Apple urges users to stick with iMessage to avoid iPhone SMS spoofing

13567

Comments

  • Reply 41 of 137
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by joeblowjapan View Post


    But really, if it's such a problem for some, why not just email from your phone instead?  I often wonder why Americans & Europeans are so hooked on texting.



    It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

  • Reply 42 of 137
    jragostajragosta Posts: 10,473member
    agramonte wrote: »
    Apple should just say that they are working on a solution - suggesting iMessenger is a viable solution to SMS is just idiotic.

    Not as idiotic as people suggesting that Apple can do something to fix the inherent problems with SMS in some way other than creating and trusting only their own app.
  • Reply 43 of 137
    wigginwiggin Posts: 2,265member

    Quote:

    Originally Posted by mstone View Post


    It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 



     


    I think a lot of the issues you listed could, theoretically, be solved with an email client that behaved the way you describe if someone really wanted to make one. But the real problem with emails is that over half of the cell phones in use are not smartphones, so emails won't work in a lot of instances. Also, SMS messages can usually get through in low signal environments were you might not get an email to go through. I have no specific figures, but I suspect an SMS is far less data being exchanged than an email with an equivalent length message. And finally, for email to be a viable option, you have to assume that everyone has push email turned on. (I for one, don't.)


     


    For email to replace SMS, it has to be as universally available. Otherwise every time you want to send a message you need to wonder if the person will actually get it in a timely fashion. 

  • Reply 44 of 137
    jlanddjlandd Posts: 873member

    Quote:

    Originally Posted by mstone View Post


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 



     


    You're not too rare, it's the same with me.  Agree with what you're saying.  My list of top people I get texts/messages from is full of people who could be using iMessage but aren't.

  • Reply 45 of 137
    zebrazebra Posts: 35member


    When reviewing the settings for messages, it appears that the iPhone with iOS version 5.1.1 defaults to iMessage if possible and only uses SMS when iMessage is unavailable.


     


    So iMessage is the preferred messaging system with 5.1.1. I'd just leave the settings as they are.


     


    This is much to do about nothing even if hacked SMS messages come to your iPhone. Just being aware of this possibility is all that is needed anyway.

  • Reply 46 of 137
    Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.
  • Reply 47 of 137
    jragostajragosta Posts: 10,473member
    Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.

    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
  • Reply 48 of 137
    mike54mike54 Posts: 433member


    iMessage has always worked fine for me, never had an undelivered message or speed issue. But I'm not on AT&T, not even in the US. However, iMessage is still not grouping together messages from same person or group of people.

  • Reply 49 of 137
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by jragosta View Post





    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.


    I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

  • Reply 50 of 137


    I've had a couple times where I had to resend the message but it's certainly yards better than standard SMS.

  • Reply 51 of 137
    muppetrymuppetry Posts: 3,328member
    mstone wrote: »
    jragosta wrote: »
    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
    I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
  • Reply 52 of 137
    vaelianvaelian Posts: 446member
    wiggin wrote: »

    The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this is predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).
  • Reply 53 of 137
    wovelwovel Posts: 956member
    By a real solution I mean a fix for the SMS spoofing so it's not just through iMessage that users are safe. We need it to be safe even if the person you are communicating with doesn't have an iPhone.

    You will need to fix the SMS protocol and every carrier in the world.

    Eventually SMS will just need to go away. It was ok when you could not do much harm through SMS. Now with smartphones and people sending links through SMS it COULD be a problem. Every smart phone on earth is just as vulnerable as the iPhone. It is not hard to spoof an SMS message sender field. I am not sure why anyone is concerned at all about the reply-to field.
  • Reply 54 of 137
    wovelwovel Posts: 956member
    muppetry wrote: »
    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

    A scammer will probably just spoof the sender field. It is not hard.
  • Reply 55 of 137
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by muppetry View Post





    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.


    I was wondering how that came about but even since the iChat days it was possible to send and SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

  • Reply 56 of 137
    muppetrymuppetry Posts: 3,328member
    mstone wrote: »
    muppetry wrote: »
    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
    I was wondering how that came about but even since the iChat days it was possible to send and SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

    However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.
  • Reply 57 of 137
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by Vaelian View Post





    The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this is predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).


    I have received telemarketing calls from 000-000-0000

  • Reply 58 of 137
    cpsrocpsro Posts: 2,825member


    Too bad iMessage is unreliable!


    (Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. image)

  • Reply 59 of 137
    mstonemstone Posts: 11,510member
    muppetry wrote: »

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.

    The comparison to email has been made a few times in this thread however there are services and applications which can clean out spam almost 100%. As I have mentioned in the past I use mxmatrix.net and they do a fantastic job cleaning out spam. To my knowledge there is no such service for SMS and the vulnerably of SMS is much more personal than typical email spam because in order for it to be threatening the sender needs to know the names of people in your contact list. The ability of apps to capture that data has already been addressed by Apple and I don't personally worry about spoofed SMS as I have really nothing private or secret on my phone and I am now aware of the situation so it poses little threat for me at this point, however others may be at more risk so I think Apple should try to do more to protect users from this hack.
  • Reply 60 of 137
    cpsrocpsro Posts: 2,825member

    Quote:

    Originally Posted by muppetry View Post



    However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.


    That's a big IF-- IF the sender number itself is spoofed. As far as we know, SMS is not the same as spoofing with SMTP. There is an apparent reluctance on the part of handset makers and/or telecoms to highlight the fact when an SMS sent-by and reply-to addresses differ.

Sign In or Register to comment.