Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,728
8,946



Late last week, jailbreak hacker pod2g disclosed an issue with the way Apple's iOS handles optional headers in SMS messages, a vulnerability that could allow users to be targeted by SMS spoofing that makes messages appear to originate from people other than the actual senders. While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.

Engadget reported over the weekend that it had obtained a statement from Apple on the issue, with Apple simply touting its iMessage service as a more secure alternative to SMS.
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

iMessage is of course an Apple-specific messaging service, and is thus only compatible with iOS devices running iOS 5 or later and Macs running OS X Mountain Lion. Consequently, it is generally not possible for users to entirely replace their SMS usage with iMessage. Apple has also not committed to making any changes in how it handles reply-to addresses for SMS, so it is unknown whether they will be directly addressing the issue.

Article Link: Apple Pitches Security of iMessage in Response to SMS Spoofing Issue
 

1080p

macrumors 68030
Mar 17, 2010
2,720
1,922
Planet Earth
Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!
 

Small White Car

macrumors G4
Aug 29, 2006
10,899
1,125
Washington DC
While SMS spoofing is certainly not new and can be performed through various services, this specific issue in the handling of reply-to addresses could be addressed fairly easily by Apple.
Ok, well someone needs to explain this better to me.

From what I've read, this can be done with any phone number and you don't need to have the phone in question to do it...just like how someone can compromise my e-mail without stealing my actual computer. Do I have that right or not?

If I do have it right, I don't understand how Apple can "address it" easily.

If I don't have it right, ok, so how does it work, then?
 

zorinlynx

macrumors 603
May 31, 2007
5,712
7,046
Florida, USA
Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.
 

Gemütlichkeit

macrumors 65816
Nov 17, 2010
1,276
0
Translation:

Don't use SMS! Use iMessage and you can be sure it's secure! If you're friends don't have iPhones, tell them to get one!
No. Translation: This is a flaw in SMS, don't go to sites linked from SMS or stick with iMessage.

This is the same limitation as current email setups. You can spoof the sender of an email to make it look like it's coming from anyone.
 

emvath

macrumors regular
Jan 5, 2009
211
172
I wish Apple would make iMessage compatible with other texting apps (Android, Windows, etc.). Of course I wish for a lot of things that will never happen.
 

Consultant

macrumors G5
Jun 27, 2007
13,291
14
Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.
It's a SMS problem that is a problem on other phones as well, including Android, etc.
 

bacaramac

macrumors 65816
Dec 29, 2007
1,411
76
Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.
 

drummerdude1390

macrumors member
Apr 22, 2011
67
0
USA
Apple actually handles these kinds of problems pretty well. (Though it is unusual that they would make a statement)

If it's any kind of fixable problem, Apple would have it fixed when iOS 6 comes out. They wouldn't mention it, but it would be fixed. And no one would ever mention it again.


I'm not sure if it's fixable on Apple's end because I don't know the specifics, but if it was, that's how it would be done.
 

joelisfar

macrumors member
Jun 29, 2012
91
41
Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.
 

WhySoSerious

macrumors 65816
Jun 30, 2007
1,450
68
Dallas, TX
i love, love, love iMessage and FaceTime. I'm with the poster above wishing it was opensource so we could interface with other devices/OS.
 

foodog

macrumors 6502a
Sep 6, 2006
906
38
Atlanta, GA
Most of my friends use Android phones (and we do playfully bicker about what's better sometimes, it's what friends do) so I can't iMessage with them.

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.
So Apple should fix the SMS flaw for the carriers?
 

The Phazer

macrumors 68030
Oct 31, 2007
2,764
322
London, UK
Yes Apple, that’s right. The SMS flaw (which can be fixed on Apple’s end) is a fairly difficult proof of concept that requires carefully modified message headers.

Meanwhile iMessage’s security relies on someone’s iCloud password not being compromised, which happens… ohh, all the time. Or indeed, Apple not giving it out to randoms on the phone. At which point a spammer could send out messages with “real” headers to all and sundry.

So your answer to a security problem is not to fix it, but to suggest a solution that is, at least potentially, even less secure. Bravo. Which idiot signed off on this press statement?
 

jak1502

macrumors newbie
Jan 15, 2009
6
0
Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.
You will be getting that in iOS 6, working pretty well at the moment.
 

Small White Car

macrumors G4
Aug 29, 2006
10,899
1,125
Washington DC
Yes Apple, that’s right. The SMS flaw (which can be fixed on Apple’s end) is a fairly difficult proof of concept that requires carefully modified message headers.
This is the part of the article that's still confusing to me:

MacRumors said:
While SMS spoofing is certainly not new and can be performed through various services
What does that mean? And are all these services different? Would a fix on Apple's end block them all in one blow, or are they all different things that Apple would have to go out and shut down one by one?
 

kdarling

macrumors P6
So Apple should fix the SMS flaw for the carriers?
It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.
 

jglonek

macrumors member
Aug 20, 2012
32
10
If only iMessage was actually reliable! I absolutely love sending messages out and having them hang for five minutes before they decide to send as SMS. Or receive duplicate messages because I receive both an iMessage and SMS version at the same time!

I also enjoy when I'm chatting with people overseas via iMessage and one decides to come in as SMS. Thanks for that charge!

This happens over WiFi and 3G, for me and the other people. Multiple people.

I love the iMessage concept but it needs work.
 

powaking

macrumors 6502
Jul 3, 2008
430
126
Messages app for OSX supports other accounts (gmail/aim/yahoo) so I see no reason why the iOS version can't do the same. And once it does its game over for the other multi-protocol apps out there.

They also need to make iMessage protocol opened for other platforms to use, then you can pretty much say bye bye to SMS.
 

Rodimus Prime

macrumors G4
Oct 9, 2006
10,136
4
funny part is iMessage security and set up is pretty piss poor as well so that not like they are saying much.