Apple recently admitted to a security flaw with the iPhone’s SMS (short message service). The flaw allows nefarious users to spoof a “reply-to” number, which is the only number displayed on the message. This enables phishing, as a con artist can pose as a legitimate financial institution, drawing you in to their web of lies. Email also suffers from this vulnerability. Malicious users can send an email and specify any sender’s address. The difference is, with SMS, the messaging client could display the original number, which is part of the header data. There is a real solution to this vulnerability.
Apple’s solution is to urge iPhone users to send messages with iMessage instead of SMS.
“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
This “let them eat cake” suggestion is no real solution. Many people need to communicate with friends and family who are outside of the Apple ecosystem. iMessage only works on Apple devices. Instead of providing a real solution, Apple has taken advantage of a security flaw and used it to drive adoption of their devices.
A solution to this problem is not difficult. Apple would only have to show the number of origin, instead of (or in addition to) the “reply-to” number, which can be changed to anything by the sender. Unfortunately, beta versions of iOS 6 show no solution to this issue. Official Apple communications tell users to just use iMessage, which is not a solution at all. How do you communicate with an Android user via iMessage? How do you communicate with friends and family who have non-smart feature phones? You cannot use iMessage to send SMS messages. Furthermore, this does not prevent malicious users from sending you an SMS. After all, that’s how phishing scams work. As it stands, the iPhone is a conduit for forged SMS messages, and Apple does not want to fix this.
While I do think iMessage is superior, it only works within the Apple ecosystem. This reveals Apple’s desire to dominate everything, imposing closed standards that other vendors cannot adopt. No one other than Apple can develop an iMessage client. While you are waiting for Apple’s world-wide domination of technology, please only communicate with other Apple users…
We can only hope that, much like with EPEAT, Apple eventually faces the reality of the issue. Their SMS app is not secure and people need to send SMS messages. In the meantime, I would recommend being skeptical of SMS messages. If you are chatting with your friend on SMS, it is probably fine. However, it is possible for a malicious user to pose as a “long-lost friend” and attempt to extract sensitive information from you. Of course, you should be weary of any “special offers” from financial institutions transmitted via SMS. Even before this issue, I think most people were skeptical and even annoyed by SMS spam.
I did spend some time searching for alternative SMS apps for the iPhone. There are actually better apps for sending SMS than the stock app. This is not surprising. A lot of the standard iOS apps are not very good. Unfortunately, I have yet to find one that will display message header details, like the original number. They all seem to only display the reply-to number, which can be spoofed.
The other alternative is that your carrier could verify the reply-to number. I wouldn’t hold my breath. It seems like a much more difficult solution than Apple handling it on their client. Unfortunately, Apple is reluctant to make such a simple change, as they are using this vulnerability to drive adoption of iMessage. This is all the more reason Apple should not be allowed to attain hegemony. An Apple-only world is a true dystopia.