or Connect
AppleInsider › Forums › Mobile › iPhone › Apple urges users to stick with iMessage to avoid iPhone SMS spoofing
New Posts  All Forums:Forum Nav:

Apple urges users to stick with iMessage to avoid iPhone SMS spoofing

post #1 of 134
Thread Starter 
Apple on Saturday officially responded to reports that its latest mobile operating system remains vulnerable to text message spoofing, recommending that customers use its more secure iMessage service instead.

A hacker on Thursday drew headlines when he urged Apple to plug a hole in iOS that could allow malicious individuals to send text messages that appear as if they're coming from someone else.

Like other mobile operating systems, iOS SMS messages support transmission of optional, advanced features in the header section of text messages, including a "reply to" address. Since most wireless carriers don't perform verification checks on these header specifications, incoming SMS messages to iPhones could be manipulated to appear as if they're coming from the "reply to" address and not the actual sender.

In a statement obtained by Engadget, Apple reminds customers that its iMessage service was designed to safeguard against the vulnerabilities of the yesteryear Short Message Service (SMS):


Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.


"Spoofed" SMS messages can include anything from a spam to phishing attempts at personal information. The weakness flaunted by the SMS specification is similar to vulnerabilities in the standard email specification, which similarly does not authentic the names and addresses in header data.

Introduced by Apple in June of 2011 as an alternative to SMS messaging, iMessage allows users to send texts, photos, videos, contact information, and group messages over Wi-Fi or 3G to other iOS?5 users. It's accessible through the Messages app on an iPhone, iPad, or an iPod touch running iOS 5 or later or on a Mac running OS X Mountain Lion or later.
post #2 of 134

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

post #3 of 134

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

 

It started working really good when i had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.

 

Even when using Wi-Fi... it sucks!

 

Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.

 

If they would acknowledge and fix the problem, I would definitely use it.

post #4 of 134
Apple should make it more apparent that when you send a text between iOS devices, you automatically use iMessage. Just telling people to use iMessage when they aren't aware it's an automatic action isn't helpful! Messages that are blue in the Messages app use iMessage and are secure. Messages that are green are using SMS and cost you extra and are insecure.
post #5 of 134

I love iMessage, but many messages have to be sent as SMS, and it seems to be random when it works and when it doesn't. Most of the time it works, but I will say that it doesn't about 10-15% of the time. Both sender and receiver have wifi and iPhone 4S. Even worse is pictures ("MMS") which 95% of the time doesn't work with iMessage. I've experienced it taking 15 minutes to send 3 pictures with iMessage on a 12MBit/s wifi. Using real MMS sending the same pictures takes about 15 seconds. But the real problem here is that most of the time it doesn't work at all. I'm from Norway and I have normal 3G and wifi without other problems.

post #6 of 134

"In response, AT&T has stated that to use iMessage, users must pay $10 more per month."

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #7 of 134

Yeah, iMessage should work really well, to my mother's 4 year old cell phone.  #LowestCommonDenominator-LikeFaxandSMTP.

post #8 of 134

iMessage has always worked very well for me. I love it. I recommend it to everyone with an iPhone. 

post #9 of 134

Cool solution, I'll just buy an iPhone for family, friends, and anyone else I might communicate with. 

post #10 of 134
Quote:
Originally Posted by 28jp View Post

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

 

It started working really good when i had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.

 

Even when using Wi-Fi... it sucks!

 

Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.

 

If they would acknowledge and fix the problem, I would definitely use it.

 

iMessage works well. Too bad you comment and don't specifically detail how you come to that comment's conclusion.

post #11 of 134
Quote:
Originally Posted by nagromme View Post

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

No, as I mentioned in the original thread, this issue predates the iPhone and is in fact related to the SMS specification itself. Yesterday's headlines were maliciously misleading and I truly think there should be legal consequences for that.
post #12 of 134
Quote:
Originally Posted by nagromme View Post

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

 

I don't know that it's a vulnerability, in the same sense that the postal service is vulnerable to "spoofing" of return addresses. I assume that if all phones can receive SMS, all phones are equally vulnerable.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply
post #13 of 134

It's an SMS problem, not an iPhone-specific problem… 

 

It would be great if I could iMessage my Android and other non-iOS buddies… but, alas...

post #14 of 134
Quote:
Originally Posted by mdriftmeyer View Post

 

iMessage works well. Too bad you comment and don't specifically detail how you come to that comment's conclusion.

 

iMessage is temperamental at best.  Too bad you don't read before reacting...

Quote:
Originally Posted by 28jp View Post

It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

censored

Reply

censored

Reply
post #15 of 134
Originally Posted by Crowley View Post
iMessage is temperamental at best.  Too bad you don't read before reacting...

 

For him. I've not read that anywhere else.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #16 of 134

While ATT encourages potential customers to go with samsung so that they will get to charge for the message service.

An Apple man since 1977
Reply
An Apple man since 1977
Reply
post #17 of 134
I like iMessage. But not everyone has an iPhone or Mac or iPad or iPod touch. We need a real solution, Apple.

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply
post #18 of 134

Maybe there is something I don't understand ... Using iMessage doesn't mean one can simply ignore SMS texts. So how does that eliminate text scams/spams?

post #19 of 134
Quote:
Originally Posted by NormM View Post

Apple should make it more apparent that when you send a text between iOS devices, you automatically use iMessage. Just telling people to use iMessage when they aren't aware it's an automatic action isn't helpful! Messages that are blue in the Messages app use iMessage and are secure. Messages that are green are using SMS and cost you extra and are insecure.

 

I thought the same thing.  Here there was a fantastic opportunity to blow their own horn and advertise iMessage a bit more (most don't know it exists given that the icon is for SMS), yet they chose to be typically brief instead.  Wasted their chance. 

post #20 of 134
Quote:
Originally Posted by tylerk36 View Post

While ATT encourages potential customers to go with samsung so that they will get to charge for the message service.

 

Sammy operates an iMessage equivalent called ChatON.

post #21 of 134
Quote:
Originally Posted by logandigges View Post

I like iMessage. But not everyone has an iPhone or Mac or iPad or iPod touch. We need a real solution, Apple.

 

A Windows iMessage client would help a lot but if someone is SMS'ing from an old phone there isn't much you can do.  I don't understand what else you would expect from a "real solution."  

 

SMS is inherently insecure and inherently expensive.  Apple is trying to move people away from it by offering an extremely secure, free client that integrates seamlessly with the old SMS as well as a lot of IM clients.  

 

This seems like the best possible strategy to me.  

post #22 of 134
Originally Posted by Gazoobee View Post
I thought the same thing.  Here there was a fantastic opportunity to blow their own horn and advertise iMessage a bit more (most don't know it exists given that the icon is for SMS), yet they chose to be typically brief instead.  Wasted their chance. 

 

The icon doesn't say SMS anymore, though. Hasn't since they added MMS. If they changed it fully, people would scream that Apple took away SMS entirely.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #23 of 134
Quote:
Originally Posted by Gazoobee View Post

A Windows iMessage client would help a lot but if someone is SMS'ing from an old phone there isn't much you can do.  I don't understand what else you would expect from a "real solution."  

SMS is inherently insecure and inherently expensive.  Apple is trying to move people away from it by offering an extremely secure, free client that integrates seamlessly with the old SMS as well as a lot of IM clients.  

This seems like the best possible strategy to me.  

By a real solution I mean a fix for the SMS spoofing so it's not just through iMessage that users are safe. We need it to be safe even if the person you are communicating with doesn't have an iPhone.

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply
post #24 of 134
Quote:
Originally Posted by dagta View Post

I love iMessage, but many messages have to be sent as SMS, and it seems to be random when it works and when it doesn't. Most of the time it works, but I will say that it doesn't about 10-15% of the time. ...

 

Quote:
Originally Posted by 28jp View Post

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  ...

 

Are you two in the same country?  I have never had a single report from anyone of iMessage not working or having any troubles like this.  The Mac client did some "interesting" things while in beta but I don't believe I've ever heard of anyone having trouble using it on an iOS device before.  Your problem is so unique and so identical from post to post that I'd almost think you were the same person posting twice.  

post #25 of 134

I'm not surprised, to be honest. I've gotten spam messages like that on almost every phone I've owned, both feature and smart.

 

SMS is like email in that its just a plain text file and it is embarrassingly easy to spoof. All you need is a UNIX system (Mac, Linux, AIX, HPUX, BSD and so forth), make sure the SMTP software is properly configured and then write whatever you want in a plain text file to send as an email.

 

All you need is three commands

 

 

Contents of the "spoof.txt" file:

 

And there we go, one email in my inbox supposedly from Apple.

 

 

I put the wrong format address in the "To" field - but you get the idea. Its the same story with SMS - just a couple of header fields in plain text.

... at night.

Reply

... at night.

Reply
post #26 of 134
Quote:
Originally Posted by logandigges View Post


By a real solution I mean a fix for the SMS spoofing so it's not just through iMessage that users are safe. We need it to be safe even if the person you are communicating with doesn't have an iPhone.

 

I think what Apple is saying here between the lines is that despite the alarmist judgemental reports blaming Apple that it's an issue with how the carrier deals with SMS (they fail to authenticate it), and that it is therefore out of their control.  

 

I really wish they had explicitly spelled this out however.  A golden opportunity to educate it's users has been missed here.  

post #27 of 134
Quote:
Originally Posted by Gazoobee View Post

I think what Apple is saying here between the lines is that despite the alarmist judgemental reports blaming Apple that it's an issue with how the carrier deals with SMS (they fail to authenticate it), and that it is therefore out of their control.  

I really wish they had explicitly spelled this out however.  A golden opportunity to educate it's users has been missed here.  

I agree, I think al co.'s should do this.

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply
post #28 of 134
Quote:
Originally Posted by logandigges View Post

I like iMessage. But not everyone has an iPhone or Mac or iPad or iPod touch. We need a real solution, Apple.

How in the world is Apple supposed to fix an inherent SMS problem?

The fact is that when an SMS message is sent, it may have a fake return address. How do you expect Apple to fix that?

Now, if the message is sent by an iOS device, they can include the optional features which can provide some level of security, but only another iOS device will recognize them. So the result is the same - Apple can do something to secure iOS to iOS messages (and they've already done that). There's not a blasted thing they can do to secure non-iOS messages.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #29 of 134

Apple should just say that they are working on a solution - suggesting iMessenger is a viable solution to SMS is just idiotic.

post #30 of 134
Originally Posted by agramonte View Post
Apple should just say that they are working on a solution - suggesting iMessenger is a viable solution to SMS is just idiotic.

 

Thinking that Apple is the one that needs to be fixing anything or can be the one fixing anything is… 

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #31 of 134
Quote:
Originally Posted by jragosta View Post

How in the world is Apple supposed to fix an inherent SMS problem?
The fact is that when an SMS message is sent, it may have a fake return address. How do you expect Apple to fix that?
Now, if the message is sent by an iOS device, they can include the optional features which can provide some level of security, but only another iOS device will recognize them. So the result is the same - Apple can do something to secure iOS to iOS messages (and they've already done that). There's not a blasted thing they can do to secure non-iOS messages.

I see the issue now. But I stil think we could fix it. SMS sucks. It needs to be reinvented with much better stuff. While they are reinventing it, might as well make it safe. And don't ask me who "they" are, cuz I have no idea.

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply
post #32 of 134
Quote:
Originally Posted by Crowley View Post

 

iMessage is temperamental at best.  Too bad you don't read before reacting...

 

That's still not an answer, nim wit. Run a damn trace on your packet network and how it handshakes between your set up. Test it with WiFi, at home, at Hotspots and with Celluar [assuming you have the set up] and then study the bottle necks.

 

Instead, you whine about it taking an hour with no substance to back it up.

post #33 of 134
Quote:
Originally Posted by benanderson89 View Post

I'm not surprised, to be honest. I've gotten spam messages like that on almost every phone I've owned, both feature and smart.

 

SMS is like email in that its just a plain text file and it is embarrassingly easy to spoof. All you need is a UNIX system (Mac, Linux, AIX, HPUX, BSD and so forth), make sure the SMTP software is properly configured and then write whatever you want in a plain text file to send as an email.

 

All you need is three commands

 

 

Contents of the "spoof.txt" file:

 

And there we go, one email in my inbox supposedly from Apple.

 

 

I put the wrong format address in the "To" field - but you get the idea. Its the same story with SMS - just a couple of header fields in plain text.

 

You're using sendmail? Still?

post #34 of 134
Quote:
Originally Posted by mdriftmeyer View Post

 

You're using sendmail? Still?

Technically I'm using exim4 to send emails. The sendmail command parses the header information in the text file correctly as well. mailx and mail simply paste the contents of the text file as plain text into the message body.

... at night.

Reply

... at night.

Reply
post #35 of 134

iMessages have never been a problem for me (or many, many clients). In fact they often seem faster than SMS. Love the Messages app in Mountain Lion too - same chat on my phone as my Mac.

 

But really, if it's such a problem for some, why not just email from your phone instead? I often wonder why Americans & Europeans are so hooked on texting.

post #36 of 134
Quote:
Originally Posted by logandigges View Post

Quote:
Originally Posted by jragosta View Post

How in the world is Apple supposed to fix an inherent SMS problem?
The fact is that when an SMS message is sent, it may have a fake return address. How do you expect Apple to fix that?
Now, if the message is sent by an iOS device, they can include the optional features which can provide some level of security, but only another iOS device will recognize them. So the result is the same - Apple can do something to secure iOS to iOS messages (and they've already done that). There's not a blasted thing they can do to secure non-iOS messages.

I see the issue now. But I stil think we could fix it. SMS sucks. It needs to be reinvented with much better stuff. While they are reinventing it, might as well make it safe. And don't ask me who "they" are, cuz I have no idea.

Dude, just realize this: the people who could potentially be interested in doing anything evil with this already knew of this a long time ago. I've known about this for over a decade, I had fun playing pranks on friends pretending I was the police a long time ago, this really old news to anyone with a basic knowledge of telecommunications, there is absolutely no reason to be afraid of it now. It's good to be aware, but it doesn't really need a solution, SMS is fine as it is.
post #37 of 134
1) Remember when carriers used to let you send an SMS from their website to a phone?

2) I stopped paying for SMS when iOS 5 was released and most of the people I know were on it. Can't say I miss it. Such a rip off.

3) If I have any complaints with iMessages they are all mostly gone as of iOS 6 with the ability to choose which accounts it can send and receive and the better unification and syncing which may or may not be part of iOS 6 on the device. On iOS 6 on the iPad you can choose to receive iMessages from your iPhone's phone number. This is still not an option on ML. The benefit of this is that if someone sends an iMessage to your phone using your phone number you don't have to tell them to send using your @me.com address so you can get it on all your devices.


PS: This is very minor but I'd not like that Messages icon to be blue.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
post #38 of 134
Quote:
Originally Posted by logandigges View Post

I like iMessage. But not everyone has an iPhone or Mac or iPad or iPod touch. We need a real solution, Apple.

Apple can't really give you that solution because it is inherent in the SMS system. It's possible on all phones etc.

In order to imessage from different OSes, the other side would have to approach Apple, license the code etc.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #39 of 134
Quote:
Originally Posted by Vaelian View Post

Dude, just realize this: the people who could potentially be interested in doing anything evil with this already knew of this a long time ago. I've known about this for over a decade, I had fun playing pranks on friends pretending I was the police a long time ago, this really old news to anyone with a basic knowledge of telecommunications, there is absolutely no reason to be afraid of it now. It's good to be aware, but it doesn't really need a solution, SMS is fine as it is.

I actually like SMS, but it does suck, from a practical standpoint. And if we are talking security, it needs to be overhauled.

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply

 

 


Tim Cook using Galaxy Tabs as frisbees

 

Reply
post #40 of 134

What seems to be missing from this discussion is understanding about what is being spoofed. From the original article on AI, the spoofing is only on the Reply To address field, which is optional. Can the From field be spoofed, too? Also from the article, "This would apparently limit the audience of SMS spoofing largely to iPhone users" after referencing that iOS only displays the Reply To, not the From. This suggests that other phones us the From field because "not all phones support these [optional] features".

 

So, if other phones safely use From and that can't be spoofed, and if the iPhone is vulnerable because it uses an optional spoof-able field, then yes, it is an iPhone problem that Apple should fix. Use From like everyone else (why on Earth would SMS ever legitamately need a different Reply To field anyway. Apparently nobody except scammer use it.

 

Note: I'm making a lot of assumptions above. Haven't had time to dig into in more. Just wanted to throw it out there. If there is a safe From field that everyone else uses, then so should Apple.

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › Apple urges users to stick with iMessage to avoid iPhone SMS spoofing