Security researcher and iOS hacker pod2g has detailed a "serious" security flaw affecting all iPhones that he says could help hackers or thieves gain access to your personal information. The flaw involves a malicious party spoofing the reply-to number of a text message, so that the message appears to come from a number of the sender's choosing and any reply you send goes to that number rather than to the party that actually sent the message,
essentially forcing you to send an SMS to a different number than the one you initially intended. According to pod2g, this flaw is present in all versions of iOS up to and including the latest iOS 6 beta 4.
The SMS flaw takes advantage of a feature of the PDU (Protocol Data Unit), the encoded form in which mobile devices send and receive short messages. Like an email header, the message header carries various pieces of information about the message, including the sender details, and an optional extension of that header lets the sender specify a separate reply address. The feature is commonly used for automated messages from companies and carriers, and it can be exploited because carriers don't check the validity of this information when it is set by third parties. Any handset can receive such a message, but what it does with the reply address is up to its SMS implementation.
The iOS Messages app shows the reply-to number as the sender and sends replies to it, and does not show the number the message actually came from. This lets a malicious sender fake his identity, making you think that a trusted number is sending the SMS, while the real origin of the message stays hidden and your reply goes to whatever number the sender chose.
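To make the mechanism concrete, here is a small Python decoder for the SMS-DELIVER PDU layout described above. It is an added example written for this article, not pod2g's code or anything from Apple. It builds a constructed sample PDU whose originating address (TP-OA) and User Data Header "Reply Address" element differ, parses it back, and reports which number a handset that honours the reply address would display and reply to versus the number the message really came from. Assumptions: the element identifier 0x22 and the address encoding follow 3GPP TS 23.040; the body uses the 8-bit data coding scheme (TP-DCS 0x04) or UCS-2, so 7-bit packing is not handled; the phone numbers and timestamp are made up.

```python
"""Decode an SMS-DELIVER TPDU (3GPP TS 23.040) and compare the originating
address with the optional Reply Address element in the User Data Header.
Added example for this article; not pod2g's or Apple's code."""
from typing import Optional

REPLY_ADDRESS_IEI = 0x22  # UDH Information Element Identifier, TS 23.040 table 9.2.3.24


def _encode_address(number: str) -> bytes:
    """Address field as used for TP-OA/TP-DA: digit count, type-of-address, swapped BCD."""
    intl = number.startswith("+")
    digits = number.lstrip("+")
    ndigits = len(digits)
    if ndigits % 2:
        digits += "F"  # odd digit count is padded with a filler nibble
    swapped = bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
    return bytes([ndigits, 0x91 if intl else 0x81]) + swapped


def _decode_address(buf: bytes, pos: int):
    """Return (number, position after the field) for an address field at buf[pos]."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # type-of-number 001 = international
    return prefix + digits, pos + 2 + nbytes


def build_sms_deliver(sender: str, text: str, reply_to: Optional[str] = None) -> bytes:
    """Construct an SMS-DELIVER TPDU with 8-bit data coding and, optionally,
    a Reply Address element in the UDH (this is what a spoofing sender sets)."""
    udh = b""
    if reply_to is not None:
        ied = _encode_address(reply_to)
        udh = bytes([REPLY_ADDRESS_IEI, len(ied)]) + ied
        udh = bytes([len(udh)]) + udh  # UDHL prefix
    first = 0x04 | (0x40 if udh else 0)  # MTI=00 (DELIVER), MMS=1, UDHI if a UDH is present
    scts = bytes.fromhex("21807121000000")  # constructed timestamp 12/08/17 12:00:00, swapped BCD
    ud = udh + text.encode("latin-1")
    return bytes([first]) + _encode_address(sender) + b"\x00\x04" + scts + bytes([len(ud)]) + ud


def parse_sms_deliver(pdu: bytes) -> dict:
    """Parse a TPDU into originator, reply-to (if any) and text."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)
    originator, pos = _decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    pos += 2 + 7  # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    udl = pdu[pos]
    ud = pdu[pos + 1:pos + 1 + udl]
    reply_to, body = None, ud
    if udhi:
        udhl = ud[0]
        header, body = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i < len(header):  # walk the information elements
            iei, iedl = header[i], header[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = _decode_address(header[i + 2:i + 2 + iedl], 0)
            i += 2 + iedl
    if dcs == 0x04:
        text = body.decode("latin-1")
    elif dcs == 0x08:
        text = body.decode("utf-16-be")
    else:
        raise ValueError(f"unsupported TP-DCS 0x{dcs:02x} (7-bit packing not handled here)")
    return {"originator": originator, "reply_to": reply_to, "text": text}


def describe_reply_target(msg: dict) -> dict:
    """What a handset that honours the Reply Address element (as the iOS Messages
    app does, per the article's update) displays and replies to, next to the
    address the message actually came from."""
    displayed = msg["reply_to"] or msg["originator"]
    return {"displayed": displayed, "actual_sender": msg["originator"],
            "spoofed": msg["reply_to"] is not None and msg["reply_to"] != msg["originator"]}


# Constructed sample: the message really comes from +15551234567, but its UDH asks
# the handset to show and reply to +18005551234.  Both numbers are made up.
SAMPLE_PDU = build_sms_deliver("+15551234567", "Reply with your PIN to unlock your card.",
                               reply_to="+18005551234")

if __name__ == "__main__":
    parsed = parse_sms_deliver(SAMPLE_PDU)
    print(SAMPLE_PDU.hex())
    print(parsed)
    print(describe_reply_target(parsed))
```

A defensive SMS client would run the equivalent of `describe_reply_target` and surface `actual_sender` whenever `spoofed` is true, instead of presenting only the reply-to number as the sender.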
While this is an issue Apple should address, there isn't any immediate danger, as companies and financial institutions do not ask customers to share sensitive data over SMS. The researcher states that this could be used to impersonate your bank or incriminate you, but it's difficult to imagine a situation where a user would start divulging sensitive information through a text message. Because the reply address is a feature of the SMS format itself rather than an iOS bug, the most Apple can do on its side is change how Messages presents such messages, for example by showing the originating number alongside the reply-to number. The fact that this flaw has been around since the dawn of iOS but wasn't exploited on a large enough scale to raise eyebrows speaks volumes.
Update: An earlier version of this story inaccurately described the reply behavior on the iPhone. The Messages app shows users — and sends any replies to — the number that is specified in the SMS reply-to field. This field can be spoofed when sending a message to any phone. However, it's up to the SMS implementation on a given device to determine whether the actual sender or the reply-to information is shown.