If you're using an iPhone, you may be aware of the SMS spoof security problem. The news surfaced over the weekend and indicated that the SMS security issue has existed with all iPhone firmware versions. Now, it seems that the beta 4 version of iOS6, due for release shortly, also has security concerns.
The news implies that using iMessage is a safer option than SMS and even though there hasn't been any widespread exploitation of this flaw, it is something that iOS users should be aware of.
On Aug. 17, Pod2g released details of the vulnerability, which is still present in the latest beta of iOS 6. This vulnerability could make your iPhone slightly exposed to spoofed texts or phishing scams. The note also included a plea to Apple to fix the security hole before the final release of iOS 6.
"The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4. Apple: please fix before the final release," stated the Pod2g blog post.
The post goes on to emphasize that "A SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery."
However, until Apple takes any serious action, Pod2g seems quite happy to help others exploit the fact that iOS shows the "reply-to" number of a text by default. Just after blogging about the vulnerability and appealing to Apple, Pod2g also released a tool called "sendrawpdu" which provides access to an SMS header and can be used for spoofing the reply-to field (although it doesn't openly support such a use).
