Apple responds to SMS vulnerability in iOS, suggests using iMessage

Shawn Knight


Apple has replied to a story that surfaced last week highlighting an SMS vulnerability in iOS that has existed since the original iPhone shipped in 2007 and is still present in iOS 6 beta 4. Instead of offering to fix the vulnerability that can allow spoofed text messages using the right tools, Apple’s statement highlights the benefits of using iMessage instead of SMS.

In a message to Engadget, an Apple spokesperson said the company takes security very seriously. When using iMessage instead of SMS, addresses are said to be verified which protects against these types of attacks. Apple suggests users be extremely careful if they are directed to an unknown website over SMS.

Perhaps this would be a valid workaround if everyone in the world owned an iPhone but unfortunately for Cupertino, that isn’t the case. iMessage can only be used if both parties are using an iOS 5 or later device. iMessage also works on Macs running OS X Mountain Lion; otherwise messages must be sent as SMS.

Security expert Seth Bromberger from NCI Security agrees, suggesting that Apple should take steps to minimize SMS spoofing instead of using the situation to push iMessage. He says Apple should display the original number in addition to checking to see if the sender’s number and the recipient’s number match.

It’s unclear if Apple plans to take any steps to rectify the situation but as of now, they have not committed to make any changes in how reply-to addresses are handled for SMS.
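Bromberger's suggestion above (show the original number and check whether it matches the reply address), sketched as receiver-side display logic. This is an added example, not code from Apple, the article or the researcher; the field names, the default country code of 44 and the simplified number normalization are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_CC = "44"  # assumption: national-format numbers belong to this country code


@dataclass
class InboundSms:
    # Hypothetical field names for the two values discussed on this page.
    network_sender: str       # originating number as delivered by the network
    reply_to: Optional[str]   # optional reply address chosen by the sender
    body: str


def normalize(number: str) -> str:
    """Reduce a number to country code + digits so equal numbers compare equal.

    Simplified on purpose: a real client needs full numbering-plan rules.
    """
    if re.search(r"[A-Za-z]", number):   # alphanumeric sender ID such as "BANK"
        return number.strip().casefold()
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):          # international call prefix
        return digits[2:]
    return DEFAULT_CC + digits.lstrip("0")  # national format with trunk zero


def present(msg: InboundSms) -> dict:
    """Always show the network-supplied sender; flag a differing reply address."""
    view = {"shown_sender": msg.network_sender,
            "reply_target": msg.network_sender,
            "warning": None}
    if msg.reply_to and normalize(msg.reply_to) != normalize(msg.network_sender):
        view["reply_target"] = msg.reply_to
        view["warning"] = (f"Sent from {msg.network_sender}; "
                           f"replies would go to {msg.reply_to}")
    return view


# Constructed sample messages (numbers taken from a range reserved for fiction).
SAME = InboundSms("+447700900123", "07700 900123", "Running late")
DIFFERENT = InboundSms("+447700900999", "+447700900123", "Visit this site")
```

The sender-chosen reply address never replaces the displayed sender here; a mismatch only adds a visible warning and changes where a reply would go.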


 
You linked the Engadget article and that Apple suggests iMessage over SMS, but you left out a potentially big part of the quote:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

That implies, to me at least, that this isn't an issue limited to an iPhone. That perhaps any phone could have this happen to them. So then that brings up the question - If it can happen to any phone, do other phones have spoofing protection on them that the iPhone does not? I do not know the answer to this, but I saw the Engadget article this weekend and it wasn't really addressed there either.
 
I honestly hope their stock value drops because of this. Running a business like this has disaster written all over it if this continues. I will laugh if someone spoofs some messages to apple staff.
 
While I understand the limitations of SMS, this is yet another example of Apple's demonstrated arrogance with regards to issues in recent years.

Signal is dropping off? It's not hardware, you're just holding it wrong. Here, just hold it in this incredibly awkward and uncomfortable way. See? Everything is fiiiiiiiiine...

Worried about getting hacked through messages? It's a problem with the industry standard SMS that nobody else seems to have a problem with, you're just texting wrong. Here, just use our proprietary iMessage instead. What, then you can't text a few of your friends? Ah, they don't have Apple products, so they aren't worthy of your attentions anyway. See? Everything is fiiiiiiiine...
 
Well I suppose a TS staff member who seems driven to dispute any wrongdoing on the part of Apple should take it upon himself to actually find out if this is something that can be done. I'm sure there are plenty like-minded Apple aficionados out there who are doing the very same thing.

That aside, the key issue is not whether or not the issue is solely with Apple, but that Apple's solution is to have people use its service as a solution to its own technical inadequacies.

I don't honestly think so, but one may argue that they're going to be less than zealous in repairing this flaw in hopes that people will migrate to their own program.

But I'm looking forward to the results of the investigation. I'm sure you can find out if the problem is solely limited to Apple or not...
 
If Microsoft said something like this, the EU would be foaming at the mouth and calling for some ***. Since it is Apple, and not Internet Explorer though, it's not a problem.
 
Isn't this just the default response from Apple? Why is anybody even remotely surprised?

Customer - "If I hold my phone like this, I lose all signal"
Apple - "Well don't hold it like that"

Customer - "There's a serious problem with SMS"
Apple - "Well don't use SMS"
 
You linked the Engadget article and that Apple suggests iMessage over SMS, but you left out a potentially big part of the quote:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

That implies, to me at least, that this isn't an issue limited to an iPhone. That perhaps any phone could have this happen to them. So then that brings up the question - If it can happen to any phone, do other phones have spoofing protection on them that the iPhone does not? I do not know the answer to this, but I saw the Engadget article this weekend and it wasn't really addressed there either.

Either they edited the original article to include that since your response or you didn't read the article, as the same quote is listed in the article now.
 
You linked the Engadget article and that Apple suggests iMessage over SMS, but you left out a potentially big part of the quote:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

That implies, to me at least, that this isn't an issue limited to an iPhone. That perhaps any phone could have this happen to them. So then that brings up the question - If it can happen to any phone, do other phones have spoofing protection on them that the iPhone does not? I do not know the answer to this, but I saw the Engadget article this weekend and it wasn't really addressed there either.

My understanding was that Apple was using the "Reply To" phone number rather than the network defined number. So it is indeed a flaw of iOS or anyone else who uses the same methodology and is not a vulnerability in a properly applied SMS implementation.
 
Either they edited the original article to include that since your response or you didn't read the article, as the same quote is listed in the article now.

The Engadget article always had that in it. The TS article though chose to dismiss the part I bolded (although if you are reading this from the front page the bolding doesn't carry through). The TS article has this pertaining to Apple's response: "In a message to Engadget, an Apple spokesperson said the company takes security very seriously. When using iMessage instead of SMS, addresses are said to be verified which protects against these types of attacks. Apple suggests users be extremely careful if they are directed to an unknown website over SMS."

Which leaves out the critical part of Apple's reply. Apple implies they aren't the only ones vulnerable, and that perhaps there is nothing that they could do even if they wanted to (completely contrary to the tone of this article) because it is an inherent flaw in SMS.

Well I suppose a TS staff member who seems driven to dispute any wrongdoing on the part of Apple should take it upon himself to actually find out if this is something that can be done. I'm sure there are plenty like-minded Apple aficionados out there who are doing the very same thing.

That aside, the key issue is not whether or not the issue is solely with Apple, but that Apple's solution is to have people use its service as a solution to its own technical inadequacies.

I don't honestly think so, but one may argue that they're going to be less than zealous in repairing this flaw in hopes that people will migrate to their own program.

But I'm looking forward to the results of the investigation. I'm sure you can find out if the problem is solely limited to Apple or not...

And you are just a ****. I was simply asking a question that was intentionally avoided in the TS news posting (by selective editing), I'm not a journalist, it isn't my job to investigate these things.

Prove to me, if you are going to be that arrogant, that this is only an iPhone issue and not a vulnerability in SMS in general. I was only asking if that was the case because I didn't know. But you are so springloaded to fire against me because of some dispute in a thread a few weeks ago.
 
Big question: is it a problem with SMS or with iOS? I don't use iDoohickies so I'm only affected if the risk goes with any link sent by SMS - if the sender can be spoofed on any SMS-capable device. If that's the case, no link would be trustworthy, no matter who seems to have sent it.

Since such a basic question isn't answered here, I don't get Win7Dev's comment at all, unless it's a rather misplaced glee at possible harm to Apple. As SNGX1275 says, if there are better approaches to blocking spoofed SMS messages, the article doesn't point to them.
 
While I understand the limitations of SMS, this is yet another example of Apple's demonstrated arrogance with regards to issues in recent years.

Signal is dropping off? It's not hardware, you're just holding it wrong. Here, just hold it in this incredibly awkward and uncomfortable way. See? Everything is fiiiiiiiiine...

Worried about getting hacked through messages? It's a problem with the industry standard SMS that nobody else seems to have a problem with, you're just texting wrong. Here, just use our proprietary iMessage instead. What, then you can't text a few of your friends? Ah, they don't have Apple products, so they aren't worthy of your attentions anyway. See? Everything is fiiiiiiiine...

At least you are accepting the possibility it is an SMS flaw not an Apple flaw. But then you had to go on a bit longer with that other stuff. Apple's stance on other issues they've had is totally unrelated to this if this is a true SMS problem and not a limited to iPhone problem.
If it's Apple's fault and all these other phones have built in spoofing protection as of this past weekend, then I'll shut up and accept defeat in this.
 
All you have to do is go back and look at patch and update histories, along with vulnerability reports, @SNGX1275... It was reported as far back as 2007 that SMS handling could potentially introduce vulnerabilities in both iOS and Android, and Google immediately began patching up the vulnerability. As new possible exploits or issues popped up, Android was updated. Apple kept saying "just use iMessage" as their solution, and tried to put down an industry standard as the problem. Let me reiterate: Apple blames AN INDUSTRY STANDARD method of messaging as the problem, yet other platforms are able to effectively utilize it by actually doing some programming, rather than just arrogantly fluffing it off and pushing their own proprietary methods. As such, I fully stand behind my comment and comparison to the whole "Antenna-gate" debacle, because it speaks to a corporate mentality that is being witnessed firsthand yet again with this SMS issue.
 
Ok, you backed it up like I was asking. I honestly (despite what gwalio thinks) didn't know and it was a legitimate question. I guess it doesn't matter at this point, but since that is true, why wasn't Android and Google "immediately patching up the vulnerability" pointed out in this story. It isn't just TS that didn't report that, Engadget didn't either... why?
 
@SNGX As I said before, it is NOT an SMS flaw. Only a bad implementation would have this issue. This is an iOS problem and the flaw is the exception rather than the rule. It would be harder to find others doing the same more than those doing it right...
 
If you are sent two values, one was from the network provider, the other was defined by the sender, who in their right mind *trusts* the user defined one? Apple does.... that is not SMS's fault
 
Isn't this just the default response from Apple? Why is anybody even remotely surprised?

Customer - "If I hold my phone like this, I lose all signal"
Apple - "Well don't hold it like that"

Customer - "There's a serious problem with SMS"
Apple - "Well don't use SMS"

+1. I guess the problem is they know they can get away with it.
 
If you are sent two values, one was from the network provider, the other was defined by the sender, who in their right mind *trusts* the user defined one? Apple does.... that is not SMS's fault

Ok. And I yielded, but you posted another message. So, in a 'friendly' counter volley. What about spoofing an SMTP header in email? We know people get tricked into responding in emails all the time.
 