Apple urges users to stick with iMessage to avoid iPhone SMS spoofing - Page 4

Originally Posted by lightknight 
What's wrong with the sixth iPhone being called iPhone 5 really?

The lack of explanation therefor.

Originally Posted by Vadania 
Apple could call it what ever they want.

Exactly, and they will call it something that matters and makes sense. Not "iPhone 5"

Quote:

Originally Posted by muppetry 


True, but while you can verify the origin, you still cannot prevent a spoofed "From" field with unauthenticated SMTP.

No, but your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). If the servers don't match, straight into the SPAM folder.

Also, I wrote another reply explaining why it IS an iPhone issue, but it was held back for administrators to approve (it featured links and I'm still a new user).

The short version of that post is: We're NOT talking about SMS spoofing in general, but about the issue discovered by pod2g. That issue is entirely about the REPLY-TO field, as I previously described. In other words: It's an issue on iPhones and it's entirely up to Apple to fix it.

Yes, you can spoof the SMS "FROM" field, but that's not what the AppleInsider news article was about, nor was Apple's statement to Engadget. It was about the REPLY-TO issue that pod2g discovered.

Also, FWIW, nobody knows how secure iMessage is, as nobody but Apple knows what protocols and security they're using.

Quote:

Originally Posted by JohnnyW2001 

 

No, but a your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). So ff they don't match, straight into the SPAM folder.

 

Also, I wrote another reply explaining why it IS an iPhone issue, but it was held back for administrators to approve (it featured links). Short version: We're NOT talking about SMS spoofing in general, but about the exploit discovered by pod2g. (That issue is entirely about the REPLY-TO field, as I previously described.) In other words: It's an issue on iPhones and it's entirely up to Apple to fix it.

 

Yes, you can spoof the SMS "FROM" field, but that's not what the AppleInsider news article was about, nor was Apple's statement to Engadget about that. It was about the problem that pod2g discovered only.

 

Also, FWIW, nobody knows how secure iMessage is, as nobody but Apple knows what protocols and security they're using.

Thanks for the clear details that cut to the specifics!

or you could go with "BBM"... the long forgotten RIM/(IBM?) Blackberry message service... /rim shot

Quote:

Originally Posted by jragosta 


Still waiting for you to explain why everyone is up in arms about this problem on iOS. If they spoof the 'from' header, it affects everyone. And when you look at all the SMS spoofing sites around, that's what they do. Not surprising since 95% of phones out there don't use the 'reply-to' header and would be unaffected by that type of spoof. The ONLY time it is a problem unique to iOS is if they spoof the 'reply-to' but not the 'from' header. Considering that most people don't use the 'reply-to' header, that doesn't make sense - and I've never seen it happen.
So you have the every day 'from' spoofing that occurs every day and there are dozens of anonymizer sites that tell you how to do it or do it for you - and which affects everyone - vs the theoretical possibility that someone could possibly set up a spoof that only affects iPhones (and possibly a tiny number of other phones that might use the 'reply-to' header) - but which has never happened.
So why is it that you and all the press are screaming like crazy about the potential, theoretical, unobserved spoof that might affect only iPhones and ignoring the common, everyday spoofing that occurs every single day in the real world and which affects all phones.

Yes, there is still the "normal" FROM spoofing. This issue does seem somewhat minor compared to that, I agree. Never-the-less, this is what made the news, so that's what's being discussed. It sounds to me like you should be complaining to Apple Insider for making such a big deal about this new issue, really. Never-the-less, it's completely Apple's fault, and it's a very bizarre decision to implement the REPLY-TO field the way they have. The one distinction is that, unlike FROM spoofing, this is perfectly legitimate, and may result in accidental spoofing.

Quote:

Originally Posted by muppetry 


That only helps if you always expect sender addresses to match originating server domains, which is often not the case. You could set your detection software to reject on that criterium, but it would trigger a lot of false positives.

Sir, you have no idea what you're talking about. It is always expected that the servers match. Always. The only times it wouldn't be the case would be if an amateur was in charge of sys admin of a mail server, or if someone was deliberately trying to spoof an email address.

Quote:

Originally Posted by AppleInsider 

Apple on Saturday officially responded to reports that its latest mobile operating system remains vulnerable to text message spoofing, recommending that customers use its more secure iMessage service instead.
A hacker on Thursday drew headlines when he urged Apple to plug a hole in iOS that could allow malicious individuals to send text messages that appear as if they're coming from someone else.
Like other mobile operating systems, iOS SMS messages support transmission of optional, advanced features in the header section of text messages, including a "reply to" address. Since most wireless carriers don't perform verification checks on these header specifications, incoming SMS messages to iPhones could be manipulated to appear as if they're coming from the "reply to" address and not the actual sender.
In a statement obtained by Engadget, Apple reminds customers that its iMessage service was designed to safeguard against the vulnerabilities of the yesteryear Short Message Service (SMS):

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

"Spoofed" SMS messages can include anything from a spam to phishing attempts at personal information. The weakness flaunted by the SMS specification is similar to vulnerabilities in the standard email specification, which similarly does not authentic the names and addresses in header data.
Introduced by Apple in June of 2011 as an alternative to SMS messaging, iMessage allows users to send texts, photos, videos, contact information, and group messages over Wi-Fi or 3G to other iOS?5 users. It's accessible through the Messages app on an iPhone, iPad, or an iPod touch running iOS 5 or later or on a Mac running OS X Mountain Lion or later.

I've got an iPhone 4s and have no idea if I'm texting in SMS mode or iMessage. How can I tell if I'm using iMessage or SMS? 

Originally Posted by sc_markt 
I've got an iPhone 4s and have no idea if I'm texting in SMS mode or iMessage. How can I tell if I'm using iMessage or SMS? 

iMessage is one color, SMS is the other. I can't remember which; my iMessages come in as all colors and I don't get SMS.

Quote:

Originally Posted by Tallest Skil 

 

The lack of explanation therefor.

 

 

Exactly, and they will call it something that matters and makes sense. Not "iPhone 5"

Hmmm..... since the 'distinguishing feature' that makes sense seems to be the larger screen size how about they call it the iPhone 4"?

Originally Posted by Frood 
Hmmm..... since the 'distinguishing feature' that makes sense seems to be the larger screen size how about they call it the iPhone 4"?

I'm annoyed that I didn't come up with that name.