Apple urges users to stick with iMessage to avoid iPhone SMS spoofing


Comments

  • Reply 81 of 137
    jragosta Posts: 10,473 member
    vaelian wrote: »
    And what do you propose as workaround for this that actually addresses the problem other than using iMessage or similar services?

    The only workaround is for other companies to do what Apple does with iMessage - and use the optional fields so that they can mark potentially spoofed messages. Unfortunately, that's entirely outside of Apple's control.
    muppetry wrote: »
    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

    That's a foolish distinction. There's no difference in the difficulty of spoofing 'reply to' and 'from' fields. If anything, it further reinforces Apple's advantage. If a hacker is going to spoof a field, they're more likely to spoof the 'from' field since that's what most phones use. So, by your own logic, iOS is BETTER than other phone operating systems.

    In fact, the links I provided above confirm that. Most of the third party 'anonymizer' sites talk about SMS spoofing, they are all spoofing the 'from' field, not the 'reply to' field. So iOS would not be spoofed while the majority of phones would be.

    So why is it that the first 26 hits on a search for 'sms spoof' are all about iOS?

    My guess is that the guy who started this didn't realize that you could spoof both 'from' and 'reply to' fields and thought he had discovered a real vulnerability with iOS.
  • Reply 82 of 137

    Quote:

    Originally Posted by muppetry View Post





    It's not completely false; while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.

    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.

    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.


     


     


    Quote:

    Originally Posted by jragosta View Post





    This is absolutely false. You can also spoof the 'from' field:

    http://www.youspoof.info/textSpoofing.html

    "For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""

    or:

    http://spoofsms.net

    "You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."

    Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.

    The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.

    The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.


     


    Spoofing the "From" header is different than spoofing the "Reply-to".  Perhaps that is a very technical distinction, but I am a technical person.  So saying one thing is the same as another, when technically it is not, is incorrect (though I understand your logic).  


     


    If other phones recognize the "reply-to" header and use that to override "from", they are as wrong as the iPhone.  It does appear to me that while all phones are vulnerable to a "From" spoof, not ALL phones recognize the "reply-to" header the way the iPhone does.  It may be true that all phones that recognize the "reply-to" header handle it the way the iPhone does, but I couldn't even verify that.  That said, you are right in saying that ALL phones are vulnerable to the "From" field spoofing, BUT that is a completely different issue than the method described and being discussed here.


     


    Spoofing the "From" field is more of a carrier issue, where spoofing the "reply-to" is a phone issue (regardless of who made the phone). In the case of email, SMTP servers usually verify that the server sending the message is allowed to send emails for the domain that appears in the "From" field.  So for email, "from" field spoofing is controlled by the ISP/email servers, not the email client.  Notifying a user of a different reply-to address, that is controlled by the email client.  The point is, "From" field is verified by the ISP/Email server, and given the similarities with SMS, it would almost certainly have to be the same way.


     


    To end spoofing you have to fix both issues.  To say that Apple doesn't need to do anything because the other issue still exists to me is incorrect and distracts from the actual issue being talked about.  To stop spoofing you have to address both issues: one is a carrier issue and one is a handset maker issue.  If anything, Apple should fix the reply-to issue and use their influence to pressure carriers to address "from" field spoofing.  As it stands, I think carriers have little motivation to fix the issue.  They potentially get paid for every message they send, so verifying and blocking certain messages would ultimately hurt their bottom line.  That was never an issue that ISP/email providers had to overcome.

  • Reply 83 of 137
    muppetry Posts: 3,328 member
    jragosta wrote: »
    muppetry wrote: »
    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

    That's a foolish distinction. There's no difference in the difficulty of spoofing 'reply to' and 'from' fields. If anything, it further reinforces Apple's advantage. If a hacker is going to spoof a field, they're more likely to spoof the 'from' field since that's what most phones use. So, by your own logic, iOS is BETTER than other phone operating systems.

    In fact, the links I provided above confirm that. Most of the third party 'anonymizer' sites talk about SMS spoofing, they are all spoofing the 'from' field, not the 'reply to' field. So iOS would not be spoofed while the majority of phones would be.

    So why is it that the first 26 hits on a search for 'sms spoof' are all about iOS?

    My guess is that the guy who started this didn't realize that you could spoof both 'from' and 'reply to' fields and thought he had discovered a real vulnerability with iOS.

    Agree - with one reservation about something you also alluded to previously and I meant to ask about. When you say that this reinforces Apple's advantage and that iOS is actually better in this regard than other phone systems - what do you mean? iOS is vulnerable to both forms of spoofing - other OSs are vulnerable only to from spoofing. I assume that you are not just referring to the advantages of iMessage over SMS?
  • Reply 84 of 137
    bwinski Posts: 164 member



    OH?? ALL your contacts don't have iMessage?? Well, why not?? Get them over to iMessage and you won't have a problem, now will you??


     


    Just ask ANY of our retail employees that, Ooops, they've been laid off, no - wait - we're going to reverse that decision - no wait for it - no, YES!!! You've all been rehired.. Just in time for us to cut your pay... No - Wait - we promised you a pay increase last month - no - wait - are you sure - no - wait - YES WE DID !!! Yeah.. NOW we got the story straight - no - wait - - - - - .....


     


    These guys have REALLY acted like jackasses over the last few months...


     
  • Reply 85 of 137


    Originally Posted by Bwinski View Post

    Just ask ANY of our retail employees that, Ooops, they've been laid off, no - wait - we're going to reverse that decision - no wait for it - no, YES!!! You've all been rehired.. Just in time for us to cut your pay... No - Wait - we promised you a pay increase last month - no - wait - are you sure - no - wait - YES WE DID !!! Yeah.. NOW we got the story straight - no - wait - - - - - .....


     


    These guys have REALLY acted like jackasses over the last few months...



     


    You've been reading too much Gizmodo/WSJ.

  • Reply 86 of 137

    Quote:

    Originally Posted by Bwinski View Post



    OH?? ALL your contacts don't have iMessage?? Well, why not?? Get them over to iMessage and you won't have a problem, now will you??


     


    Just ask ANY of our retail employees that, Ooops, they've been laid off, no - wait - we're going to reverse that decision - no wait for it - no, YES!!! You've all been rehired.. Just in time for us to cut your pay... No - Wait - we promised you a pay increase last month - no - wait - are you sure - no - wait - YES WE DID !!! Yeah.. NOW we got the story straight - no - wait - - - - - .....


     


    These guys have REALLY acted like jackasses over the last few months...


     



    Time to update the block list

  • Reply 87 of 137
    bwinski Posts: 164 member



    Could be, but it certainly feels that way. I've had TWO run ins with the Apple store 'genius' personnel lately in two different locations and IT WAS AWFUL. SO, I speak from a bit of very personal, recent experience...


     
  • Reply 88 of 137
    jragosta Posts: 10,473 member
    muppetry wrote: »
    Agree - with one reservation about something you also alluded to previously and I meant to ask about. When you say that this reinforces Apple's advantage and that iOS is actually better in this regard than other phone systems - what do you mean? iOS is vulnerable to both forms of spoofing - other OSs are vulnerable only to from spoofing. I assume that you are not just referring to the advantages of iMessage over SMS?

    Yes, I'm referring to iMessage's advantage over other SMS clients. In addition to the advantages that others have cited, iMessage displays the 'reply-to' field while most clients display the 'from' field. If 95% of all SMS-capable phones use the 'from' field, most people who want to spoof their message will spoof the 'from' field which would not fool iMessage.
  • Reply 89 of 137
    muppetry Posts: 3,328 member
    jragosta wrote: »
    muppetry wrote: »
    Agree - with one reservation about something you also alluded to previously and I meant to ask about. When you say that this reinforces Apple's advantage and that iOS is actually better in this regard than other phone systems - what do you mean? iOS is vulnerable to both forms of spoofing - other OSs are vulnerable only to from spoofing. I assume that you are not just referring to the advantages of iMessage over SMS?

    Yes, I'm referring to iMessage's advantage over other SMS clients. In addition to the advantages that others have cited, iMessage displays the 'reply-to' field while most clients display the 'from' field. If 95% of all SMS-capable phones use the 'from' field, most people who want to spoof their message will spoof the 'from' field which would not fool iMessage.

    OK - I see what you mean. Unfortunately, the from spoof would still fool iMessage unless they had, for some curious reason, filled out the "Reply-To" field with their real identity, since, in the absence of a "Reply-To" value, iMessage uses the "From" value, just like all the others.
  • Reply 90 of 137
    inkswamp Posts: 337 member
    jragosta wrote: »
    This is absolutely false. You can also spoof the 'from' field:
    http://www.youspoof.info/textSpoofing.html
    "For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""
    or:
    http://spoofsms.net
    "You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."
    Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.
    The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.
    The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.

    All true. I have often entertained co-workers by connecting directly to my company's email gateway and firing off emails to them from Jesus. (He writes some pretty filthy emails, just FYI.)

    Anyway, the person you're responding to doesn't seem to understand that SMS is just bastardized email--or maybe he understands that but doesn't appreciate the full extent of the problems that decision opens SMS up to. If he wants to place blame, he can blame an entire industry for deciding to piggyback on an existing protocol and dragging along all the baggage that entails instead of designing a dedicated protocol for text messages (you know, like, iMessage). But trying to lay the blame at Apple's feet is a little disingenuous.
  • Reply 91 of 137
    jragosta Posts: 10,473 member
    muppetry wrote: »
    OK - I see what you mean. Unfortunately, the from spoof would still fool iMessage unless they had, for some curious reason, filled out the "Reply-To" field with their real identity, since, in the absence of a "Reply-To" value, iMessage uses the "From" value, just like all the others.

    So there are two scenarios:
    1. They spoof the 'from' field and do not enter a 'reply to' identity. In that case, iMessage acts exactly like any other client - so Apple is no worse than the rest of the industry.
    2. They spoof the 'from' field and do enter the correct 'reply to' identity - in which case iMessage is better than the other clients.

    So the claim that Apple is somehow worse than anyone else is bogus.

    The only case where Apple could be worse is if they spoof the 'reply to' field but not the 'from' field - which doesn't appear likely. All the spoofing sites I could find spoof the 'from' field since that's the one that 95% of phones or more use.
  • Reply 92 of 137
    frood Posts: 771 member

    Quote:

    Originally Posted by nagromme View Post


    Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)



     


    Hi Nagromme, if you're asking if there is an iPhone specific problem on AppleInsider your answer is almost always going to come back a little dogmatically as "No, the iPhone has no flaws and is BETTER!" :p  Reading some of these responses that seems to be the direction they are headed and they are wrong in this case.


     


    If my analogy below confuses you, here's a link to more info:  http://www.informationweek.com/security/mobile/android-and-blackberry-safer-than-ios-fo/240006075


     


    Remember 'caller id' on those old fashioned wall phones?  When you called someone from your home phone, if they had caller id, it would automatically tell them it was you calling.  You had no input.  Your carrier had the technology to recognize it was your hardware.  That is the equivalent of 'from' in an SMS message.  It is not impossible, but it is very difficult to spoof- and in an SMS text would usually require knowledge of your victim's carrier and access to their carriers' SMSC servers to hack.  It would open the hackers up to substantial criminal penalty.  Any phone, whether android or Apple even using iMessage, would be prone to this attack.  This type of attack isn't common because it is generally traceable and hard to execute.  Those sites listed above do not work in the US or Canada.  Feel free to try them if you wish.  Some use the 'reply to' method (even though it says 'from' on their site) and hope your user has an iPhone- in which case they will work.  Some offer Android apps for you to download in order for them to work.  Your victims (if using Android phones) would need to have that software installed too which renders the attack pretty much useless.


     


    Back to our 'caller id' example.  Imagine if you called someone and your carrier, instead of using the information from your hardware, gave you a message 'please enter your phone number identifying who you are' and you now had to key in your phone number.  Imagine it used the number you yourself keyed in to identify you to whomever you were calling...  Not rocket science here.  You could type in any number you wanted and that is whom it would tell your recipient was calling.  If you looked up Apple's or IBM's corporate phone numbers you could type that in and it would tell your recipient that Apple (or IBM, or whomever) was calling.  Very easy to do.  No hacking required.  That is the equivalent of 'reply to' spoofing.


     


    'Reply To' *is* built into the SMS protocol and is quite useful.  AT&T can send you a promotional SMS message.   Some phones would tell you that the message is FROM: AT&T and that you should REPLY TO: ATTPROMO or something like that.  No problem.  The poor choice Apple made (and I cringe to say that on this site) is that they use the 'Reply To' field that your sender has control of to tell you that is who the message is FROM.  So I can send you a bogus malicious message that you might not normally fall for, but when you look at the FROM field and see that it is 'FROM: facebook.com' you will decide it is safe and fall for it.


     


    With that, the 'vulnerability' is way overblown.  People can't hack your information or take over your phone with it.  They can only fool you into trusting them.  As long as you don't trust anybody sending you texts requiring dubious action on your part- there is no vulnerability.


     


    Apple unfortunately doesn't like to admit error.  They issued a pretty brilliant response as usual, but it's a little bit of misdirection.  Their statement is that the 'Reply To' field is built into SMS and is there on all phones- which is an absolutely true statement.  They then say if you use iMessage you will not be prone to the attack- which is also an absolutely true statement.  What they leave out is that the flaw in the iPhone was due to their less than optimal choice of using the 'Reply To' field in the header to tell you that that is where the text came 'From' and that they will (hopefully) correct their mistake in future versions.  Any Android phone that has software that chooses to use the 'Reply To' field as the 'From' indicator would be prone to the same spoofing, but I guess that was one area they chose not to copy Apple. :p


     


    For the record I was a long time Apple user and loved my iPhone until Apple kept insisting that I wanted a puny 3.5" screen.  They were dead wrong and 'forced' me to switch to my giant screen Android phone.  My 'dirty secret' is that I actually think both phones are great so I'm a little out of place on either an Apple or Android site.  If Apple bumps up the screen size a little more and introduces usable mainstream widgets instead of the stone age 'icon grids' I'll be back in line for the iPhone 6  =)  ( as long as Android hasn't implemented a feature that cooks for me and cleans my house )   Hooray competition!

  • Reply 93 of 137
    cpsro Posts: 2,825 member

    Quote:

    Originally Posted by hill60 View Post





    Wasn't THE BIG RED EXCLAMATION MARK next to the message just a bit of a giveaway?

    ????????????


    Oh, yeah, really helpful, with notification coming a WEEK+ AFTER THE FACT. Kapisch???

  • Reply 94 of 137
    tallest skil Posts: 43,399 member


    Originally Posted by Frood View Post


    If Apple… …introduces usable mainstream widgets… 



     


    What does this even mean? What is the point of this? Live updating icons would do just the same. And I've just had a thought for how… ooh. I gotta write that down and mock it up…


     



    …stone age 'icon grids'… 



     


    Funny how when you have the stone, those without want to steal it from you.


     



    Hooray competition!



     


    *narrows eyes*

  • Reply 95 of 137

    Quote:

    Originally Posted by Cpsro View Post


    Too bad iMessage is unreliable!


    (Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered)



     


    I've had the same thing happen with SMS messages on Verizon.  I can't say I've found iMessage to be any less reliable...


     


    Funny thing is, SMS was the one thing AT&T seemed to do better than Verizon.  I don't recall ever having problems sending or receiving messages in a timely fashion with them.  With Verizon it's a crapshoot, and it has been for years.  Had the same lousy SMS experience when I was with them prior to getting my iPhone in 2009.


     


    Go figure.

  • Reply 96 of 137
    muppetry Posts: 3,328 member
    jragosta wrote: »
    muppetry wrote: »
    OK - I see what you mean. Unfortunately, the from spoof would still fool iMessage unless they had, for some curious reason, filled out the "Reply-To" field with their real identity, since, in the absence of a "Reply-To" value, iMessage uses the "From" value, just like all the others.

    So there are two scenarios:
    1. They spoof the 'from' field and do not enter a 'reply to' identity. In that case, iMessage acts exactly like any other client - so Apple is no worse than the rest of the industry.
    2. They spoof the 'from' field and do enter the correct 'reply to' identity - in which case iMessage is better than the other clients.

    So the claim that Apple is somehow worse than anyone else is bogus.

    The only case where Apple could be worse is if they spoof the 'reply to' field but not the 'from' field - which doesn't appear likely. All the spoofing sites I could find spoof the 'from' field since that's the one that 95% of phones or more use.

    Well yes - there are 3 scenarios as you listed, and the third one, though it may well be unlikely, is the subject of the report.
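
The three scenarios listed in replies 91 and 96, worked through as an added example (not code from any poster, from Apple, or from any phone vendor). The `Sms` model, the function names and the 555 numbers are constructed for illustration; the first two display policies are the behaviours the thread attributes to iOS and to other phones, and the third shows both fields and flags a mismatch.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sms:
    from_addr: str                  # "From" field
    reply_to: Optional[str] = None  # optional "Reply-To" field, chosen by the sender


def normalize(addr: str) -> str:
    """Canonical form so '+1 555 010 0199' and '15550100199' compare equal."""
    addr = addr.strip()
    if re.search(r"[A-Za-z]", addr):   # alphanumeric sender ID such as 'ATTPROMO'
        return addr.casefold()
    return re.sub(r"\D", "", addr)     # keep digits only


def shown_reply_to_first(msg: Sms) -> str:
    """Policy the thread attributes to iOS: Reply-To, when present, is shown as sender."""
    return msg.reply_to or msg.from_addr


def shown_from_only(msg: Sms) -> str:
    """Policy the thread attributes to most other phones: only From is shown."""
    return msg.from_addr


def render_both(msg: Sms) -> dict:
    """Mitigation sketch: From stays the sender; a differing Reply-To is surfaced and flagged."""
    differs = bool(msg.reply_to) and normalize(msg.reply_to) != normalize(msg.from_addr)
    return {
        "sender": msg.from_addr,
        "reply_target": msg.reply_to if differs else msg.from_addr,
        "warn": differs,
    }


# Constructed sample data (555-01xx numbers are reserved for fiction).
REAL = "+1 555 010 0199"          # the address the message really came from
IMPERSONATED = "+1 555 010 0100"  # the address the recipient is meant to believe

SCENARIOS = {
    "1: From forged, no Reply-To":      Sms(IMPERSONATED),
    "2: From forged, Reply-To genuine": Sms(IMPERSONATED, REAL),
    "3: From genuine, Reply-To forged": Sms(REAL, IMPERSONATED),
    "benign: Reply-To repeats From":    Sms(REAL, "15550100199"),
}


def evaluate(msg: Sms, true_origin: str) -> dict:
    """Which display policy shows a sender other than the true origin, and when the flag fires."""
    def misled(shown: str) -> bool:
        return normalize(shown) != normalize(true_origin)

    return {
        "reply_to_first_misled": misled(shown_reply_to_first(msg)),
        "from_only_misled": misled(shown_from_only(msg)),
        "both_fields_warns": render_both(msg)["warn"],
    }


def run() -> dict:
    return {name: evaluate(msg, REAL) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:36} {result}")
```

Scenario 1 misleads every policy and raises no flag, which is why the handset alone cannot close it; the mismatch flag only helps in scenarios 2 and 3.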
  • Reply 97 of 137
    mdriftmeyer Posts: 7,501 member

    Quote:

    Originally Posted by Bwinski View Post



    Could be, but it certainly feels that way. I've had TWO run ins with the Apple store 'genius' personnel lately in two different locations and IT WAS AWFUL. SO, I speak from a bit of very personal, recent experience...


     



     


    So take your two poor experiences and broadly describe it as the norm. Such hubris.

  • Reply 98 of 137

    Quote:

    Originally Posted by 28jp View Post


    Too bad iMessage is messed up!  I had to turn mine off.  It was taking up to an hour for a message to send with a full signal.  Half the time it would make me send as a text anyway.


     


    It started working really good when I had my 3GS and when I first got my 4s... but the last couple of months the service has totally sucked.  I am not the only one in my area who is complaining.


     


    Even when using Wi-Fi... it sucks!


     


    Numerous calls to AT&T and Apple have been of no help.  So, I just turned off iMessage and have zero problems sending and receiving texts.


     


    If they would acknowledge and fix the problem, I would definitely use it.



    Bullcrap... 1st post to spam/troll... 

  • Reply 99 of 137
    jragosta Posts: 10,473 member
    muppetry wrote: »
    Well yes - there are 3 scenarios as you listed, and the third one, though it may well be unlikely, is the subject of the report.

    Not at all. The report (and the thousands of 'me, too' reports) act as though spoofing is something that can only happen to iPhones.

    In reality, the overwhelming majority of spoofs use the 'from' header and therefore affect everyone.
  • Reply 100 of 137
    frood Posts: 771 member

    Quote:

    Originally Posted by Tallest Skil View Post


     


    What does this even mean? What is the point of this? Live updating icons would do just the same. And I've just had a thought for how… ooh. I gotta write that down and mock it up…


     


     


    Funny how when you have the stone, those without want to steal it from you.


     


     


    *narrows eyes*



     


    Hi Tallest, I originally just wanted to say 'I hope apple implements widgets' but then a fan would likely point out to me that Apple already has widgets- so I added the 'usable mainstream' qualifiers because the current versions on Apple are neither.  I don't know much about live tiles but I'd guess they are fairly similar to widgets as long as they are resizable and not limited to having a defined structure with just an info update on them (like an email counter going up a number or two)...


     


    After the big screen, widgets were the big surprise moving from iOS to Android for me.  I had a 'weather app' and a 'stock market app' and 'news app(s)' on my iPhone, but having them executing continuously on my home screen as widgets pretty radically changes how useful they are to me and how I interact with them.  The 'stone age' comment wasn't really a slam on Apple as much as encouraging them to progress from it. I still use my iPhone (it has no SIM card) for games for my nieces and as a metronome, but every time I turn it on it seems like I'm 'moving backward'.  I still use an icon grid on my Android phone because it is a good way to cram a ton of apps together, but it's not until 3 pages removed from my home screen- and I rarely go there- the widgets have me covered for 95% of what I want to do.  Do wish Android would learn the 'smoothness' of Apple though.  With all that going on it does occasionally get a little hitch in its giddy'up when swiping around that my iPhone never had.


     


    Would be a nice touch if they gave the iFive a smart swipe to unlock as well- ie if you swipe left to right it does what it does now and opens up to home screen.  If you swipe from bottom to top it opens straight to text messaging, if you swipe right to left it opens straight to your phone with your 'favorites showing.' etc.  Looking forward to the iFive release and I'm sure it's going to have a trick or two up its sleeve that leaves me a little envious.
