TechSpot

Apple responds to SMS vulnerability in iOS, suggests using iMessage

By Shawn Knight
Aug 20, 2012
Post New Reply
  1. Apple has replied to a story that surfaced last week highlighting a SMS vulnerability in iOS that has existed since the original iPhone shipped in 2007 and is still present in iOS 6 beta 4. Instead of offering to fix…

    Read more
     
  2. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,654   +323

    You linked the Engadget article and that Apple suggests iMessage over SMS, but you left out a potentially big part of the quote:
    That implies, to me at least, that this isn't an issue limited to an iPhone. That perhaps any phone could have this happen to them. So then that brings up the question - If it can happen to any phone, do other phones have spoofing protection on them that the iPhone does not? I do not know the answer to this, but I saw the engadget article this weekend and it wasn't really addressed there either.
     
  3. Win7Dev

    Win7Dev TS Booster Posts: 375   +43

    I honestly hope their stock value drops because of this. Running a business like this has disaster written all over it if this continues. I will laugh if someone spoofs some messages to apple staff.
     
  4. It's a feature not a flaw.
     
  5. Vrmithrax

    Vrmithrax TechSpot Paladin Posts: 1,286   +232

    While I understand the limitations of SMS, this is yet another example of Apple's demonstrated arrogance with regards to issues in recent years.

    Signal is dropping off? It's not hardware, you're just holding it wrong. Here, just hold it in this incredibly awkward and uncomfortable way. See? Everything is fiiiiiiiiine...

    Worried about getting hacked through messages? It's a problem with the industry standard SMS that nobody else seems to have a problem with, you're just texting wrong. Here, just use our proprietary iMessage instead. What, then you can't text a few of your friends? Ah, they don't have Apple products, so they aren't worthy of your attentions anyway. See? Everything is fiiiiiiiine...
     
  6. gwailo247

    gwailo247 TechSpot Chancellor Posts: 2,105   +18

    Well I suppose a TS staff member who seems driven to dispute any wrongdoing on the part of Apple should take it upon himself to actually find out if this is something that can be done. I'm sure there are plenty like-minded Apple aficionados out there who are doing the very same thing.

    That aside, the key issue is not whether or not the issue is solely with Apple, but that Apple's solution is to have people use its service as a solution to its own technical inadequacies.

    I don't honestly think so, but one may argue that they're going to be less than zealous in repairing this flaw in hopes that people will migrate to their own program.

    But I'm looking forward to the results of the investigation. I'm sure you can find out if the problem is solely limited to Apple or not...
     
  7. Wendig0

    Wendig0 TechSpot Paladin Posts: 1,078   +76

    If Microsoft said something like this, the EU would be foaming at the mouth and calling for some ***. Since it is Apple, and not Internet Explorer though, it's not a problem.
     
  8. Lurker101

    Lurker101 TS Addict Posts: 638   +127

    Isn't this just the default response from Apple? Why is anybody even remotely surprised?

    Customer - "If I hold my phone like this, I lose all signal"
    Apple - "Well don't hold it like that"

    Customer - "There's a serious problem with SMS"
    Apple - "Well don't use SMS"
     
  9. Doesn't iMessage only work when used between iPhones a la BBM?
     
  10. Tanstar

    Tanstar TS Enthusiast Posts: 204   +18

    Either they edited the original article to include that since your response or you didn't read the article, as the same quote is listed in the article now.
     
  11. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,175   +176

    My understanding was that Apple was using the "Reply To" phone number rather than the network defined number. So it is indeed a flaw of iOS or anyone else who uses the same methodology and is not a vulnerability in a properly applied SMS implementation.
     
     
  12. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,654   +323

    The Engadget article always had that in it. The TS article though choose to dismiss the part I bolded (although if you are reading this from the front page the bolding doesn't carry through). The TS article has this pertaining to Apple's response: "In a message to Engadget, an Apple spokesperson said the company takes security very seriously. When using iMessage instead of SMS, addresses are said to be verified which protects against these type of attacks. Apple suggests users be extremely careful if they are directed to an unknown website over SMS."

    Which leaves out the critical part of Apple's reply. Apple implies they aren't the only ones vulnerable, and that perhaps there is nothing that they could do even if they wanted to (completely contrary to the tone of this article) because it is an inherent flaw in SMS.

    And you are just a ****. I was simply asking a question that was intentionally avoided in the TS news posting (by selective editing), I'm not a journalist, it isn't my job to investigate these things.

    Prove to me, if you are going to be that arrogant, that this is only an iPhone issue and not a vulnerability in SMS in general. I was only asking if that was the case because I didn't know. But you are so springloaded to fire against me because of some dispute in a thread a few weeks ago.
     
  13. TJGeezer

    TJGeezer TS Enthusiast Posts: 385   +10

    Big question: is it a problem with SMS or with iOS? I don't use iDoohickies so I'm only affected if the risk goes with any link sent by SMS - if the sender can be spoofed on any SMS-capable device. If that's the case, no link would be trustworthy, no matter who seems to have sent it.

    Since such a basic question isn't answered here, I don't get Win7Dev's comment at all, unless it's a rather misplaced glee at possible harm to Apple. As SNGX1275 says, if there are better approaches to blocking spoofed SMS messages, the article doesn't point to them.
     
    SNGX1275 likes this.
  14. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,654   +323

    At least you are accepting the possibility it is a SMS flaw not an Apple flaw. But then you had to go on a bit longer with that other stuff. Apple's stance on other issue's they've had is totally unrelated to this if this is a true SMS problem and not a limited to iPhone problem.
    If its Apple's fault and all these other phones have built in spoofing protection as of this past weekend, then I'll shut up and accept defeat in this.
     
  15. Vrmithrax

    Vrmithrax TechSpot Paladin Posts: 1,286   +232

    All you have to do is go back and look at patch and update histories, along with vulnerability reports, @SNGX1275... It was reported as far back as 2007 that SMS handling could potentially introduce vulnerabilities in both iOS and Android, and Google immediately began patching up the vulnerability. As new possible exploits or issues popped up, Android was updated. Apple kept saying "just use iMessage" as their solution, and tried to put down an industry standard as the problem. Let me reiterate: Apple blames AN INDUSTRY STANDARD method of messaging as the problem, yet other platforms are able to effectively utilize it by actually doing some programming, rather than just arrogantly fluffing it off and pushing their own proprietary methods. As such, I fully stand behind my comment and comparison to the whole "Antenna-gate" debacle, because it speaks to a corporate mentality that is being witnessed firsthand yet again with this SMS issue.
     
    SNGX1275 likes this.
  16. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,654   +323

    Ok, you backed it up like I was asking. I honestly (despite what gwalio thinks) didn't know and it was a legitimate question. I guess it doesn't matter at this point, but since that is true, why wasn't android and google "immediately patching up the vulnerability" pointed out in this story. It isn't just TS that didn't report that, Engadget didn't either.. why?
     
  17. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,175   +176

    @SNGX As I said before, it is NOT an SMS flaw. Only a bad implementation would have this issue. This is an iOS problem and the flaw is the exception rather than the rule. It would be harder to find others doing the same more than those doing it right...
     
  18. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,175   +176

    If you are sent two values, one was from the network provider, the other was defined by the sender, who in their right mind *trusts* the user defined one? Apple does.... that is not SMS's fault
     
  19. DanUK

    DanUK TS Enthusiast Posts: 196   +8

    +1. I guess the problem is they know they can get away with it.
     
  20. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,654   +323

    Ok. And I yeilded, but you posted another message. So, in a 'friendly' counter volley. What about spoofing a SMTP header in email? We know people get tricked into responding in emails all the time.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.