Apple Pitches Security of iMessage in Response to SMS Spoofing Issue

[viewfly]

So do I understand the problem?

1. Apple displays the 'reply to name/number' only, which can be spoofed on any phone.

2. So the problem is that iOS does not give the option to display the header that would include the real sender (which can also be spoofed?).

3. So the solution would be to give that option...?

I guess to keep SMS conversations clean, you wouldn't want to display all that header junk all the time...and you would only do so for a suspect SMS? But the iOS displaying of the 'reply to' would also be someone you know...otherwise you would already be suspicious of a SMS from -82-923- or something like this?

Isn't this the same security message that Blackberry gave for using BM? And BM only worked for BB users?

Anyhow, the same warning goes to emails, and in my Outlook it is not obvious where to find that header info too.

I think Apple should give that option, but my guess is most people will be can scammed anyways, just as they do with emails.

And in my use of iPhones since 2008, it has not ever really been a problem...

 

[Small White Car]

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

Any background info as to why those 2 numbers even can be different in the system? Is there some long-forgotten benefit to that?

 

[usarioclave]

Old issue, no fix

There is no fix. The issue has been known since at least 2008 and is baked into the sms infrastructure.

This is exactly like spoofing smtp mail. This is not Apple's problem, and there isn't anything they can or should do.

 

[ed724]

There sure are a lot of idiotic comments showing up here. So it's Apple fix it fix it. What about all the other devices and OS's out there using SMS. It's ok that their systems can be spoofed but not Apples. Get a life people.

 

[subsonix]

It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

And that would be useful to the typical user in about 0% of all cases. A better approach would be to ignore the optional SMS header.

 

[mattraehl]

This is the part of the article that's still confusing to me:



What does that mean? And are all these services different? Would a fix on Apple's end block them all in one blow, or are they all different things that Apple would have to go out and shut down one by one?

It means quite simply that by design SMS carriers do not enforce the actual number being used, and the "Sent From" number in the text, to be the same. There is no fix.

In the case of iOS, Apple decided that the use case of separate "Sent From" and "Reply To" fields was sufficiently obscure enough, to not be worth considering - the decision was that it was sufficient for users to know where their messages are going, since any SMS client will share the common flaw of not being able to know with certainty where their messages came from.

I do think Apple could make iMessage the defacto Internet messaging service if they wanted to, simply by opening it up to other platforms.

 

[ArtOfWarfare]

Simple solution: display the reply-to as the title like normal and have a prompt of "Sent From: (name)" above that if the sender doesn't match the reply-to. Maybe highlight it in red if the person isn't in your address book.

 

[viewfly]

It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.

Well I disagree and agree.

It is a flaw with the worn out SMS legacy, and also some carriers that let SMS to be sent with different 'sender' and 'reply to' headers.

And yes, Apple should give the option to display that full header, just as they give the option to display the subject field.

But to keep the SMS conversation bubble clean, most would turn all those options off. IMHO

There is no danger in replying to a known sender, which is the case here. The only danger is if there is a link to click on in the SMS that is misleading...But that is the same as emails...I suggest you have just one more sms exchange volley with the known person, then you can be assured that the link is legit.

But if a friend wants to go to a site and send you a spoof sms from your wife saying she is leaving you (with no link)...can't prevent that...just reply to your wife with a 'WTF'? and see if she repeats the comment...and get better friends!

 

[mattraehl]

It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.

Quite simply, the evil site can also spoof the originator number. Changing the iOS Messages app behavior will not enhance security in any meaningful way - neither the reply-to nor the originator numbers in SMS messages can be trusted.

The most important thing is that the user can see exactly where thier messages are going TO. That is the only thing an SMS client can control.

 

[kdarling]

Any background info as to why those 2 numbers even can be different in the system? Is there some long-forgotten benefit to that?

Have you ever gotten one of those automated mails from a store that gives a delivery status, but says "do not reply to this address"? It might, however, have a link directly to your order number. That's one example.

Or an automated system could text you a reminder to text your spouse. You obviously don't want to reply to the automated sender... you want your reply to go to your spouse.

Stuff like that.

 

[mattraehl]

Simple solution: display the reply-to as the title like normal and have a prompt of "Sent From: (name)" above that if the sender doesn't match the reply-to. Maybe highlight it in red if the person isn't in your address book.

The point is that the "Sent From" data can be just as easily faked. There is no simple solution - SMS messages cannot be trusted, it's always been this way.

 

[Major.Robto]

Guys Skype does the same god dam thing as Imessage\facetime.

Theres no need for it.

Yeah it takes 3g but eh, it works. and will work over cell and wifi

 

[Small White Car]

Have you ever gotten one of those automated mails from a store that gives a delivery status, but says "do not reply to this address"? It might, however, have a link directly to your order number. That's one example.

Or an automated system could text you a reminder to text your spouse. You obviously don't want to reply to the automated sender... you want your reply to go to your spouse.

Stuff like that.

Interesting. I never think of SMS as being particularly versatile, but I guess the phone companies always had lofty goals for it.

 

[tbrinkma]

So they want to pitch there own service rather than fix the problem? ugh.

It's not a flaw with iOS, or the iPhone. It's a flaw with the SMS standard, which was developed before people started seriously thinking about the security of cell phones. It's virtually identical to the scenario with *e-mail*, where anyone can send an email with any 'from', and 'reply to' values.

 

[NT1440]

Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

It's a problem with the SMS standard that doesn't require checking before sending a message. It's not just Apple's problem, and I forsee a switch to a system that does check would be a change to a standard and probably causing issues receiving or sending on networks that aren't expecting that kind of data from an SMS message.

 

[sfoster33]

How is this a new vulnerability? Services like Fogmo have allowed you to do this for years.

 

[mactmaster]

Quite simply, the evil site can also spoof the originator number. Changing the iOS Messages app behavior will not enhance security in any meaningful way - neither the reply-to nor the originator numbers in SMS messages can be trusted.

The most important thing is that the user can see exactly where thier messages are going TO. That is the only thing an SMS client can control.

The point is that the "Sent From" data can be just as easily faked. There is no simple solution - SMS messages cannot be trusted, it's always been this way.

Hit the nail on the head.

 

[Anki]

If only iMessage was actually reliable! I absolutely love sending messages out and having them hang for five minutes before they decide to send as SMS. Or receive duplicate messages because I receive both an iMessage and SMS version at the same time!

I also enjoy when I'm chatting with people overseas via iMessage and one decides to come in as SMS. Thanks for that charge!

This happens over WiFi and 3G, for me and the other people. Multiple people.

I love the iMessage concept but it needs work.

I enjoy those glorious "group imessages" and how you just can't opt out even if you're going over seas. That is one of the biggest flaws in iMessage and a damn annoying one too.

 

[Navdakilla]

Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.

Agreed.
Not a fan of only being able to do it with apple phones

 

[mdelvecchio]

Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

wasnt that very feature already announced for iOS 6?

 

[theBB]

Any background info as to why those 2 numbers even can be different in the system? Is there some long-forgotten benefit to that?

Just a speculation on my part, but the answer is probably telemarketing. Most companies want to be able to call (or text) you from many different phones, servers, call centers etc, but they still want the customer to reach a single location, where your call gets rerouted to the relevant department or to the idle call center employee. They cannot do that if the phone number of the person who is initiating the call is visible to the customer, so they want to mask the caller ID with the phone number of their main customer service center.

 

[pandamonia]

so then iMessage is more secure that SMS. OK, now what?

So secure that only iphones can read them! So there goes 65% of the rest of the market.

 

[kdarling]

Origin spoofing is a different topic.

Using the reply-to option is not a spoof by itself.

It's an approved method and has some obviously valid uses.

The only anomaly being brought up is that the iPhone SMS app makes it appear as if the reply-to number is also the origin number, by showing only the former.

The fact that this could also be done by actual origin spoofing, is not a good reason to not show both. That's all.

 

[joelisfar]

You will be getting that in iOS 6, working pretty well at the moment.

I have iOS 6 but I don't need it on my iPhone –*I need it in Mountain Lion.

(I would want it on an iPad or iPod Touch if I had one but I don't.)

 

[3460169]

Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.

I really doubt it'll happen for iMessage; somehow I think this is pure Apple proprietary work. But back when Jobs introduced FaceTime he touted its "openness" as a feature. From Wikipedia:

Upon the launch of the iPhone 4, Jobs promised that Apple would immediately start working with standards bodies to make the FaceTime protocol an "open standard." As of June 2011, it is not yet known to have been ratified by any standards body, and the extent of work by Apple with regard to this promise is unclear as Apple has not released technical specifications for the service. FaceTime is not currently supported on any non-Apple devices.
While FaceTime is based on open standards, Apple's FaceTime service requires a client-side certificate.[10] In other words, while the protocol might become an "open standard", access to Apple's FaceTime service is controlled by Apple.