Apple has replied to a story that surfaced last week highlighting an SMS vulnerability in iOS that has existed since the original iPhone shipped in 2007 and is still present in iOS 6 beta 4. Instead of offering to fix the vulnerability, which can allow spoofed text messages given the right tools, Apple’s statement highlights the benefits of using iMessage instead of SMS.
In a message to Engadget, an Apple spokesperson said the company takes security very seriously. When using iMessage instead of SMS, addresses are said to be verified, which protects against these types of attacks. Apple suggests users be extremely careful if they are directed to an unknown website over SMS.
Perhaps this would be a valid workaround if everyone in the world owned an iPhone, but unfortunately for Cupertino, that isn’t the case. iMessage can only be used if both parties are using an iOS 5 or later device. iMessage also works on Macs running OS X Mountain Lion; otherwise messages must be sent as SMS.
Security expert Seth Bromberger from NCI Security agrees, suggesting that Apple should take steps to minimize SMS spoofing instead of using the situation to push iMessage. He says Apple should display the original number in addition to checking to see if the sender’s number and the recipient’s number match.
It’s unclear whether Apple plans to take any steps to rectify the situation, but as of now the company has not committed to making any changes in how reply-to addresses are handled for SMS.