Apple urges users to stick with iMessage to avoid iPhone SMS spoofing


Comments

  • Reply 101 of 137
    muppetry Posts: 3,331 member
    jragosta wrote: »
    muppetry wrote: »
    Well yes - there are 3 scenarios as you listed, and the third one, though it may well be unlikely, is the subject of the report.

    Not at all. The report (and the thousands of 'me, too' reports) act as though spoofing is something that can only happen to iPhones.

    In reality, the overwhelming majority of spoofs use the 'from' header and therefore affect everyone.

    Not at all what? Yes, I completely agree with your assessment that it does not make sense to focus on iOS, but the issue in question, if you read the original blog, is specifically about this vulnerability on iOS, and that is the subject of the article and that is what was being discussed. Not whether other phones are vulnerable to other spoofs.
  • Reply 102 of 137
    frood Posts: 771 member

    Quote:

    Originally Posted by Tallest Skil View Post

    Wait, do they? I genuinely don't know what people mean by "widgets" unless they're talking about those two-space things you sometimes see on Android phones. I just don't get the benefit of those over app icons that update to show you content (sort of like The Interface Formerly Known As Metro, but simpler).

    Oh, and I can understand that, certainly. Why the Weather app on iOS hasn't always (since iPhone OS 1!) shown the current weather of your leftmost city, I'll never know. And seeing your topmost stock's current status would be great.

    … I thought that was just an auto-correct gaffe until I saw it again and realized what you were talking about. I seethed.

    But I can't stay mad at you, you zarkin' frood.

    Anyway, about that idea, it's interesting, but I don't see Apple doing it when it happens also through notifications. I realize you have to receive a notification to get that to be available, but I also think that their desire is to make sure the user knows exactly what will happen when they perform an action, which is something that multi-directional swiping would make more blurry.

    Sorry on the iFive. I thought it was kind of cool and even catchy. If it's a cause for 'seething' I'll call it the iPhone 5 moving forward. Glad you got the Hitchhiker's reference =)

    And on the widgets, I think you are still thinking small:

    Why the Weather app on iOS hasn't always (since iPhone OS 1!) shown the current weather of your leftmost city, I'll never know. And seeing your topmost stock's current status would be great.

    For current weather I look out the window :p My widget shows me the next 5 days in graphical display. I rarely used my weather app - mostly because it just never hit me to check weather until I went outside and found it was raining :/ With it on my home screen I'm always using it because it's hard to miss. My stock widget doesn't look like an icon and just show me my topmost stock's status - it is implemented as an actual stock ticker that scrolls across my screen with options to show daily highs/lows etc. Instead of scrolling whole indexes, I have it set to only show stocks that are actually in my portfolio so all the info is relevant to me. If I notice one moved (hopefully upward) I just have to touch it and it opens up the actual app where it has all the latest news on that particular stock available.

    Nothing I couldn't do on my iPhone, but the implementation is just more natural since the information is continually right there.

  • Reply 103 of 137
    tallest skil Posts: 43,388 member

    Originally Posted by Frood View Post

    Sorry on the iFive. I thought it was kind of cool and even catchy. If its a cause for 'seething' I'll call it the iPhone 5 moving forward. Glad you got the Hitchhiker's reference =)

    I'd prefer you'd drop the number entirely.

    For current weather I look out the window :p My widget shows me the next 5 days in graphical display.

    It'd have to be pretty long for that, eh? Ooh! How about this, a corner (or top bar/percent of) of the icon changes to the NOAA standard color for whatever watch or warning is in effect for the area? So severe thunderstorm watch would be a yellow highlight, tornado warning a red, flood a green, etc…

  • Reply 104 of 137
    lightknight Posts: 2,312 member

    Quote:

    Originally Posted by mdriftmeyer View Post

    iMessage works well. Too bad you comment and don't specifically detail how you come to that comment's conclusion.

    Well, he does specifically state that iMessage does NOT work well for him, and explains why. Being God, I guess you know better?

  • Reply 105 of 137
    lightknight Posts: 2,312 member

    Quote:

    Originally Posted by jragosta View Post

    Not at all. The report (and the thousands of 'me, too' reports) act as though spoofing is something that can only happen to iPhones.

    In reality, the overwhelming majority of spoofs use the 'from' header and therefore affect everyone.

    The problem, as Apple stated, lies with the SMS specification. However, unless you're texting to another iPhone which has iMessage, you can't use iMessage.

    The "solution" probably is to type in numbers by hand/selection from address book.

  • Reply 106 of 137
    vadania Posts: 425 member
    So right?

    I'm going to be doing this at volleyball this week...

    "Yo Android!". (and this has been shouted believe it or not.). "Don't be texting me your spam a$$ $hit!".

    Co-Ed on volley ball means 5 guys and one girl.

    I play with 3 robots!

    I'll have to text them a link here first...
  • Reply 107 of 137
    lightknight Posts: 2,312 member

    Quote:

    Originally Posted by muppetry View Post

    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.

    Hmmm, that's a very interesting post. It would definitely make the problem lie with Apple, even though, of course, the spec is still insecure.

  • Reply 108 of 137
    lightknight Posts: 2,312 member

    Quote:

    Originally Posted by Tallest Skil View Post

    I'd prefer you'd drop the number entirely.

    What's wrong with the sixth iPhone being called iPhone 5 really? As long as it just works? What I can tell you is I was talking phones (and perfume, but it's unrelated) with a group of girls Saturday and they all are waiting for iPhone 5...

  • Reply 109 of 137
    vadania Posts: 425 member

    Well, he does specifically state that iMessage does NOT work well for him, and explains why. Being God, I guess you know better?

    He is not a god, because god does not exist. (I say he based on previous posts)

    Don't bring that word (god) into a tech site/discussion.

    Also if god did exist, she would almost certainly be a woman.

    Edit: spelling. How does previous turn into precious? Only on iPad...
  • Reply 110 of 137
    vadania Posts: 425 member
    Wait, do they? I genuinely don't know what people mean by "widgets" unless they're talking about those two-space things you sometimes see on Android phones. I just don't get the benefit of those over app icons that update to show you content (sort of like The Interface Formerly Known As Metro, but

    Really? Yea, other phones have constantly updated material on them. Just like "widgets" that you apparently don't know about that are on OSX. So when you swipe up on your track pad to see your "widgets", that's what people have on their phones now.

    Trust me I get called out on that all the time. Somehow it's turned into a 'pick up' line.

    Edit: swipe right. I changed mine because of multi monitors (which has been seriously messed up with Mountain Lion)
  • Reply 111 of 137
    vadania Posts: 425 member
    What's wrong with the sixth iPhone being called iPhone 5 really? As long as it just works? What I can tell you is I was talking phones (and perfume, but it's unrelated) with a group of girls saturday and they all are waiting for iPhone 5...

    Very true. Almost everyone I speak with is looking forward to iPhone 5. Also, women my age don't care. They don't use it for anything other than texting and the occasional call. Most people do not know it syncs with your playlists, contacts or anything else. I tell my friends "buy it from Apple and you will have everything on that phone on a phone like mine". (meaning all their contacts. They are all worried about losing the number from the guy they slept with last night)

    Apple could call it whatever they want.
  • Reply 112 of 137
    jragosta Posts: 10,473 member
    vadania wrote: »
    He is not a god, because god does not exist. (I say he based on previous posts)
    Don't bring that word (god) into a tech site/discussion.
    Also if god did exist, she would almost certainly be a woman.

    No, Jesus was definitely an Irish male:
    - He lived with his mother
    - He had 12 drinking buddies
    - His mother thought he was God.

    The problem, as Apple stated, lies with the SMS specification. However, unless you're texting to another iPhone which has iMessage, you can't use iMessage.
    The "solution" probably is to type in numbers by hand/selection from address book.

    That doesn't solve anything. Even if you use your address book, you know that the numbers you are sending to are legitimate. The problem is identifying whether a RECEIVED message is spoofed - and typing in your numbers manually does nothing to address that problem.
  • Reply 113 of 137
    muppetry Posts: 3,331 member
    muppetry wrote: »
    The "vulnerability" is inherent in the SMS specification, but currently only manifests itself on iOS devices, because iOS is the only platform that ignores the sender phone number if a reply-to number is specified. A fix is within Apple's power - the iOS SMS app could be modified at least to display the sender number as well as the reply-to number. That would not change the SMS specification, but would alert an iOS user that a spoof may be occurring.


    Hmmm, that's a very interesting post. It would definitely make the problem lie with Apple, even though, of course, the spec is still insecure.

    Yes - but note also jragosta's point that this is somewhat moot, since most spoofers would spoof the "From" field, rather than the "Reply-To" field, and there is nothing anyone can do to fix that.
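
The fix discussed in the posts above (show the sender number as well as the reply-to number), as an added example that is not part of any post in this thread and is not Apple's code: a Python parser for a received SMS-DELIVER TPDU that reads the originating address and the optional Reply Address element and labels a mismatch. The field layout (including user-data-header element 0x22) is taken from 3GPP TS 23.040, which the thread does not cite; the function names, sample PDUs and phone numbers are constructed for illustration.

```python
# Added example. Field layout follows 3GPP TS 23.040; sample PDUs are constructed.
REPLY_ADDRESS_IEI = 0x22  # user-data-header "Reply Address Element"

def decode_address(buf, pos):
    """Decode an address field at buf[pos]; return (number, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated address")
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2 : pos + 2 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated address")
    ton = (toa >> 4) & 0x07
    if ton == 0b101:  # alphanumeric sender ID: keep raw bytes, do not guess
        return "alnum:" + raw.hex(), pos + 2 + nbytes
    # Digits are nibble-swapped BCD; a trailing 0xF nibble is padding.
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    return ("+" if ton == 0b001 else "") + digits, pos + 2 + nbytes

def parse_deliver(hex_tpdu):
    """Return (sender, reply_to) for an SMS-DELIVER TPDU (no SMSC prefix)."""
    buf = bytes.fromhex(hex_tpdu)
    if not buf or buf[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    sender, pos = decode_address(buf, 1)      # TP-OA: what the network recorded
    pos += 1 + 1 + 7                          # skip TP-PID, TP-DCS, TP-SCTS
    user_data = buf[pos + 1 :]                # buf[pos] is TP-UDL
    reply_to = None
    if buf[0] & 0x40 and user_data:           # TP-UDHI: a header precedes the text
        header = user_data[1 : 1 + user_data[0]]
        if len(header) != user_data[0]:
            raise ValueError("truncated user data header")
        i = 0
        while i + 2 <= len(header):           # walk IEI / length / data triples
            iei, iedl = header[i], header[i + 1]
            if i + 2 + iedl > len(header):
                raise ValueError("information element overruns header")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(header, i + 2)
            i += 2 + iedl
    return sender, reply_to

def thread_label(hex_tpdu):
    """Always show the sender; show a differing reply-to next to it, flagged."""
    sender, reply_to = parse_deliver(hex_tpdu)
    if reply_to and reply_to != sender:
        return f"From {sender} [replies go to {reply_to}: MISMATCH]"
    return f"From {sender}"

# Constructed samples: same sender, second one carries a Reply Address element.
PLAIN = "040B915155550501F0000421800221000000026869"
WITH_REPLY_TO = ("440B915155550501F0000421800221000000"
                 "0D0A22080B915155550591F96869")
```

A label built this way only exposes a disagreement between the two fields; it says nothing about whether the originating address itself is genuine, which is the separate point raised about the "From" field.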
  • Reply 114 of 137
    conrail Posts: 489 member

    Quote:

    Originally Posted by dagta View Post

    I love iMessage, but many messages have to be sent as SMS, and it seems to be random when it works and when it doesn't. Most of the time it works, but I will say that it doesn't about 10-15% of the time. Both sender and receiver have wifi and iPhone 4S. Even worse is pictures ("MMS") which 95% of the time doesn't work with iMessage. I've experienced it taking 15 minutes to send 3 pictures with iMessage on a 12MBit/s wifi. Using real MMS sending the same pictures takes about 15 seconds. But the real problem here is that most of the time it doesn't work at all. I'm from Norway and I have normal 3G and wifi without other problems.

    So why exactly do you "love" it?

  • Reply 115 of 137

    Quote:

    Originally Posted by JohnnyW2001 View Post

    This IS an Apple/iPhone issue.

    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely beside the point - it's entirely up to the software developer.)

    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to be filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

    Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

    Hopefully the final version of iOS 6 will fix this issue.

    No, it is an SMS problem - it's exactly the same problem that plagues SMTP but you don't see people throwing bricks at Microsoft's house over Outlook. I've owned loads of phones (both feature and smart) including the iPhone and I've gotten spoof SMS messages on all of them. Whether or not the reply-to field is present and is or is not removing the From field from the user's view is irrelevant - if "Reply-To" is set, it will reply to that address, if it's not, it will use the address in the "From" field - who you are replying to (and therefore who you are potentially giving money by texting) is far more important than the automated spam bot that processed it. On the iPhone and Windows Phone 7 (to name two) where the message came from is clearly displayed in the list of message threads anyway in big bold letters! But that is also irrelevant because the From field can be spoofed as well and it's alarmingly easy. All I have to do is write the following in the header section of an SMS message before sending:

    From: <number>

    The problem lies with the carriers who should implement spam checking on SMS messages before they are delivered to your inbox.

    The only thing Apple are guilty of right now is using the already present scare mongering media drivel to dupe thick-headed yahoo's into using iMessage with the weak excuse of "ish sayfur".

    Disclaimer: I use a Windows Phone

    EDIT: You also stated that the Reply-To field is supposed to be filled by the user. No, it isn't. The nature of SMS does not allow that. You have three options: Delete, Forward or Send. Technically, in SMS, there is no such thing as a Reply function - There is nothing to show if a message is a response to a previous one. The only thing you have to go on is the originating user - this is how threads are organised on any phone.

  • Reply 116 of 137

    So is the problem lying with Apple or not in the end?
  • Reply 117 of 137

    Quote:

    Originally Posted by benanderson89 View Post

    No, it is an SMS problem - its exactly the same problem that plagues SMTP but you don't see people throwing bricks at Microsoft's house over outlook.

    People ARE throwing bricks at MS over Hotmail though ^^

  • Reply 118 of 137


    Found the guy who uses the word "Yahoo".

    Quote:

    Originally Posted by benanderson89 View Post

    thick-headed yahoo's


  • Reply 119 of 137

    Quote:

    Originally Posted by jragosta View Post

    This is absolutely false. You can also spoof the 'from' field:

    http://www.youspoof.info/textSpoofing.html

    "For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""

    or:

    http://spoofsms.net

    "You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."

    Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.

    The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.

    The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.

    I'm sorry but you're entirely incorrect. The issue was raised by a blogger called pod2g, and that's the issue I described. It's also the issue that AppleInsider reported about, and it's the issue which Apple themselves are responding to.

    You can read the original blog post here: http://pod2g-ios.blogspot.co.uk/2012/08/never-trust-sms-ios-text-spoofing.html

    You can read AppleInsider's original news post here: http://www.appleinsider.com/articles/12/08/17/hacker_discovers_iphone_sms_spoofing_issue_asks_apple_to_fix_for_ios_6.html

    And you can read Apple's original statement to Engadget, which makes reference to this REPLY-TO field issue: http://www.engadget.com/2012/08/18/apple-responds-to-iphone-text-message-spoofing/

    This is nothing to do with the SMS standard.

    Once again, this is entirely Apple's fault.

  • Reply 120 of 137


    On an unrelated note: It's also worth pointing out that Email has many anti-spam and verification processes. I'm not entirely sure why everyone is regurgitating the nonsense that it doesn't. Technologies like DKIM and Domain Keys, as well as server blacklists, have been verifying the origin servers for years.
