Apple urges users to stick with iMessage to avoid iPhone SMS spoofing - Page 2

Quote:

Originally Posted by 28jp 

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

 

It started working really good when i had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.

 

Even when using Wi-Fi... it sucks!

 

Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.

 

If they would acknowledge and fix the problem, I would definitely use it.

I never had the problems you've experienced. I have Verizon. Works great for me... even over wifi. Could be your phone or the at&t network.

Quote:

Originally Posted by joeblowjapan 

But really, if it's such a problem for some, why not just email from your phone instead?  I often wonder why Americans & Europeans are so hooked on texting.

It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

Quote:

Originally Posted by mstone 

It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.

 

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

I think a lot of the issues you listed could, theoretically, be solved with an email client that behaved the way you describe if someone really wanted to make one. But the real problem with emails is that over half of the cell phones in use are not smartphones, so emails won't work in a lot of instances. Also, SMS messages can usually get through in low signal environments were you might not get an email to go through. I have no specific figures, but I suspect an SMS is far less data being exchanged than an email with an equivalent length message. And finally, for email to be a viable option, you have to assume that everyone has push email turned on. (I for one, don't.)

For email to replace SMS, it has to be as universally available. Otherwise every time you want to send a message you need to wonder if the person will actually get it in a timely fashion. 

Quote:

Originally Posted by mstone 

 

I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

You're not too rare, it's the same with me.  Agree with what you're saying.  My list of top people I get texts/messages from is full of people who could be using iMessage but aren't.

When reviewing the settings for messages, it appears that the iPhone with iOS version 5.1.1 defaults to iMessage if possible and only uses SMS when iMessage is unavailable.

So iMessage is the preferred messaging system with 5.1.1. I'd just leave the settings as they are.

This is much to do about nothing even if hacked SMS messages come to your iPhone. Just being aware of this possibility is all that is needed anyway.

iMessage has always worked fine for me, never had an undelivered message or speed issue. But I'm not on AT&T, not even in the US. However, iMessage is still not grouping together messages from same person or group of people.

Quote:

Originally Posted by jragosta 


As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.
It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.

I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

I've had a couple times where I had to resend the message but it's certainly yards better than standard SMS.

Quote:

Originally Posted by muppetry 


The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

I was wondering how that came about but even since the iChat days it was possible to send and SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

Quote:

Originally Posted by Vaelian 


The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this is predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).

I have received telemarketing calls from 000-000-0000

Too bad iMessage is unreliable!

(Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. )

Quote:

Originally Posted by muppetry 

However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.
Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.

That's a big IF-- IF the sender number itself is spoofed. As far as we know, SMS is not the same as spoofing with SMTP. There is an apparent reluctance on the part of handset makers and/or telecoms to highlight the fact when an SMS sent-by and reply-to addresses differ.

considdering i've got quite a few friends that can't do iMessage, what should we do to text them?

Why does everyone keep saying it's general SMS problem? It's apple's implementation that is insecure. Other phones do not interpret 'reply-to' as 'from' field.

Quote:

Originally Posted by JohnnyW2001 

This IS an Apple/iPhone issue.
There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple to do this.
Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
Apple suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

Quote:

Originally Posted by nagromme 

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

The headline should read more along the lines of "ALL SMS capable phones are vulnerable to spoofed SMS headers due to the SMS specification and a lack of security checks by ALL carriers - only Apple iOS and Mountain Lion offer a secure alternative called iMessage which does include security protocols to block such insecure communications" of course that is too long to work as a 10 second sound bite. 

I find it odd that the service is called iMessage - but the app is named Messages in Mountain Lion - why not call the app iMessage?

Regarding emails, despite the obvious lack of security verification of header information, some services (Yahoo) even make is easy to change your reply to address. Now I am sure there are plenty of legitimate reasons to do so and spammers etc would get around it even if there was no easy user interface way to set your reply to differently that your actual email address - but I have seen a couple of windows makes where their Yahoo reply to and or Vacation auto response got changed by some malicious website code or something - and caused a bunch of trouble. Of course these are users who end up with 12 IE toolbars installed and call me claiming "my computer stopped working" in cases where one web site will not load or they accidentally hit the WiFi off button.

And I, in return, am going to urge Apple to get iMessages working as consistently as text messages. It's really frustrating when you sit there staring at a message trying to go out for a full 2 minutes before it times out and suggests you send it as an text message, which then goes off without a hitch.

I love the concept of iMessages, but damn, get the thing working already.