The only anomaly being brought up is that the iPhone SMS app makes it appear as if the reply-to number is also the origin number, by showing only the former.

However, bringing obscure protocol details to the attention of the general public may not be the best option. As was mentioned in the original blog post, it's a feature many mobile phones do not use, and most carriers do not check.

So just ignoring the UDH header may be a better choice from a usability perspective. Why should a typical user who only wishes to communicate have to deal with, and know about, obscure protocol details? It's pretty much guaranteed to be misunderstood and/or ignored anyway.
 
So, instead of talking about the issue, you're trying to deflect to iMessages? Okay, I'll play this game...

If your iMessages are so secure, why are so many of iMessages re-sent as SMS messages because iCloud's iMessage servers are down, unreachable, or otherwise unavailable?

The only way to win this game is to quickly patch the issue, Apple, not try to play a smoke and mirrors game.
 
Well, if origin and reply-to spoofing are both possible, then a smart hacker would spoof both and set them to the same thing, and Apple's response is an acceptable answer in the short term.

But minimally the SMS app should at least look at both the origin and reply-to and employ some paranoia if the reply-to is different from origin. There still needs to be some validation of origin but that's outside of Apple's hands.
 
BS! They need to surface the reply-to and be more realistic if their service is Apple only. Not everyone has an iOS or Mac OS X.
 
Hey kids, this has nothing to do with iOS. Anyone can easily spoof an SMS and send it to any phone if they know what they're doing. I won't tell anyone how to do it, but believe me, it's easy. As others have stated previously, this is analogous to how e-mail headers can be spoofed.

This isn't Apple's responsibility to fix. In fact, they probably CAN'T fix it.

Shock. Awe.
 
Spouting a proprietary service as a solution instead of fixing the problem is just plain stupid and embarrassing, Apple. Fix your ****.

Apple can't ensure the security of non-proprietary service and wants to make sure you can't get hacked. That doesn't need to be fixed in my book.
 
However, bringing obscure protocol details to the attention of the general public may not be the best option. As was mentioned in the original blog post, it's a feature many mobile phones do not use, and most carriers do not check.

So just ignoring the UDH header may be a better choice from a usability perspective. Why should a typical user who only wishes to communicate have to deal with, and know about, obscure protocol details? It's pretty much guaranteed to be misunderstood and/or ignored anyway.

Multipart messages are implemented using UDH. I'm sure you have thought out the implications of ignoring the UDH but some other users might miss the features you are trashing.
 
...

<no comment>

Well... actually, the hole is deep..... Apple keeps digging.

This should have been secure from the very beginning ... It's like email...

We won't allow/force encryption in the Windows or Mac email clients bundled with the OS. We'll give just an "option" to download gnuPGP if people really want.

Trouble is, this "option" holds the key point.... some people will do it, most people won't because their friends can't read encrypted email if it's not used at both ends.

My solution: Stick it in the OS ... then people will have to do it as there won't be any fallback.

Same with SMS, and Apple (in all i.devices, and all new mobiles)... I believe if this was encrypted (same goes for mobile carrier SMS/MMS too) we wouldn't have this problem.
 
Hmm, takes my messages a matter of seconds to reach, to almost any apple device when sent through an iPhone or MBP. I wonder how prevalent that is. :confused:

My time varies day to day and device to device. My iOS devices generally take seconds but could take minutes. My Macs take anywhere from seconds to hours... Most common delivery time seems to be around 10 minutes.

Edit: this is regarding sending a message to an address after you haven't sent one to it in a few days. I've noticed sending 2nd, 3rd, and so on messages go much quicker than the first.
 
Of course iMessage is secure. Now let's just get it to show up on all my devices at the same time.
Or at all and not weeks later. iMessage is such bs. Now that more people I know have iPhones I'm going to have to turn iMessage off just to be able to keep texting folks.
 
So then iMessage is more secure than SMS. OK, now what?

Kill SMS. The cell companies should be sued for collusion because of the prices they charge for SMS. People are paying ridiculous amounts of money per megabit of data because the cell companies are making sure SMS stays as the standard.

I don't like iMessage that much, especially because it doesn't work with iChat, but I'm glad it's replacing SMS for many iOS users. And, as a bonus, it is more secure.

----------

Hmm, takes my messages a matter of seconds to reach, to almost any apple device when sent through an iPhone or MBP. I wonder how prevalent that is. :confused:

It used to be very unreliable for me, but it's good now. More importantly, it's the right idea.

----------

Guys, Skype does the same god damn thing as iMessage/FaceTime.

There's no need for it.

Yeah, it takes 3G but eh, it works, and will work over cell and wifi.

Skype is total garbage. It routes other persons' data through your machine. AIM is, at this point, the best mainstream messaging system there is. It works on everything. Why can't Apple just get iMessage onto every device? I mean, it's not even for Lion!

----------

So secure that only iphones can read them! So there goes 65% of the rest of the market.

I know, seriously!! It doesn't even work with Snow Leopard or Lion, Apple's own operating systems! Sorry Apple, I like your service, but I'm not going to use it unless it works for my Apple computer.
 
and not a single frack was given that day ....

anyone remember sms bombs? now those were annoying indeed
 
It's not a flaw in SMS. Apple needs to enhance their app.

The problem is not that there is an optional SMS header that gives a different reply-to number, it's that Apple reportedly displays only that number and doesn't display the originator number as well.

In other words, an evil site could send you an SMS with a reply-to number that matches someone or place known to you. Since the iPhone only displays that instead of the evil originator, you might be inclined to trust any link or other info... because you (falsely) believe the origin was friendly.

Isn't it possible for someone to spoof both the reply-to and the sent-from just like they do with spam e-mail? If so, how could an OS control that the sent-from is actually coming from where it says it is? Which phone manufacturers (or OSes) are doing these security checks now?
 
Love my iMessage and Facetime, but wish it was open source so I could use it with family and friends on Android.

They may not be open source but when Apple announced FaceTime they said they were happy to license it to anyone that wanted to use it because they wanted it to become a standard on video communication.

So the issue might be that no one has taken them up on the offer

----------

Now if only our phone numbers could be receiving iMessages across all our devices. It's confusing for me and I work in IT!

I know millions of people won't get it working correctly because it's a bit too confusing.

iOS 6 includes linking your Apple id and phone number so iMessages will fully sync to all devices

----------

. Or indeed, Apple not giving it out to randoms on the phone. At which point a spammer could send out messages with “real” headers to all and sundry.

Hyperbolic much. The 'hack' involved Google, Amazon and user stupidity before Apple ever played a role.
 
Funny part is iMessage security and setup is pretty piss poor as well, so it's not like they are saying much.

Exactly. Heck, using iMessage on my mac with mountain lion I have seen messages from one person end up in the conversation with another. This is usually cleared up with restarting the app but it is a little unnerving to see a message you sent to one person intermingled with another person's conversation.

Then there is the issue of still sending iMessage messages to a phone you have sold, with no easy way of fixing it. This could happen if you didn't know to disable iMessage for that iPhone before selling it and left the SIM inside--and you wouldn't have that chance if it was stolen.



Michael
 
The carriers need to fix the problem.

How can they fix the problem if the From address is not sent from iOS properly? iOS sends that data in fields. I can easily spoof in email and I'm guessing the process is similar.
 
Ok, well someone needs to explain this better to me.

From what I've read, this can be done with any phone number and you don't need to have the phone in question to do it...just like how someone can compromise my e-mail without stealing my actual computer. Do I have that right or not?

If I do have it right, I don't understand how Apple can "address it" easily.

If I don't have it right, ok, so how does it work, then?

That's how I understand it. SMS can be spoofed, period. With iMessage, Apple is adding another layer of security, that being your iCloud/iMessage ID. The SMS would have to match in their system with two identifiers instead of just your phone number.
 
ah

Come on Apple, just write a simple routine that alerts the user when the sender and the 'reply-to' don't match. Then the user is informed and can choose for themselves what they want to do. Problem solved.
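
The check several posts in this thread ask for (compare the originator with the UDH reply-to and flag a difference, without throwing away the rest of the UDH), as an added example that is not part of the thread or of any poster's words. The function names are hypothetical; it assumes a raw SMS-DELIVER TPDU with no SMSC prefix, numeric addresses only, and the reply-address information element identifier 0x22 from 3GPP TS 23.040. The sample messages are constructed with fictional numbers.

```python
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" IEI in 3GPP TS 23.040

def decode_address(buf, pos):
    """Decode one address field: digit count, type-of-address, swapped BCD."""
    ndigits, toa = buf[pos], buf[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address field")
    # Each octet holds two digits, low nibble first; an odd count is padded with F.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in buf[pos + 2:end])[:ndigits]
    prefix = "+" if (toa >> 4) & 0x07 == 1 else ""  # type-of-number 1 = international
    return prefix + digits, end

def inspect_sms_deliver(tpdu_hex):
    """Return origin (TP-OA), UDH reply-to (if any) and whether they differ."""
    buf = bytes.fromhex(tpdu_hex)
    if buf[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    has_udh = bool(buf[0] & 0x40)          # TP-UDHI flag
    origin, pos = decode_address(buf, 1)   # TP-OA follows the first octet
    pos += 1 + 1 + 7 + 1                   # skip TP-PID, TP-DCS, TP-SCTS, TP-UDL
    if pos > len(buf) or (has_udh and pos == len(buf)):
        raise ValueError("truncated TPDU")
    reply_to = None
    if has_udh:
        ie, end = pos + 1, pos + 1 + buf[pos]   # buf[pos] is UDHL
        if end > len(buf):
            raise ValueError("truncated user data header")
        while ie + 2 <= end:               # walk IEI / length / data triples
            iei, iedl = buf[ie], buf[ie + 1]
            if ie + 2 + iedl > end:
                raise ValueError("information element overruns header")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf, ie + 2)
            ie += 2 + iedl                 # other elements (e.g. concatenation) are skipped
    return {"origin": origin, "reply_to": reply_to,
            "mismatch": reply_to is not None and reply_to != origin}

# Constructed samples (fictional 555-01xx numbers, 8-bit body "hi").
OA = "0B915155550521F3"                    # +15555550123
TAIL = "0004" + "21807121000000"           # TP-PID, TP-DCS, TP-SCTS
PLAIN = "04" + OA + TAIL + "02" + "6869"
WITH_REPLY_TO = "44" + OA + TAIL + "0D" + "0A" + "22080B915155550591F9" + "6869"
MULTIPART = "44" + OA + TAIL + "08" + "05" + "00032A0201" + "6869"

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN), ("reply-to", WITH_REPLY_TO), ("multipart", MULTIPART)):
        print(name, inspect_sms_deliver(pdu))
```

A client using this result can show both numbers when `mismatch` is true. It says nothing about whether the originator itself is genuine, which, as other posts note, the handset cannot verify.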
 