

http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240005872/don-t-trust-that-text-message-tool-simplifies-ios-sms-spoofing.html

By Kelly Jackson Higgins
Dark Reading
Aug 20, 2012

A French researcher has unleashed a free tool that exploits a weakness he recently highlighted in the SMS feature of Apple's iOS that could allow an attacker to spoof the sender of a text message.

The new tool, created by researcher pod2g, basically lets an attacker send a text message that appears to be from someone you know or trust -- such as your bank.

But the vulnerability isn't in the smartphone itself, says Errata Security CTO David Maynor; rather, it's in the network transporting the SMS messages. And there are already services available, such as SMSGang's Spoof SMS Service, that provide spoofing, Maynor says. The new tool just automates SMS-spoofing, he says.

"It's a network problem," Maynor says of the issue. Even so, phone manufacturers could add some protections for this attack that help prevent malicious activity at the User Data Header (UDH) used in SMS, he says.

[...]


