Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

MacRumors · Aug 20, 2012

Late last week, jailbreak hacker pod2g disclosed an issue with the way Apple's iOS handles optional headers in SMS messages, a vulnerability that could allow users to be targeted by SMS spoofing that makes messages appear to originate from people other than the actual senders. While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.

Engadget reported over the weekend that it had obtained a statement from Apple on the issue, with Apple simply touting its iMessage service as a more secure alternative to SMS.

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

iMessage is of course an Apple-specific messaging service, and is thus only compatible with iOS devices running iOS 5 or later and Macs running OS X Mountain Lion. Consequently, it is generally not possible for users to entirely replace their SMS usage with iMessage. Apple has also not committed to making any changes in how it handles reply-to addresses for SMS, so it is unknown whether they will be directly addressing the issue.

Article Link: Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

joedemax · Aug 20, 2012

So they want to pitch there own service rather than fix the problem? ugh.

KdParker · Aug 20, 2012

so then iMessage is more secure that SMS. OK, now what?

iBreatheApple · Aug 20, 2012

joedemax said:
So they want to pitch there own service rather than fix the problem? ugh.

No, it says it is unknown whether Apple is working to address the issue. That isn't a yes or a no at this point.

Roessnakhan · Aug 20, 2012

What a BS response.

Agent OrangeZ · Aug 20, 2012

Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!

Small White Car · Aug 20, 2012

MacRumors said:
While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.

Ok, well someone needs to explain this better to me.

From what I've read, this can be done with any phone number and you don't need to have the phone in question to do it...just like how someone can compromise my e-mail without stealing my actual computer. Do I have that right or not?

If I do have it right, I don't understand how Apple can "address it" easily.

If I don't have it right, ok, so how does it work, then?

somethingelsefl · Aug 20, 2012

Of course iMessage is secure. Now let's just get it show up on all my devices at the same time.

zorinlynx · Aug 20, 2012

Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

Gemütlichkeit · Aug 20, 2012

1080p said:
Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!

No. Translation: This is a flaw in SMS, don't go to sites linked from SMS or stick with iMessage.

This is the same limitation as current email setups. You can spoof the sender of an email to make it look like it's coming from anyone.

emvath · Aug 20, 2012

I wish Apple would make iMessage compatible with other texting apps (Android, Windows, etc.). Of course I wish for a lot of things that will never happen.

Consultant · Aug 20, 2012

zorinlynx said:
Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

It's a SMS problem that is a problem on other phones as well, including Android, etc.

bacaramac · Aug 20, 2012

Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.

drummerdude1390 · Aug 20, 2012

Apple actually handles these kinds of problems pretty well. (Though it is unusual that they would make a statement)

If it's any kind of fixable problem, Apple would have it fixed when iOS 6 comes out. They wouldn't mention it, but it would be fixed. And no one would ever mention it again.

I'm not sure if it's fixable on Apple's end because I don't know the specifics, but if it was, that's how it would be done.

foodog · Aug 20, 2012

joedemax said:
So they want to pitch there own service rather than fix the problem? ugh.

The carriers need to fix the problem.

joelisfar · Aug 20, 2012

Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.

WhySoSerious · Aug 20, 2012

i love, love, love iMessage and FaceTime. I'm with the poster above wishing it was opensource so we could interface with other devices/OS.

foodog · Aug 20, 2012

zorinlynx said:
Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

So Apple should fix the SMS flaw for the carriers?

The Phazer · Aug 20, 2012

Yes Apple, thats right. The SMS flaw (which can be fixed on Apples end) is a fairly difficult proof of concept that requires carefully modified message headers.

Meanwhile iMessages security relies on someones iCloud password not being compromised, which happens ohh, all the time. Or indeed, Apple not giving it out to randoms on the phone. At which point a spammer could send out messages with real headers to all and sundry.

So your answer to a security problem is not to fix it, but to suggest a solution that is, at least potentially, even less secure. Bravo. Which idiot signed off on this press statement?

jak1502 · Aug 20, 2012

joelisfar said:
Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.

You will be getting that in iOS 6, working pretty well at the moment.

Small White Car · Aug 20, 2012

The Phazer said:
Yes Apple, thats right. The SMS flaw (which can be fixed on Apples end) is a fairly difficult proof of concept that requires carefully modified message headers.

This is the part of the article that's still confusing to me:

MacRumors said:
While SMS spoofing is certainly not new and can be performed through various services

What does that mean? And are all these services different? Would a fix on Apple's end block them all in one blow, or are they all different things that Apple would have to go out and shut down one by one?

kdarling · Aug 20, 2012

foodog said:
So Apple should fix the SMS flaw for the carriers?

It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.

jglonek · Aug 20, 2012

If only iMessage was actually reliable! I absolutely love sending messages out and having them hang for five minutes before they decide to send as SMS. Or receive duplicate messages because I receive both an iMessage and SMS version at the same time!

I also enjoy when I'm chatting with people overseas via iMessage and one decides to come in as SMS. Thanks for that charge!

This happens over WiFi and 3G, for me and the other people. Multiple people.

I love the iMessage concept but it needs work.

powaking · Aug 20, 2012

Messages app for OSX supports other accounts (gmail/aim/yahoo) so I see no reason why the iOS version can't do the same. And once it does its game over for the other multi-protocol apps out there.

They also need to make iMessage protocol opened for other platforms to use, then you can pretty much say bye bye to SMS.

Rodimus Prime · Aug 20, 2012

funny part is iMessage security and set up is pretty piss poor as well so that not like they are saying much.

Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

macrumors bot

macrumors newbie

macrumors 601

macrumors 68030

macrumors 68040

macrumors 68040

macrumors G4

macrumors 6502

macrumors G3

macrumors 65816

macrumors regular

macrumors G5

macrumors 65816

macrumors member

macrumors 6502a

macrumors regular

macrumors 65816

macrumors 6502a

macrumors 68030

macrumors newbie

macrumors G4

macrumors P6

macrumors member

macrumors 6502

macrumors G4

Our Staff