+ Reply
Results 1 to 13 of 13

Your favorite Apple, iPhone, iPad, iOS, Jailbreak, and Cydia site.


Thread: Apple Responds to SMS Spoofing Vulnerability, Suggests Using iMessage

is a discussion within the

iPhone News

forums, a part of the

General iPhone

section;
...
  1. #1
    MMi Staff Writer Akshay Masand's Avatar
    Join Date
    Sep 2011
    Location
    New York City
    Posts
    3,631
    Thanks
    3
    Thanked 116 Times in 102 Posts

    Default Apple Responds to SMS Spoofing Vulnerability, Suggests Using iMessage


    Apple officially responded to reports regarding its latest mobile operating system being vulnerable to text message spoofing, recommending that customers use the more secure iMessage service instead. The news comes in just after popular iOS hacker and security researcher, pod2g, discovered and drew headlines to a SMS spoofing vulnerability on the iOS platform. Here, pod2g urged Apple to take action with Apple giving a rather generic response for now.

    The problem remains with SMS messages in itself, where the iOS platform, like many other mobile operating systems, supports transmission of optional, advanced features in the header section of text messages, including a “reply to” address. Since most wireless carriers don’t perform verification checks on the header specifications, incoming messages to the iPhone can be manipulated to appear as if they’re coming from the “reply to” address and not the actual sender.
    Apple released a statement where it reminded customers that the iMessage service which was released with iOS 5, was designed to protect against such vulnerabilities. They stated the following:

    Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.
    As it turns out, the problem isn’t just with the iPhone but rather a SMS problem with every phone. For iPhone users, you can easily use iMessage to help prevent the issue but the real problem occurs if you aren’t an iPhone user, where SMS is your only option.

    Source: The Loop

    Twitter: @AkshayMasand

  2. #2
    Green Apple
    Join Date
    Nov 2008
    Posts
    44
    Thanks
    1
    Thanked 1 Time in 1 Post
    How does me using imessage stop someone sending me a spoofed sms?!

  3. #3
    Green Apple
    Join Date
    Jul 2012
    Location
    Olympia, WA. USA
    Posts
    84
    Thanks
    2
    Thanked 6 Times in 5 Posts

    Ran into this issue about six months ago on my GFs android based phone, she received a seeming legitimate text only to be sent to a malicious site resulting in a complete restore of her phone and password resets for all sites. Glad Pod2G has pointed this out because it's an industry wide problem, not just iOS.

  4. #4
    H4CK3R's Avatar
    Join Date
    Jan 2012
    Location
    java.lang.IllegalStateException: Location unknown.
    Posts
    5,826
    Thanks
    63
    Thanked 264 Times in 253 Posts

    Quote Originally Posted by fungusfeet View Post
    How does me using imessage stop someone sending me a spoofed sms?!
    Because its verified unlike SMS.
    Last edited by H4CK3R; 08-19-2012 at 05:47 AM.
    Great minds discuss ideas.
    Average minds discuss events.
    Small minds discuss people.

  5. #5
    Green Apple
    Join Date
    Sep 2010
    Posts
    37
    Thanks
    0
    Thanked 0 Times in 0 Posts

    What Pod2g warned about, is the payment systems (banks etc..) who use sms for authentication. These can not use iMessage, and there is a real danger here.

  6. #6
    Green Apple
    Join Date
    Nov 2008
    Posts
    44
    Thanks
    1
    Thanked 1 Time in 1 Post
    Quote Originally Posted by H4CK3R View Post
    Because its verified unlike SMS.
    Wow! I don't think I can put it any simpler so just try reading it again.

  7. #7
    H4CK3R's Avatar
    Join Date
    Jan 2012
    Location
    java.lang.IllegalStateException: Location unknown.
    Posts
    5,826
    Thanks
    63
    Thanked 264 Times in 253 Posts

    Quote Originally Posted by fungusfeet View Post
    How does me using imessage stop someone sending me a spoofed sms?!
    Quote Originally Posted by fungusfeet View Post
    Wow! I don't think I can put it any simpler so just try reading it again.
    That is as simple as it gets. It is verified unlike SMS.

    The problem remains with SMS messages in itself, where the iOS platform, like many other mobile operating systems, supports transmission of optional, advanced features in the header section of text messages, including a “reply to” address. Since most wireless carriers don’t perform verification checks on the header specifications, incoming messages to the iPhone can be manipulated to appear as if they’re coming from the “reply to” address and not the actual sender.
    Apple released a statement where it reminded customers that the iMessage service which was released with iOS 5, was designed to protect against such vulnerabilities.
    ^Read this maybe?

    There is no reason to get all pissed off and be rude about it. Your question is a very simple answer.

    iMessage does not work like that of SMS. Like I said, iMessage = verified, SMS = Unverified.
    Great minds discuss ideas.
    Average minds discuss events.
    Small minds discuss people.

  8. #8
    iPhoneaholic scroogelives's Avatar
    Join Date
    Aug 2008
    Posts
    386
    Thanks
    26
    Thanked 13 Times in 12 Posts

    What everyone is missing is this was on the bbc a while back and effects nearly all phones not just ios! So it's industry problem that needs fixed

  9. #9
    Banned
    Join Date
    May 2008
    Location
    In the shadows
    Posts
    798
    Thanks
    120
    Thanked 74 Times in 47 Posts

    Quote Originally Posted by fungusfeet View Post
    How does me using imessage stop someone sending me a spoofed sms?!
    It doesn't really. All imessage does is confirms YOUR message is sent to be true and not a fake. And when you receive a message via imessage you know its not a fake.
    But as not many people actually use iMessage and still use SMS's then you will still have to make the choice to open a weblink or not.
    99.9% of SMS's I receive don't have weblinks in them anyway as if someone wants to send me a weblink they email it to me not SMS it so if I receive any SMSs with a weblink I know its probably a fake and delete it anyway.

    Apple can still fix this. All they need to do is make sure when the iPhone receives an SMS to show you the actual number and not the reply to number. There, bug fixed. BUT do you really think Apple will do that? I doubt it. They will just keep telling people to use iMessage, even that more people have an Andorid phone and they don't have iMessage so you have no choice but to keep receiving SMSs.

  10. #10
    Green Apple
    Join Date
    Nov 2008
    Posts
    44
    Thanks
    1
    Thanked 1 Time in 1 Post
    Quote Originally Posted by H4CK3R View Post
    That is as simple as it gets. It is verified unlike SMS.


    ^Read this maybe?

    There is no reason to get all pissed off and be rude about it. Your question is a very simple answer.

    iMessage does not work like that of SMS. Like I said, iMessage = verified, SMS = Unverified.

    See below

    Quote Originally Posted by NakedFaerie View Post
    It doesn't really. All imessage does is confirms YOUR message is sent to be true and not a fake. And when you receive a message via imessage you know its not a fake.

    So I like I said originally, it doesn't stop me from RECEIVING a spoofed SMS which was the entire premise of this article, Apple's "solution" is not applicable to the question. But then it's not really Apple's problem.
    Last edited by fungusfeet; 08-19-2012 at 11:15 AM.

  11. #11
    iPhone? More like MyPhone
    Join Date
    Nov 2010
    Posts
    129
    Thanks
    12
    Thanked 1 Time in 1 Post
    Your holding it wrong! You're texting wrong!

  12. #12
    Green Apple
    Join Date
    Aug 2012
    Posts
    45
    Thanks
    0
    Thanked 1 Time in 1 Post
    Quote Originally Posted by fungusfeet View Post
    How does me using imessage stop someone sending me a spoofed sms?!
    Did you read the article? Apple verifies then reply-to address along with the others to prevent this from happening. How about a text messaging 2.0 from the guys at our cell phone carriers to fix this?

  13. #13
    Green Apple killakill's Avatar
    Join Date
    Dec 2007
    Posts
    32
    Thanks
    0
    Thanked 5 Times in 3 Posts

    So does everyone really believe that a hacker could not fake a verification of an iMessage? We all know that nothing is impossible. Nothing is unhackable.

    Quote Originally Posted by Breezer23 View Post
    Your holding it wrong! You're texting wrong!
    Apple's ultimate fix. Just do it a different way.

    Quote Originally Posted by NakedFaerie View Post
    It doesn't really. All imessage does is confirms YOUR message is sent to be true and not a fake. And when you receive a message via imessage you know its not a fake.
    But as not many people actually use iMessage and still use SMS's then you will still have to make the choice to open a weblink or not.
    99.9% of SMS's I receive don't have weblinks in them anyway as if someone wants to send me a weblink they email it to me not SMS it so if I receive any SMSs with a weblink I know its probably a fake and delete it anyway.

    Apple can still fix this. All they need to do is make sure when the iPhone receives an SMS to show you the actual number and not the reply to number. There, bug fixed. BUT do you really think Apple will do that? I doubt it. They will just keep telling people to use iMessage, even that more people have an Andorid phone and they don't have iMessage so you have no choice but to keep receiving SMSs.
    You are so right. How many people actually get sent legitimate web links via SMS without being told about by the person sending it?
    Last edited by killakill; 08-19-2012 at 01:29 PM.

Posting Permissions
  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts