  • Apple Responds to SMS Spoofing Vulnerability, Suggests Using iMessage


    Apple has officially responded to reports that its latest mobile operating system is vulnerable to text message spoofing, recommending that customers use the more secure iMessage service instead. The response comes just after popular iOS hacker and security researcher pod2g discovered and drew headlines to an SMS spoofing vulnerability on the iOS platform. pod2g urged Apple to take action; for now, Apple has given a rather generic response.

    The problem lies with SMS itself. The iOS platform, like many other mobile operating systems, supports optional, advanced features carried in the header section of text messages, including a “reply to” address. Since most wireless carriers don’t perform verification checks on these header fields, an incoming message on the iPhone can be manipulated to appear as if it came from the “reply to” address and not the actual sender.

    Apple released a statement reminding customers that the iMessage service, which was released with iOS 5, was designed to protect against such vulnerabilities. It stated the following:

    “Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.”

    As it turns out, the problem isn’t specific to the iPhone; it is an SMS problem that affects every phone. iPhone users can easily use iMessage to help avoid the issue, but the real problem arises if you aren’t an iPhone user and SMS is your only option.
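
The “reply to” header described above, as an added example (not code from the article, Apple or pod2g): a small Python parser for an incoming SMS-DELIVER PDU that reads the originating address and any Reply Address element in the user data header, and flags a mismatch between the two. The field layout follows 3GPP TS 23.040; the function names and the sample PDUs (555 numbers) are constructed for illustration, and alphanumeric sender names are not decoded.

```python
# Added example: compare an SMS-DELIVER PDU's sender with its reply-to header.
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" identifier, 3GPP TS 23.040

# Constructed sample PDUs (555 numbers, 8-bit payload "hello"), not real traffic.
_HEAD = "0B91" "5155550521F3" "00" "04" "21807121000000"  # TP-OA, PID, DCS, SCTS
SPOOFED = "00" "44" + _HEAD + "10" "0A" "2208" "0B915155550591F9" "68656C6C6F"
PLAIN = "00" "04" + _HEAD + "05" "68656C6C6F"

def decode_address(buf, pos=0):
    """Decode a length / type-of-address / swapped-BCD address; return (number, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated address")
    ndigits, toa = buf[pos], buf[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address")
    # Each octet holds two digits, low nibble first; an odd count is padded with 0xF.
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in buf[pos + 2:end])[:ndigits]
    # Alphanumeric senders (TON 101) come back as raw hex nibbles, undecoded.
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # TON 001 = international number
    return prefix + digits, end

def inspect_sms_deliver(pdu_hex):
    """Return the sender (TP-OA), the reply-to header address if any, and a mismatch flag."""
    buf = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + buf[0]                      # skip the SMSC information field
        first = buf[pos]
        if first & 0x03:                      # TP-MTI must be 00 for SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        sender, pos = decode_address(buf, pos + 1)
        pos += 2 + 7 + 1                      # skip TP-PID, TP-DCS, TP-SCTS, TP-UDL
        reply_to = None
        if first & 0x40:                      # TP-UDHI: user data begins with a header
            ie, end = pos + 1, pos + 1 + buf[pos]
            if end > len(buf):
                raise ValueError("truncated user data header")
            while ie + 2 <= end:              # walk the (id, length, data) elements
                iei, iedl = buf[ie], buf[ie + 1]
                if ie + 2 + iedl > end:
                    raise ValueError("truncated header element")
                if iei == REPLY_ADDRESS_IEI:
                    reply_to, _ = decode_address(buf[ie + 2:ie + 2 + iedl])
                ie += 2 + iedl
    except IndexError:
        raise ValueError("truncated PDU") from None
    return {"sender": sender, "reply_to": reply_to,
            "mismatch": reply_to is not None and reply_to != sender}
```

A messaging client or gateway can use the `mismatch` flag to keep showing `sender` as the origin and surface `reply_to` separately, instead of presenting the reply-to address as the sender.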

    Source: The Loop
    This article was originally published in forum thread: Apple Responds to SMS Spoofing Vulnerability, Suggests Using iMessage, started by Akshay Masand.
    12 Comments
      fungusfeet -
      How does me using iMessage stop someone sending me a spoofed SMS?!
      HeliPilot -
      Ran into this issue about six months ago on my GF's Android-based phone; she received a seemingly legitimate text only to be sent to a malicious site, resulting in a complete restore of her phone and password resets for all sites. Glad Pod2G has pointed this out because it's an industry-wide problem, not just iOS.
      H4CK3R -
      Quote Originally Posted by fungusfeet View Post
      How does me using iMessage stop someone sending me a spoofed SMS?!
      Because it's verified, unlike SMS.
      Silvio6 -
      What Pod2g warned about is the payment systems (banks, etc.) that use SMS for authentication. These cannot use iMessage, and there is a real danger here.
      fungusfeet -
      Quote Originally Posted by H4CK3R View Post
      Because it's verified, unlike SMS.
      Wow! I don't think I can put it any simpler so just try reading it again.
      H4CK3R -
      Quote Originally Posted by fungusfeet View Post
      How does me using iMessage stop someone sending me a spoofed SMS?!
      Quote Originally Posted by fungusfeet View Post
      Wow! I don't think I can put it any simpler so just try reading it again.
      That is as simple as it gets. It is verified unlike SMS.

      The problem remains with SMS messages in itself, where the iOS platform, like many other mobile operating systems, supports transmission of optional, advanced features in the header section of text messages, including a “reply to” address. Since most wireless carriers don’t perform verification checks on the header specifications, incoming messages to the iPhone can be manipulated to appear as if they’re coming from the “reply to” address and not the actual sender.
      Apple released a statement where it reminded customers that the iMessage service which was released with iOS 5, was designed to protect against such vulnerabilities.
      ^Read this maybe?

      There is no reason to get all pissed off and be rude about it. Your question has a very simple answer.

      iMessage does not work like that of SMS. Like I said, iMessage = verified, SMS = Unverified.
      scroogelives -
      What everyone is missing is this was on the BBC a while back and affects nearly all phones, not just iOS! So it's an industry problem that needs fixing.
      NakedFaerie -
      Quote Originally Posted by fungusfeet View Post
      How does me using iMessage stop someone sending me a spoofed SMS?!
      It doesn't really. All iMessage does is confirm YOUR message is sent to be true and not a fake. And when you receive a message via iMessage you know it's not a fake.
      But as not many people actually use iMessage and still use SMSs, you will still have to make the choice to open a weblink or not.
      99.9% of SMSs I receive don't have weblinks in them anyway, as if someone wants to send me a weblink they email it to me, not SMS it, so if I receive any SMSs with a weblink I know it's probably a fake and delete it anyway.

      Apple can still fix this. All they need to do is make sure when the iPhone receives an SMS to show you the actual number and not the reply-to number. There, bug fixed. BUT do you really think Apple will do that? I doubt it. They will just keep telling people to use iMessage, even though more people have an Android phone and they don't have iMessage, so you have no choice but to keep receiving SMSs.
      fungusfeet -
      Quote Originally Posted by H4CK3R View Post
      That is as simple as it gets. It is verified unlike SMS.


      ^Read this maybe?

      There is no reason to get all pissed off and be rude about it. Your question has a very simple answer.

      iMessage does not work like that of SMS. Like I said, iMessage = verified, SMS = Unverified.

      See below

      Quote Originally Posted by NakedFaerie View Post
      It doesn't really. All iMessage does is confirm YOUR message is sent to be true and not a fake. And when you receive a message via iMessage you know it's not a fake.

      So like I said originally, it doesn't stop me from RECEIVING a spoofed SMS, which was the entire premise of this article. Apple's "solution" is not applicable to the question. But then it's not really Apple's problem.
      Breezer23 -
      You're holding it wrong! You're texting wrong!
      Micturition -
      Quote Originally Posted by fungusfeet View Post
      How does me using iMessage stop someone sending me a spoofed SMS?!
      Did you read the article? Apple verifies the reply-to address along with the others to prevent this from happening. How about a text messaging 2.0 from the guys at our cell phone carriers to fix this?
      killakill -
      So does everyone really believe that a hacker could not fake a verification of an iMessage? We all know that nothing is impossible. Nothing is unhackable.

      Quote Originally Posted by Breezer23 View Post
      You're holding it wrong! You're texting wrong!
      Apple's ultimate fix. Just do it a different way.

      Quote Originally Posted by NakedFaerie View Post
      It doesn't really. All iMessage does is confirm YOUR message is sent to be true and not a fake. And when you receive a message via iMessage you know it's not a fake.
      But as not many people actually use iMessage and still use SMSs, you will still have to make the choice to open a weblink or not.
      99.9% of SMSs I receive don't have weblinks in them anyway, as if someone wants to send me a weblink they email it to me, not SMS it, so if I receive any SMSs with a weblink I know it's probably a fake and delete it anyway.

      Apple can still fix this. All they need to do is make sure when the iPhone receives an SMS to show you the actual number and not the reply-to number. There, bug fixed. BUT do you really think Apple will do that? I doubt it. They will just keep telling people to use iMessage, even though more people have an Android phone and they don't have iMessage, so you have no choice but to keep receiving SMSs.
      You are so right. How many people actually get sent legitimate web links via SMS without being told about it by the person sending it?