WP_iOSalertThe Text Messaging community had in effect, an earthquake last week, due to a discovery by pod2g. It was discovered that iOS shows the SMS UDH Reply Address within the user interface, instead of the original source number. In a nutshell you can send message from a normal on-net handset that appear to be coming from elsewhere to iPhone devices.

Different carriers will have different ways of dealing with the UDH content and you may find that your carrier strips it out, but on Vodafone New Zealand, the UDH data is transmitted fully to the recipient handset. It is not possible to set the actual source number through an SMSC from a handset or modem. This source number is set by the carrier on receipt to the SMSC.

Setting the Reply Address to a shortcode presents the message on the iOS as coming from the shortcode. What this does allow you to do is specifically use Virtual Modem Gateways to send bulk messages from shortcodes to iOS handsets bypassing operator charges. It goes without saying this breaches carrier and shortcode regulations.

An example PDU:

0691461206600041000A81515555555500002F06220404819999C472FBED9ED3E5617AFAED06BDCD203ABA0C82BFC9B23328FD9C82A6CD2908FD669701

This PDU sends the message “Demonstration of the pod2g iOS SMS hole” to the number +1555555555 (fake) with the Reply Address 9999

Utilising PDUSpy with a simple USB GSM Modem such as the Teltonika series provides the ability for you to craft the RAW PDU’s on a Windows device and send them onto the network.

This particular message format is not processed on the Android Platform. The message will arrive but the UDH data is stripped and has no impact – we’ve tested it. We’ve also tested on a Nokia N9 using the Meego platform and shown that it is not affected either.

You can find out all about the SMS Specification in the latest published version – specifically section 9.2.3.24.10.1.17. This specification makes specific note that this may be open to abuse and advises users get shown the destination number.

You’ve always been able to set the source of messages sent to and from carrier networks via third party providers such as ourselves, so it pays to always check the authenticity of the sender and you should never send confidential information to a number from whom you have received a text unless you are certain of its source. We don’t think this is any more of a security concern than currently exists, all it opens the door to is the ability to use consumer handsets or modems to send messages to iOS devices with custom source addresses.

Bulletin.net carefully control the setting of source numbers and you cannot make unapproved changes. We protect our customers.