Apple urges users to stick with iMessage to avoid iPhone SMS spoofing


Comments

  • Reply 41 of 137
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by joeblowjapan View Post


    But really, if it's such a problem for some, why not just email from your phone instead?  I often wonder why Americans & Europeans are so hooked on texting.



    It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 

  • Reply 42 of 137
    jragosta Posts: 10,473 member
    agramonte wrote: »
    Apple should just say that they are working on a solution - suggesting iMessenger is a viable solution to SMS is just idiotic.

    Not as idiotic as people suggesting that Apple can do something to fix the inherent problems with SMS in some way other than creating and trusting only their own app.
  • Reply 43 of 137
    wiggin Posts: 2,265 member

    Quote:

    Originally Posted by mstone View Post


    It is not the sending that is the problem. It is receiving of a spoofed txt that is a security issue. One of the inherent problems with SMS is you cannot control who sends you a message. Here in the US you have to pay $0.20 to receive an SMS even if it is bogus. One of the benefits is that if you are having a quick communication exchange with someone, the message shows up instantly. You don't have to select the title and open it like an email. Also you can see more incoming messages while composing a response. If you are on the move the SMS even shows up on your lock screen, so it is convenient.


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 



     


    I think a lot of the issues you listed could, theoretically, be solved with an email client that behaved the way you describe if someone really wanted to make one. But the real problem with emails is that over half of the cell phones in use are not smartphones, so emails won't work in a lot of instances. Also, SMS messages can usually get through in low signal environments where you might not get an email to go through. I have no specific figures, but I suspect an SMS is far less data being exchanged than an email with an equivalent length message. And finally, for email to be a viable option, you have to assume that everyone has push email turned on. (I for one, don't.)

    For email to replace SMS, it has to be as universally available. Otherwise every time you want to send a message you need to wonder if the person will actually get it in a timely fashion. 

  • Reply 44 of 137
    jlandd Posts: 873 member

    Quote:

    Originally Posted by mstone View Post


     


    I may be an exception, but most of my friends either do not send me messages from an Apple device or they have not updated to iCloud or ML. I still think SMS is the default method of short messaging for most people. iMessage might be great but it ranks right up there with FaceTime as another of the most underused features of Apple devices. 



     


    You're not too rare, it's the same with me.  Agree with what you're saying.  My list of top people I get texts/messages from is full of people who could be using iMessage but aren't.

  • Reply 45 of 137
    zebra Posts: 35 member


    When reviewing the settings for messages, it appears that the iPhone with iOS version 5.1.1 defaults to iMessage if possible and only uses SMS when iMessage is unavailable.

    So iMessage is the preferred messaging system with 5.1.1. I'd just leave the settings as they are.

    This is much to do about nothing even if hacked SMS messages come to your iPhone. Just being aware of this possibility is all that is needed anyway.

  • Reply 46 of 137
    Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.
  • Reply 47 of 137
    jragosta Posts: 10,473 member
    Can anyone verify if this is iOS specific? I hate when community flaws are blamed on just one company.

    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
  • Reply 48 of 137
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by jragosta View Post





    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.


    I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

  • Reply 49 of 137


    I've had a couple times where I had to resend the message but it's certainly yards better than standard SMS.

  • Reply 50 of 137
    muppetry Posts: 3,331 member
    mstone wrote: »
    jragosta wrote: »
    As has been stated repeatedly in this thread, it's not specific to any OS or platform. It's inherent in SMS.

    It IS possible to work around it by using the optional features of SMS, but since only a few clients (including iMessage) use them, that's not a real solution.
    I was under the impression that it was an iOS issue because iOS will read the header that contains the bogus from information and correlates it with your contacts list so the bogus message incorrectly states that the message is from someone in your contacts list and not just an unknown phone number. It was my understanding, which can often be wrong, that the problem, although caused by the underlying insecurity of SMS, was never a real issue on older feature phones because they did not read the from 'name' header but instead read the from phone number. I am not aware of the details but something like that was explained in an earlier thread. I also am not sure how Android handles the same situation. Maybe someone with more knowledge can clarify as I am curious as well.

    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
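
The check proposed in Reply 50 (show the sender number alongside the reply-to number), as an added Python example that is not part of the thread and not Apple's code. It assumes the reply-to number travels as the Reply Address Element (IEI 0x22) of the user data header defined in 3GPP TS 23.040; the PDUs are constructed samples, and `parse_deliver` and `display_line` are hypothetical names.

```python
# Added example: flag SMS-DELIVER PDUs whose reply address differs from the sender (TP-OA).
# Field layout per 3GPP TS 23.040 (assumed carrier of "reply-to"); sample PDUs are constructed.

def decode_address(buf, pos):
    """Decode an address field: digit count, type-of-address, swapped BCD digits."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2 : pos + 2 + nbytes]
    ton = (toa >> 4) & 0x7
    if ton == 0x5:                        # alphanumeric sender, left as hex here
        return "alnum:" + raw.hex(), pos + 2 + nbytes
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]
    return ("+" if ton == 0x1 else "") + digits, pos + 2 + nbytes

def parse_deliver(pdu_hex):
    """Return the sender and, if present, the reply address of an SMS-DELIVER PDU."""
    buf = bytes.fromhex(pdu_hex)
    pos = 1 + buf[0]                      # skip the SMSC address
    first = buf[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    sender, pos = decode_address(buf, pos)
    pos += 2 + 7                          # TP-PID, TP-DCS, TP-SCTS
    pos += 1                              # TP-UDL
    reply_to = None
    if first & 0x40:                      # TP-UDHI set: user data starts with a header
        udhl = buf[pos]
        ie, end = pos + 1, pos + 1 + udhl
        while ie + 2 <= end:              # walk the information elements
            iei, iedl = buf[ie], buf[ie + 1]
            if iei == 0x22:               # Reply Address Element
                reply_to, _ = decode_address(buf, ie + 2)
            ie += 2 + iedl
    return {"sender": sender, "reply_to": reply_to}

def display_line(msg):
    """Show both numbers when they differ instead of silently preferring reply-to."""
    if msg["reply_to"] and msg["reply_to"] != msg["sender"]:
        return f"From {msg['sender']} (replies go to {msg['reply_to']}) [MISMATCH]"
    return f"From {msg['sender']}"

# Constructed samples (fictional 555-01xx numbers, 8-bit payload "hi").
SAMPLE_PLAIN = "00040B915155100000F10004218071210000000268" "69"
SAMPLE_WITH_REPLY = ("00440B915155100000F1000421807121000000"
                     "0D0A22080B915155100000F26869")
```

A mismatch flag only covers the reply-to case; a forged originating address looks the same as a genuine one at this layer, as later replies in the thread point out.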
  • Reply 51 of 137
    vaelian Posts: 446 member
    wiggin wrote: »

    The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).
  • Reply 52 of 137
    wovel Posts: 956 member
    By a real solution I mean a fix for the SMS spoofing so it's not just through iMessage that users are safe. We need it to be safe even if the person you are communicating with doesn't have an iPhone.

    You will need to fix the SMS protocol and every carrier in the world.

    Eventually SMS will just need to go away. It was ok when you could not do much harm through SMS. Now with smartphones and people sending links through SMS it COULD be a problem. Every smart phone on earth is just as vulnerable as the iPhone. It is not hard to spoof an SMS message sender field. I am not sure why anyone is concerned at all about the reply-to field.
  • Reply 53 of 137
    wovel Posts: 956 member
    muppetry wrote: »
    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

    A scammer will probably just spoof the sender field. It is not hard.
  • Reply 54 of 137
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by muppetry View Post





    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.


    I was wondering how that came about but even since the iChat days it was possible to send an SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

  • Reply 55 of 137
    muppetry Posts: 3,331 member
    mstone wrote: »
    muppetry wrote: »
    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.
    I was wondering how that came about but even since the iChat days it was possible to send an SMS from a computer which did not have a phone number so they had to enable the 'from name' field in order to identify the sender. Thanks for your clarification. Now we need to wait and see what the solution will be from Apple.

    However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.
  • Reply 56 of 137
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by Vaelian View Post





    The sender field in the SMS specification is alphanumeric, an SMS central (or a user behind an SMS central that doesn't care about what goes in the messages) can put whatever they wish in there. Current phones (and this predates the iPhone by a long time) support an additional sender name which obviously can also be spoofed, but to claim that this can be fixed by displaying the information from the sender field in the SMS is retarded. There are loads of SMS providers offering SMS spoofing services, and before news breaks in that the iPhone is also vulnerable to caller ID spoofing, let me be the first to tell you that caller IDs can also be spoofed (that's essentially how unidentified calls work, except they just remove the caller ID rather than replacing it with something arbitrary).


    I have received telemarketing calls from 000-000-0000

  • Reply 57 of 137
    cpsro Posts: 3,198 member


    Too bad iMessage is unreliable!


    (Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. :lol: )

  • Reply 58 of 137
    mstone Posts: 11,510 member
    muppetry wrote: »

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.

    The comparison to email has been made a few times in this thread however there are services and applications which can clean out spam almost 100%. As I have mentioned in the past I use mxmatrix.net and they do a fantastic job cleaning out spam. To my knowledge there is no such service for SMS and the vulnerability of SMS is much more personal than typical email spam because in order for it to be threatening the sender needs to know the names of people in your contact list. The ability of apps to capture that data has already been addressed by Apple and I don't personally worry about spoofed SMS as I have really nothing private or secret on my phone and I am now aware of the situation so it poses little threat for me at this point, however others may be at more risk so I think Apple should try to do more to protect users from this hack.
  • Reply 59 of 137
    cpsro Posts: 3,198 member

    Quote:

    Originally Posted by muppetry View Post



    However, as pointed out by others above, if the sender number itself is spoofed then nothing can be done to fix it, and that spoof would work against all platforms.

    Also - it is no different than the ability to spoof email via the SMTP protocol, where you can fake any of the headers.


    That's a big IF-- IF the sender number itself is spoofed. As far as we know, SMS is not the same as spoofing with SMTP. There is an apparent reluctance on the part of handset makers and/or telecoms to highlight the fact when an SMS sent-by and reply-to addresses differ.

  • Reply 60 of 137
    hill60 Posts: 6,992 member
    cpsro wrote: »
    Too bad iMessage is unreliable!
    (Yes, unreliable. I've been notified a week+ after the fact that an iMessage was not delivered, and I don't send many texts at all. I guess Apple can figure out who I am, since there's no one else this has happened to. :lol: )

    Wasn't THE BIG RED EXCLAMATION MARK next to the message just a bit of a giveaway?
