Apple urges users to stick with iMessage to avoid iPhone SMS spoofing

12467

Comments

  • Reply 61 of 137
    hill60hill60 Posts: 6,992member
    cpsro wrote: »
    Too bad iMessage is unreliable!
    (Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. :lol: )

    Wasn't THE BIG RED EXCLAMATION MARK next to the message just a bit of a giveaway?

    ????????????
  • Reply 62 of 137


    considdering i've got quite a few friends that can't do iMessage, what should we do to text them?

  • Reply 63 of 137
    solipsismxsolipsismx Posts: 19,566member
    elrcastor wrote: »
    considdering i've got quite a few friends that can't do iMessage, what should we do to text them?

    Email, IMs, or you could just call them. Bottom line, this isn't an iPhone issue so Apple's response is just pimp their own services. This is all expected behaviour.
  • Reply 64 of 137
    dskdsk Posts: 18member


    Why does everyone keep saying it's general SMS problem? It's apple's implementation that is insecure. Other phones do not interpret 'reply-to' as 'from' field.

  • Reply 65 of 137
    diddydiddy Posts: 282member

    Quote:

    Originally Posted by dsk View Post


    Why does everyone keep saying it's general SMS problem?



     

    #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }

    It's the SMS specification.  Something that Apple has no control over.


    #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }

     


     


    EDIT:  And it does affect other phones.  From MacWorld


     



    Quote:


    In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of websites offer SMS spoofing as a service, one that isn’t limited to Apple’s handsets. The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn’t show the original address.



    So it isn't something that is specific to the iPhone but rather to the nature of SMS itself.  SMS is prone to spoofing.  



    #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }

     
  • Reply 66 of 137
    [COLOR=red]This IS an Apple/iPhone issue.[/COLOR]

    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely besides the point - it's entirely up to the software developer.)

    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

    Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

    Hopefully the final version of iOS 6 will fix this issue.
  • Reply 67 of 137
    rednivalrednival Posts: 331member

    Quote:

    Originally Posted by JohnnyW2001 View Post



    This IS an Apple/iPhone issue.

    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple to do this.

    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

    Apple suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.


     


    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.


     


    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.


     


    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.


     


    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

  • Reply 68 of 137
    rednivalrednival Posts: 331member

    deleted - dupe
  • Reply 69 of 137
    lilgto64lilgto64 Posts: 1,147member

    Quote:

    Originally Posted by nagromme View Post


    Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)



     


    The headline should read more along the lines of "ALL SMS capable phones are vulnerable to spoofed SMS headers due to the SMS specification and a lack of security checks by ALL carriers - only Apple iOS and Mountain Lion offer a secure alternative called iMessage which does include security protocols to block such insecure communications" of course that is too long to work as a 10 second sound bite. 


     


    I find it odd that the service is called iMessage - but the app is named Messages in Mountain Lion - why not call the app iMessage?


     


    Regarding emails, despite the obvious lack of security verification of header information, some services (Yahoo) even make is easy to change your reply to address. Now I am sure there are plenty of legitimate reasons to do so and spammers etc would get around it even if there was no easy user interface way to set your reply to differently that your actual email address - but I have seen a couple of windows makes where their Yahoo reply to and or Vacation auto response got changed by some malicious website code or something - and caused a bunch of trouble. Of course these are users who end up with 12 IE toolbars installed and call me claiming "my computer stopped working" in cases where one web site will not load or they accidentally hit the WiFi off button.


     
  • Reply 70 of 137
    jragostajragosta Posts: 10,473member
    This IS an Apple/iPhone issue.
    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely besides the point - it's entirely up to the software developer.)
    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
    Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.
    Hopefully the final version of iOS 6 will fix this issue.

    This is absolutely false. You can also spoof the 'from' field:
    http://www.youspoof.info/textSpoofing.html
    "For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""

    or:
    http://spoofsms.net
    "You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."

    Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.

    The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.

    The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.
  • Reply 71 of 137
    richlrichl Posts: 2,213member
    A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.

    Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.
  • Reply 72 of 137
    jragostajragosta Posts: 10,473member
    rednival wrote: »
    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

    As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

    I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.
  • Reply 73 of 137
    muppetrymuppetry Posts: 3,328member
    jragosta wrote: »
    rednival wrote: »
    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

    As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

    I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.

    It's not completely false; while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.

    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.

    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.
  • Reply 74 of 137
    jragostajragosta Posts: 10,473member
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.
  • Reply 75 of 137
    jragostajragosta Posts: 10,473member
    richl wrote: »
    A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.
    Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.

    That's undoubtedly true.

    The problem is that Apple has no control over the standard - they only control their own OS. So they have two options:
    1. "We can't fix the problem because it's a problem with the standard itself so we're doing nothing"
    or
    2. "We can't fix the problem because it's a problem with the standard itself, but we can provide at least some level of security for people who use our products".

    Clearly, Apple thinks the second option is the better one.

    I agree completely that it's not the BEST solution - which would involve fixing the standard itself, but Apple can't do that, so they have to fall back to the best solution that's available to them.
  • Reply 76 of 137
    muppetrymuppetry Posts: 3,328member
    jragosta wrote: »
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.
  • Reply 77 of 137
    vaelianvaelian Posts: 446member
    muppetry wrote: »
    jragosta wrote: »
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

    This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.
  • Reply 78 of 137


    And I, in return, am going to urge Apple to get iMessages working as consistently as text messages. It's really frustrating when you sit there staring at a message trying to go out for a full 2 minutes before it times out and suggests you send it as an text message, which then goes off without a hitch.


     


    I love the concept of iMessages, but damn, get the thing working already.

  • Reply 79 of 137
    vaelianvaelian Posts: 446member
    richl wrote: »
    A proprierity technology, no matter how good, is not a suitable replacement for an open obiqiutous standard.

    Whilst there's no solution to this issue, there's certainly wokrarounds that Apple could implement.

    And what do you propose as workaround for this that actually addresses the problem other than using iMessage or similar services?
  • Reply 80 of 137
    muppetrymuppetry Posts: 3,328member
    vaelian wrote: »

    This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.

    OK - that may be true, but what the hacker actually said was:
    The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.

    He, and others seem to be arguing that of the current smartphone operating systems, only iOS displays the "Reply-To" field, but I guess that he does not explicitly state that anywhere.

    I agree that the issue as a whole is overblown, and, in particular, that the distinction between reply-to spoofing and from spoofing is overblown.
Sign In or Register to comment.