Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

[MacRumors]

Late last week, jailbreak hacker pod2g disclosed an issue with the way Apple's iOS handles optional headers in SMS messages, a vulnerability that could allow users to be targeted by SMS spoofing that makes messages appear to originate from people other than the actual senders. While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.

Engadget reported over the weekend that it had obtained a statement from Apple on the issue, with Apple simply touting its iMessage service as a more secure alternative to SMS.

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

iMessage is of course an Apple-specific messaging service, and is thus only compatible with iOS devices running iOS 5 or later and Macs running OS X Mountain Lion. Consequently, it is generally not possible for users to entirely replace their SMS usage with iMessage. Apple has also not committed to making any changes in how it handles reply-to addresses for SMS, so it is unknown whether they will be directly addressing the issue.

Article Link: Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

 

[joedemax]

So they want to pitch there own service rather than fix the problem? ugh.

 

[KdParker]

so then iMessage is more secure that SMS. OK, now what?

 

[iBreatheApple]

So they want to pitch there own service rather than fix the problem? ugh.

No, it says it is unknown whether Apple is working to address the issue. That isn't a yes or a no at this point.

 

[Roessnakhan]

What a BS response.

 

[Agent OrangeZ]

Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!

 

[Small White Car]

While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.

Ok, well someone needs to explain this better to me.

From what I've read, this can be done with any phone number and you don't need to have the phone in question to do it...just like how someone can compromise my e-mail without stealing my actual computer. Do I have that right or not?

If I do have it right, I don't understand how Apple can "address it" easily.

If I don't have it right, ok, so how does it work, then?

 

[somethingelsefl]

Of course iMessage is secure. Now let's just get it show up on all my devices at the same time.

 

[zorinlynx]

Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

 

[Gemütlichkeit]

Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!

No. Translation: This is a flaw in SMS, don't go to sites linked from SMS or stick with iMessage.

This is the same limitation as current email setups. You can spoof the sender of an email to make it look like it's coming from anyone.

 

[emvath]

I wish Apple would make iMessage compatible with other texting apps (Android, Windows, etc.). Of course I wish for a lot of things that will never happen.

 

[Consultant]

Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

It's a SMS problem that is a problem on other phones as well, including Android, etc.

 

[bacaramac]

Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.

 

[drummerdude1390]

Apple actually handles these kinds of problems pretty well. (Though it is unusual that they would make a statement)

If it's any kind of fixable problem, Apple would have it fixed when iOS 6 comes out. They wouldn't mention it, but it would be fixed. And no one would ever mention it again.


I'm not sure if it's fixable on Apple's end because I don't know the specifics, but if it was, that's how it would be done.

 

[foodog]

So they want to pitch there own service rather than fix the problem? ugh.

The carriers need to fix the problem.

 

[joelisfar]

Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.

 

[WhySoSerious]

i love, love, love iMessage and FaceTime. I'm with the poster above wishing it was opensource so we could interface with other devices/OS.

 

[foodog]

Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

So Apple should fix the SMS flaw for the carriers?

 

[The Phazer]

Yes Apple, that’s right. The SMS flaw (which can be fixed on Apple’s end) is a fairly difficult proof of concept that requires carefully modified message headers.

Meanwhile iMessage’s security relies on someone’s iCloud password not being compromised, which happens… ohh, all the time. Or indeed, Apple not giving it out to randoms on the phone. At which point a spammer could send out messages with “real” headers to all and sundry.

So your answer to a security problem is not to fix it, but to suggest a solution that is, at least potentially, even less secure. Bravo. Which idiot signed off on this press statement?

 

[jak1502]

Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.

You will be getting that in iOS 6, working pretty well at the moment.

 

[Small White Car]

Yes Apple, that’s right. The SMS flaw (which can be fixed on Apple’s end) is a fairly difficult proof of concept that requires carefully modified message headers.

This is the part of the article that's still confusing to me:

While SMS spoofing is certainly not new and can be performed through various services

What does that mean? And are all these services different? Would a fix on Apple's end block them all in one blow, or are they all different things that Apple would have to go out and shut down one by one?

 

[kdarling]

So Apple should fix the SMS flaw for the carriers?

It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.

 

[jglonek]

If only iMessage was actually reliable! I absolutely love sending messages out and having them hang for five minutes before they decide to send as SMS. Or receive duplicate messages because I receive both an iMessage and SMS version at the same time!

I also enjoy when I'm chatting with people overseas via iMessage and one decides to come in as SMS. Thanks for that charge!

This happens over WiFi and 3G, for me and the other people. Multiple people.

I love the iMessage concept but it needs work.

 

[powaking]

Messages app for OSX supports other accounts (gmail/aim/yahoo) so I see no reason why the iOS version can't do the same. And once it does its game over for the other multi-protocol apps out there.

They also need to make iMessage protocol opened for other platforms to use, then you can pretty much say bye bye to SMS.

 

[Rodimus Prime]

funny part is iMessage security and set up is pretty piss poor as well so that not like they are saying much.