Apple urges users to stick with iMessage to avoid iPhone SMS spoofing - Page 3

Quote:

Originally Posted by muppetry 


It's not completely false; while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

Quote:

Originally Posted by jragosta 


This is absolutely false. You can also spoof the 'from' field:
http://www.youspoof.info/textSpoofing.html
"For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""
or:
http://spoofsms.net
"You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."
Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.
The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.
The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.

Spoofing the "From" header is different than spoofing the "Reply-to".  Perhaps that is a very technical distinction, but I am a technical person.  So saying one thing is the same as another, when technically it is not, is incorrect (though I understand your logic).  

If other phones that recognize the "reply-to" header and use that to override "from", they are as wrong as the iPhone.  It does appear to me that while all phones are vulnerable to a "From" spoof, not ALL phones recognize the "reply-to" header the way the iPhone does.  It may be true that all phones that recognize the "reply-to" header handle it the way the iPhone does, but I couldn't even verify that.  That said, you are right in saying that ALL phones are vulnerable to the "From" field spoofing, BUT that is a completely different issue than the method described and being discussed here.

Spoofing the "From" field is more of a carrier issue, where spoofing the "reply-to" is an phone issue (regardless of who made the phone). In the case of email, SMTP servers usually verify that the server sending the message is allowed to send emails for the domain that appears in the  "From" field.  So for email, "from" field spoofing is controlled by the ISP/email servers, not the email client.  Notifying a user of a different reply-to address, that is controlled by the email client.  The point is, "From" field is verified by the ISP/Email server, and giving the similarities with SMS, it would almost certainly have to be the same way.  

To end spoofing you have to fix both issues.  To say that Apple doesn't need to do anything because the other issue still exists to me is incorrect and distracts from the actual issue being talked about.  To stop spoofing you have to address both issues: one is a carrier issue and one is a handset maker issue.  If anything, Apple should fix the reply-to issue and use their influence to pressure carriers to address "from" field spoofing.  As it stands, I think carriers have little motivation to fix the issue.  They potentially get paid for every message they send, so verifying and blocking certain messages would ultimately hurt their bottom line.  That was never an issue that ISP/email providers had to overcome.

OH?? ALL your contacts don't have iMessage?? Well, why not?? Get them over to iMessage and you won't have a problem, now will you??

Just ask ANY of our retail employees that, Ooops, they've been laid off, no - wait - we're going to reverse that decision - no wait for it - no, YES!!! You've all been rehired.. Just in time for us to cut your pay... No - Wait - we promised you a pay increase last month - no - wait - are you sure - no - wait - YES WE DID !!! Yeah.. NOW we got the story straight - no - wait - - - - - .....

These guys have REALLY acted like jackasses over the last few months...

Originally Posted by Bwinski 
Just ask ANY of our retail employees that, Ooops, they've been laid off, no - wait - we're going to reverse that decision - no wait for it - no, YES!!! You've all been rehired.. Just in time for us to cut your pay... No - Wait - we promised you a pay increase last month - no - wait - are you sure - no - wait - YES WE DID !!! Yeah.. NOW we got the story straight - no - wait - - - - - .....

 

These guys have REALLY acted like jackasses over the last few months...

You've been reading too much Gizmodo/WSJ.

Could be, but it certainly feels that way. I've had TWO run ins with the Apple store 'genius' personnel lately in two different locations and IT WAS AWFUL. SO, i speak from a bit of very personal, recent experience...

Quote:

Originally Posted by nagromme 

Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)

Hi Nagromme, if you're asking if there is an iPhone specific problem on AppleInsider your answer is almost always going to come back a little dogmatically as"'No, the iPhone has no flaws and is BETTER!" :p  Reading some of these responses that seems to be the direction they are headed and they are wrong in this case.

If my analogy below confuses you, heres a link to more info:  http://www.informationweek.com/security/mobile/android-and-blackberry-safer-than-ios-fo/240006075

Remember 'caller id' on those old fashioned wall phones?  When you called someone from your home phone, if they had caller id, it would automatically tell them it was you calling.  You had no input.  Your carrier had the technology to recognize it was your hardware.  That is the equivalent of 'from' in an SMS message.  It is not impossible, but it is very difficult to spoof- and in an SMS text would usually require knowledge of your victims carrier and access to their carriers' SMSC servers to hack.  It would open the hackers up to substantial criminal penalty.  Any phone, whether android or Apple even using iMessage, would be prone to this attack.  This type of attack isn't common because it is generally traceable and hard to execute.  Those sites listed above do not work in the US or Canada.  Feel free to try them if you wish.  Some use the 'reply to' method (even though it says 'from' on their site) and hope your user has an iPhone- in which case they will work.  Some offer Android apps for you to download in order for them to work.  Your victims (if using Android phones) would need to have that software installed too which renders the attack pretty much useless.

Back to our 'caller id' example.  Imagine if you called someone and your carrier, instead of using the information from your hardware, gave you a message 'please enter your phone number identifying who you are' and you now had to key in your phone number.  Imagine it used the number you yourself keyed in to identify you to whomever you were calling...  Not rocket science here.  You could type in any number you wanted and that is whom it would tell your recipient was calling.  If you looked up Apple's or IBM's corporate phone numbers you could type that in and it would tell your recipient that Apple (or IBM, or whomever) was calling.  Very easy to do.  No hacking required.  That is the equivalent of 'reply to' spoofing.

'Reply To' *is* built into the SMS protocol and is quite useful.  AT&T can send you a promotional SMS message.   Some phones would tell you that the message is FROM: AT&T and that you should REPLY TO: ATTPROMO or something like that.  No problem.  The poor choice Apple made (and I cringe to say that on this site) is that they use the 'Reply To' field that your sender has control of to tell you that is who the message is FROM.  So I can send you a bogus malicious message that you might not normally fall for, but when you look at the FROM field and see that it is 'FROM: facebook.com' you will decide it is safe and fall for it.

With that, the 'vulnerability' is way overblown.  People can't hack your information or take over your phone with it.  They can only fool you into trusting them.  As long as you don't trust anybody sending you texts requiring dubious action on your part- there is no vulnerability.

Apple unfortunately doesn't like to admit error.  They issued a pretty brilliant response as usual, but its a little bit of misdirection.  Their statement is that the 'Reply To' field is built into SMS and is there on all phones- which is an absolutely true statement.  They then say if you use iMessage you will not be prone to the attack- which is also an absolutely true statement.  What they leave out is that the flaw in the iPhone was due to their less than optimal choice of using the 'Reply To' field in the header to tell you that that is where the text came 'From' and that they will (hopefully) correct their mistake in future versions.  Any Android phone that has software that chooses to use the 'Reply To' field as the 'From' indicator would be prone to the same spoofing, but I guess that was one area they chose not to copy Apple. :p

For the record I was a long time Apple user and loved my iPhone until Apple kept insisting that I wanted a puny 3.5" screen.  They were dead wrong and 'forced' me to switch to my giant screen Android phone.  My 'dirty secret' is that I actually think both phones are great so I'm a little out of place on either an Apple or Android site.  If Apple bumps up the screen size a little more and introduces usable mainstream widgets instead of the stone age 'icon grids' I'll be back in line for the iPhone 6  =)  ( as long as Android hasn't implemented a feature that cooks for me and cleans my house )   Hooray competition!

Quote:

Originally Posted by hill60 


Wasn't THE BIG RED EXCLAMATION MARK next to the message just a bit of a giveaway?
😜😜😜

Oh, yeah, really helpful. with notification coming a WEEK+ AFTER THE FACT. Kapisch???

Originally Posted by Frood 

If Apple… …introduces usable mainstream widgets… 

What does this even mean? What is the point of this? Live updating icons would do just the same. And I've just had a thought for how… ooh. I gotta write that down and mock it up…

Funny how when you have the stone, those without want to steal it from you.

*narrows eyes*

Quote:

Originally Posted by Cpsro 

Too bad iMessage is unreliable!

(Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered)

I've had the same thing happen with SMS messages on Verizon.  I can't say I've found iMessage to be any less reliable...

Funny thing is, SMS was the one thing AT&T seemed to do better than Verizon.  I don't recall ever having problems sending or receiving messages in a timely fashion with them.  With Verizon it's a crapshoot, and it has been for years.  Had the same lousy SMS experience when I was with them prior to getting my iPhone in 2009.

Go figure.

Quote:

Originally Posted by Bwinski 

Could be, but it certainly feels that way. I've had TWO run ins with the Apple store 'genius' personnel lately in two different locations and IT WAS AWFUL. SO, i speak from a bit of very personal, recent experience...

 

So take your two poor experiences and broadly describe it as the norm. Such hubris.

Quote:

Originally Posted by 28jp 

Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.

 

It started working really good when i had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.

 

Even when using Wi-Fi... it sucks!

 

Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.

 

If they would acknowledge and fix the problem, I would definitely use it.

Bullcrap... 1st post to spam/troll... 

Quote:

Originally Posted by Tallest Skil 

 

What does this even mean? What is the point of this? Live updating icons would do just the same. And I've just had a thought for how… ooh. I gotta write that down and mock it up…

 

 

Funny how when you have the stone, those without want to steal it from you.

 

 

*narrows eyes*

Hi Tallest,   I originally just wanted to say 'I hope apple implements widgets' but then a fan would likely

point out to me that Apple already has widgets- so I added the 'usable maintstream' qualifiers because the current versions on Apple are neither.  I don't know much about live tiles but I'd guess they are fairly similar to widgets as long as they are resizable and not limited to having a defined structure with just an info update on them (like an email counter going up a number or two)... 

After the big screen, widgets were the big surprise moving from iOS to Android for me.  I had a 'weather app' and a 'stock market app' and 'news app(s)' on my iPhone , but having them executing continuously on my home screen as widgets pretty radically changes how useful they are to me and how I interact with them  The 'stone age' comment wasn't really a slam on Apple as much as encouragging them to progress from it. I still use my iPhone (it has no SIM card) for games for my nieces and as a metronome, but every time I turn it on it seems like I'm 'moving backward..  I still use an icon grid on my Android phone because it is a good way to cram a ton of apps together, but its not until 3 pages removed from my home screen- and I rarely go there- the widgets have me covered for 95% of what I want to do.  Do wish Android would learn the 'smoothness' of Apple though.  With all that going on it does occasionally get a little hitch in its giddy'up when swiping around that my iPhone never had.

Would be a nice touch if they gave the iFive  a smart swipe to unlock as well- ie if you swipe left to right it does what it does now and opens up to home screen.  If you swipe from bottom to top it opens straight to text messaging, if you swipe right to left it opens straight to your phone with your 'favorites showing.' etc.  Looking forward to the iFive release and I'm sure its going to have a trick or two up its sleeve that leaves me a little envious.

Originally Posted by Frood 

…Apple already has widgets- so I added the 'usable maintstream' qualifiers because the current versions on Apple are neither.

Wait, do they? I genuinely don't know what people mean by "widgets" unless they're talking about those two-space things you sometimes see on Android phones. I just don't get the benefit of those over app icons that update to show you content (sort of like The Interface Formerly Known As Metro, but simpler). 

Oh, and I can understand that, certainly. Why the Weather app on iOS hasn't always (since iPhone OS 1!) shown the current weather of your leftmost city, I'll never know. And seeing your topmost stock's current status would be great.

… I thought that was just an auto-correct gaffe until I saw it again and realized what you were talking about. I seethed. 

But I can't stay mad at you, you zarkin' frood. 

Anyway, about that idea, it's interesting, but I don't see Apple doing it when it happens also through notifications. I realize you have to receive a notification to get that to be available, but I also think that their desire is to make sure the user knows exactly what will happen when they perform an action, which is something that multi-directional swiping would make more blurry.

Quote:

Originally Posted by Tallest Skil 

 

Wait, do they? I genuinely don't know what people mean by "widgets" unless they're talking about those two-space things you sometimes see on Android phones. I just don't get the benefit of those over app icons that update to show you content (sort of like The Interface Formerly Known As Metro, but simpler). 

 

 

Oh, and I can understand that, certainly. Why the Weather app on iOS hasn't always (since iPhone OS 1!) shown the current weather of your leftmost city, I'll never know. And seeing your topmost stock's current status would be great.

 

 

… I thought that was just an auto-correct gaffe until I saw it again and realized what you were talking about. I seethed. 

 

But I can't stay mad at you, you zarkin' frood. 

 

Anyway, about that idea, it's interesting, but I don't see Apple doing it when it happens also through notifications. I realize you have to receive a notification to get that to be available, but I also think that their desire is to make sure the user knows exactly what will happen when they perform an action, which is something that multi-directional swiping would make more blurry.

Sorry on the iFive.  I thought it was kind of cool and even catchy.  If its a cause for 'seething' I'll call it the iPhone 5 moving forward.  Glad you got the Hitchhiker's reference =) 

And on the widgets, I think you are still thinking small:

Why the Weather app on iOS hasn't always (since iPhone OS 1!) shown the current weather of your leftmost city, I'll never know. And seeing your topmost stock's current status would be great.

For current weather I look out the window :p  My widget shows me the next 5 days in graphical display.  I rarely used my weather app- mostly because it just never hit me to check whether until I went outside and found it was raining :/  With it on my home screen I'm always using it because its hard to miss.  My stock widget doesn't look like an icon and just show me my topmost stocks status- it is implemented as an actual stock ticker that scrolls across my screen with options to show daily highs/lows etc.  Instead of scrolling whole indexes, I have it set to only show stocks that are actually in my portfolio so all the info is relevant to me.  If I notice one moved (hopefully upward) I just have to touch it and it opens up the actual app where it has all the latest news on that particular stock available.

Nothing I couldn't do on my iPhone, but the implementation is just more natural since the information is continually right there.

Originally Posted by Frood 
Sorry on the iFive.  I thought it was kind of cool and even catchy.  If its a cause for 'seething' I'll call it the iPhone 5 moving forward.  Glad you got the Hitchhiker's reference =) 

I'd prefer you'd drop the number entirely. 

It'd have to be pretty long for that, eh? Ooh! how about this, a corner (or top bar/percent of) of the icon changes to the NOAA standard color for whatever watch or warning is in effect for the area? So severe thunderstorm watch would be a yellow highlight, tornado warning a red, flood a green, etc… 

Quote:

Originally Posted by mdriftmeyer 

 

iMessage works well. Too bad you comment and don't specifically detail how you come to that comment's conclusion.

Well, he does specifically state that iMessage does NOT work well for him, and explains why. Being God, I guess you know better?

Quote:

Originally Posted by jragosta 


Not at all. The report (and the thousands of 'me, too' reports) act as though spoofing is something that can only happen to iPhones.
In reality, the overwhelming majority of spoofs use the 'from' header and therefore affect everyone.

The problem, as Apple stated, lies with the SMS specification. However, unless you're texting to another iPhone which has iMessage, you can't use iMessage.

The "solution" probably is to type in numbers by hand/selection from address book.

Quote:

Originally Posted by muppetry 


The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

Hmmm, that's a very interesting post. It would definitely make the problem lie with Apple, even though, of course, the spec is still insecure.

Quote:

Originally Posted by Tallest Skil 

 

I'd prefer you'd drop the number entirely. 

 

 

What's wrong with the sixth iPhone being called iPhone 5 really? As long as it just works? What I can tell you is I was talking phones (and perfume, but it's unrelated) with a group of girls saturday and they all are waiting for iPhone 5...

Quote:

Originally Posted by dagta 

I love iMessage, but many messages have to be sent as SMS, and it seems to be random when it works and when it doesn't. Most of the time it works, but I will say that it doesn't about 10-15% of the time. Both sender and receiver have wifi and iPhone 4S. Even worse is pictures ("MMS") which 95% of the time doesn't work with iMessage. I've experienced it taking 15 minutes to send 3 pictures with iMessage on a 12MBit/s wifi. Using real MMS sending the same pictures takes about 15 seconds. But the real problem here is that most of the time it doesn't work at all. I'm from Norway and I have normal 3G and wifi without other problems.

So why exactly do you "love" it?   

Quote:

Originally Posted by JohnnyW2001 

This IS an Apple/iPhone issue.
There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely besides the point - it's entirely up to the software developer.)
Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.
Hopefully the final version of iOS 6 will fix this issue.

No, it is an SMS problem - its exactly the same problem that plagues SMTP but you don't see people throwing bricks at Microsoft's house over outlook. I've owned loads of phones (both feature and smart) including the iPhone and I've gotten spoof SMS messages on all of them. Weather or not the reply-to field is present and is or is not removing the From field from the user's view is irrelevant - if "Reply-To" is set, it will reply to that address, if its not, it will use the address in the "From" field - who you are replying too (and therefore who you are potentially giving money by texting) is far more important than the automated spam bot that processed it. On the iPhone and Windows Phone 7 (to name two) where the message came from is clearly displayed in the list of message threads anyway in big bold letters! But that is also irrelevant because the From field can be spoofed as well and its alarmingly easy. All I have to do is write the following in the header section of an SMS message before sending:

From: <number>

The problem lies with the carriers who should implement spam checking on SMS messages before they are delivered to your inbox.

The only thing Apple are guilty of right now is using the already present scare mongering media drivel to dupe thick-headed yahoo's into using iMessage with the weak excuse of "ish sayfur".

Disclaimer: I use a Windows Phone

EDIT: You also stated that the Reply-To field is supposed to be filled by the user. No, it isn't. The nature of SMS does not allow that. You have three options: Delete, Forward or Send. Technically, in SMS, there is no such thing as a Reply function - There is nothing to show if a message is a response to a previous one. The only thing you have to go on is the originating user - this is how threads are organised on any phone.

Quote:

Originally Posted by benanderson89 

No, it is an SMS problem - its exactly the same problem that plagues SMTP but you don't see people throwing bricks at Microsoft's house over outlook.

 

People ARE throwing bricks at MS over Hotmail though ^^

Found the guy who uses the word "Yahoo".

Quote:

Originally Posted by benanderson89 

 thick-headed yahoo's 

Quote:

Originally Posted by jragosta 


This is absolutely false. You can also spoof the 'from' field:
http://www.youspoof.info/textSpoofing.html
"For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""
or:
http://spoofsms.net
"You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."
Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.
The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.
The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.

I'm sorry but you're entirely incorrect. The issue was raised by a blogger called pod2g, and that's the issue I described. It's also the issue that AppleInsider reported about, and it's the issue which Apple themselves are responding to.

You can read the original blog post here: http://pod2g-ios.blogspot.co.uk/2012/08/never-trust-sms-ios-text-spoofing.html

You can read AppleInsider's original news post here: http://www.appleinsider.com/articles/12/08/17/hacker_discovers_iphone_sms_spoofing_issue_asks_apple_to_fix_for_ios_6.html

And you can read Apple's original statement to Engadget, which makes reference to this REPLY-TO field issue: http://www.engadget.com/2012/08/18/apple-responds-to-iphone-text-message-spoofing/

This is nothing to do with the SMS standard.

Once again, this is entirely Apple's fault.

On an unrelated note: It's also worth pointing out that Email has many anti-spam and verification processes. I'm not entirely sure why everyone is regurgitating the nonsense that it doesn't. Technologies like DKIM and Domain Keys, as well as server blacklists, have been verifying the origin servers for years.