or Connect
AppleInsider › Forums › Mobile › iPhone › Apple urges users to stick with iMessage to avoid iPhone SMS spoofing
New Posts  All Forums:Forum Nav:

Apple urges users to stick with iMessage to avoid iPhone SMS spoofing - Page 2

post #41 of 134
Quote:
Originally Posted by 28jp View Post

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

 

It started working really good when i had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.

 

Even when using Wi-Fi... it sucks!

 

Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.

 

If they would acknowledge and fix the problem, I would definitely use it.

I never had the problems you've experienced. I have Verizon. Works great for me... even over wifi. Could be your phone or the at&t network.

post #42 of 134
Quote:
Originally Posted by joeblowjapan View Post

But really, if it's such a problem for some, why not just email from your phone instead?  I often wonder why Americans & Europeans are so hooked on texting.

It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.

 

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #43 of 134
Quote:
Originally Posted by agramonte View Post

Apple should just say that they are working on a solution - suggesting iMessenger is a viable solution to SMS is just idiotic.

Not as idiotic as people suggesting that Apple can do something to fix the inherent problems with SMS in some way other than creating and trusting only their own app.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #44 of 134
Quote:
Originally Posted by mstone View Post

It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.

 

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

 

I think a lot of the issues you listed could, theoretically, be solved with an email client that behaved the way you describe if someone really wanted to make one. But the real problem with emails is that over half of the cell phones in use are not smartphones, so emails won't work in a lot of instances. Also, SMS messages can usually get through in low signal environments were you might not get an email to go through. I have no specific figures, but I suspect an SMS is far less data being exchanged than an email with an equivalent length message. And finally, for email to be a viable option, you have to assume that everyone has push email turned on. (I for one, don't.)

 

For email to replace SMS, it has to be as universally available. Otherwise every time you want to send a message you need to wonder if the person will actually get it in a timely fashion. 

post #45 of 134
Quote:
Originally Posted by mstone View Post

 

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

 

You're not too rare, it's the same with me.  Agree with what you're saying.  My list of top people I get texts/messages from is full of people who could be using iMessage but aren't.

post #46 of 134

When reviewing the settings for messages, it appears that the iPhone with iOS version 5.1.1 defaults to iMessage if possible and only uses SMS when iMessage is unavailable.

 

So iMessage is the preferred messaging system with 5.1.1. I'd just leave the settings as they are.

 

This is much to do about nothing even if hacked SMS messages come to your iPhone. Just being aware of this possibility is all that is needed anyway.

post #47 of 134
Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.
post #48 of 134
Quote:
Originally Posted by AbsoluteDesignz View Post

Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.

As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #49 of 134

iMessage has always worked fine for me, never had an undelivered message or speed issue. But I'm not on AT&T, not even in the US. However, iMessage is still not grouping together messages from same person or group of people.

post #50 of 134
Quote:
Originally Posted by jragosta View Post


As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.
It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.

I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #51 of 134

I've had a couple times where I had to resend the message but it's certainly yards better than standard SMS.

post #52 of 134
Quote:
Originally Posted by mstone View Post

Quote:
Originally Posted by jragosta View Post

As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
post #53 of 134
Quote:
Originally Posted by Wiggin View Post


The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this is predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).
post #54 of 134
Quote:
Originally Posted by logandigges View Post

By a real solution I mean a fix for the SMS spoofing so it's not just through iMessage that users are safe. We need it to be safe even if the person you are communicating with doesn't have an iPhone.

You will need to fix the SMS protocol and every carrier in the world.

Eventually SMS will just need to go away. It was ok when you could not do much harm through SMS. Now with smartphones and people sending links through SMS it COULD be a problem. Every smart phone on earth is just as vulnerable as the iPhone. It is not hard to spoof an SMS message sender field. I am not sure why anyone is concerned at all about the reply-to field.
post #55 of 134
Quote:
Originally Posted by muppetry View Post

The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

A scammer will probably just spoof the sender field. It is not hard.
post #56 of 134
Quote:
Originally Posted by muppetry View Post


The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

I was wondering how that came about but even since the iChat days it was possible to send and SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #57 of 134
Quote:
Originally Posted by mstone View Post

Quote:
Originally Posted by muppetry View Post

The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
I was wondering how that came about but even since the iChat days it was possible to send and SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.

Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.
post #58 of 134
Quote:
Originally Posted by Vaelian View Post


The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this is predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).

I have received telemarketing calls from 000-000-0000

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #59 of 134

Too bad iMessage is unreliable!

(Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. lol.gif)

post #60 of 134
Quote:
Originally Posted by muppetry View Post


Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.

The comparison to email has been made a few times in this thread however there are services and applications which can clean out spam almost 100%. As I have mentioned in the past I use mxmatrix.net and they do a fantastic job cleaning out spam. To my knowledge there is no such service for SMS and the vulnerably of SMS is much more personal than typical email spam because in order for it to be threatening the sender needs to know the names of people in your contact list. The ability of apps to capture that data has already been addressed by Apple and I don't personally worry about spoofed SMS as I have really nothing private or secret on my phone and I am now aware of the situation so it poses little threat for me at this point, however others may be at more risk so I think Apple should try to do more to protect users from this hack.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #61 of 134
Quote:
Originally Posted by muppetry View Post

However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.
Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.

That's a big IF-- IF the sender number itself is spoofed. As far as we know, SMS is not the same as spoofing with SMTP. There is an apparent reluctance on the part of handset makers and/or telecoms to highlight the fact when an SMS sent-by and reply-to addresses differ.

post #62 of 134
Quote:
Originally Posted by Cpsro View Post

Too bad iMessage is unreliable!
(Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. lol.gif )

Wasn't THE BIG RED EXCLAMATION MARK next to the message just a bit of a giveaway?

😜😜😜
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
post #63 of 134

considdering i've got quite a few friends that can't do iMessage, what should we do to text them?

post #64 of 134
Quote:
Originally Posted by elrcastor View Post

considdering i've got quite a few friends that can't do iMessage, what should we do to text them?

Email, IMs, or you could just call them. Bottom line, this isn't an iPhone issue so Apple's response is just pimp their own services. This is all expected behaviour.

This bot has been removed from circulation due to a malfunctioning morality chip.

Reply

This bot has been removed from circulation due to a malfunctioning morality chip.

Reply
post #65 of 134

Why does everyone keep saying it's general SMS problem? It's apple's implementation that is insecure. Other phones do not interpret 'reply-to' as 'from' field.

post #66 of 134
Quote:
Originally Posted by dsk View Post

Why does everyone keep saying it's general SMS problem?

 

It's the SMS specification.  Something that Apple has no control over.
 
 
EDIT:  And it does affect other phones.  From MacWorld
 
Quote:
In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of websites offer SMS spoofing as a service, one that isn’t limited to Apple’s handsets. The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn’t show the original address.

So it isn't something that is specific to the iPhone but rather to the nature of SMS itself.  SMS is prone to spoofing.  

 

Edited by diddy - 8/19/12 at 12:02am
post #67 of 134
This IS an Apple/iPhone issue.

There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely besides the point - it's entirely up to the software developer.)

Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

Hopefully the final version of iOS 6 will fix this issue.
Edited by JohnnyW2001 - 8/19/12 at 6:26am
post #68 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

This IS an Apple/iPhone issue.
There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple to do this.
Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
Apple suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

 

Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

 

I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

 

I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

 

Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

post #69 of 134
Quote:
Originally Posted by nagromme View Post

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

 

The headline should read more along the lines of "ALL SMS capable phones are vulnerable to spoofed SMS headers due to the SMS specification and a lack of security checks by ALL carriers - only Apple iOS and Mountain Lion offer a secure alternative called iMessage which does include security protocols to block such insecure communications" of course that is too long to work as a 10 second sound bite. 

 

I find it odd that the service is called iMessage - but the app is named Messages in Mountain Lion - why not call the app iMessage?

 

Regarding emails, despite the obvious lack of security verification of header information, some services (Yahoo) even make is easy to change your reply to address. Now I am sure there are plenty of legitimate reasons to do so and spammers etc would get around it even if there was no easy user interface way to set your reply to differently that your actual email address - but I have seen a couple of windows makes where their Yahoo reply to and or Vacation auto response got changed by some malicious website code or something - and caused a bunch of trouble. Of course these are users who end up with 12 IE toolbars installed and call me claiming "my computer stopped working" in cases where one web site will not load or they accidentally hit the WiFi off button.

post #70 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

This IS an Apple/iPhone issue.
There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely besides the point - it's entirely up to the software developer.)
Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.
Hopefully the final version of iOS 6 will fix this issue.

This is absolutely false. You can also spoof the 'from' field:
http://www.youspoof.info/textSpoofing.html
"For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""

or:
http://spoofsms.net
"You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."

Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.

The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.

The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #71 of 134
A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.

Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.
post #72 of 134
Quote:
Originally Posted by rednival View Post

Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #73 of 134
Quote:
Originally Posted by jragosta View Post

Quote:
Originally Posted by rednival View Post

Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.

It's not completely false; while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.

Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.

Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.
post #74 of 134
Quote:
Originally Posted by muppetry View Post

It's not completely false;

Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
Quote:
Originally Posted by muppetry View Post

while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #75 of 134
Quote:
Originally Posted by RichL View Post

A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.
Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.

That's undoubtedly true.

The problem is that Apple has no control over the standard - they only control their own OS. So they have two options:
1. "We can't fix the problem because it's a problem with the standard itself so we're doing nothing"
or
2. "We can't fix the problem because it's a problem with the standard itself, but we can provide at least some level of security for people who use our products".

Clearly, Apple thinks the second option is the better one.

I agree completely that it's not the BEST solution - which would involve fixing the standard itself, but Apple can't do that, so they have to fall back to the best solution that's available to them.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #76 of 134
Quote:
Originally Posted by jragosta View Post

Quote:
Originally Posted by muppetry View Post

It's not completely false;

Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
Quote:
Originally Posted by muppetry View Post

while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.
post #77 of 134
Quote:
Originally Posted by muppetry View Post

Quote:
Originally Posted by jragosta View Post

Quote:
Originally Posted by muppetry View Post

It's not completely false;

Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
Quote:
Originally Posted by muppetry View Post

while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.
post #78 of 134

And I, in return, am going to urge Apple to get iMessages working as consistently as text messages. It's really frustrating when you sit there staring at a message trying to go out for a full 2 minutes before it times out and suggests you send it as an text message, which then goes off without a hitch.

 

I love the concept of iMessages, but damn, get the thing working already.

post #79 of 134
Quote:
Originally Posted by RichL View Post

A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.

Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.

And what do you propose as workaround for this that actually addresses the problem other than using iMessage or similar services?
post #80 of 134
Quote:
Originally Posted by Vaelian View Post


This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.

OK - that may be true, but what the hacker actually said was:
Quote:
The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.

He, and others seem to be arguing that of the current smartphone operating systems, only iOS displays the "Reply-To" field, but I guess that he does not explicitly state that anywhere.

I agree that the issue as a whole is overblown, and, in particular, that the distinction between reply-to spoofing and from spoofing is overblown.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › Apple urges users to stick with iMessage to avoid iPhone SMS spoofing