page 1 of 2
Apple recently admitted to a security flaw with the iPhone’s SMS (short message service). The flaw allows nefarious users to spoof a “reply-to” number, which is the only number displayed on the message. This enables phishing, as a con artist can pose as a legitimate financial institution, drawing you in to their web of lies. Email also suffers from this vulnerability. Malicious users can send an email and specify any sender’s address. The difference is, with SMS, the messaging client could display the original number, which is part of the header data. There is a real solution to this vulnerability.
“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
This “let them eat cake” suggestion is no real solution. Many people need to communicate with friends and family who are outside of the Apple ecosystem. iMessage only works on Apple devices. Instead of providing a real solution, Apple has taken advantage of a security flaw and used it to drive adoption of their devices.
A solution to this problem is not difficult. Apple would only have to show the number of origin, instead of (or in addition to) the “reply-to” number, which can be changed to anything by the sender. Unfortunately, beta versions of iOS 6 show no solution to this issue. Official Apple communications tell users to just use iMessage, which is not a solution at all. How do you communicate with an Android user via iMessage? How do you communicate with friends and family who have non-smart feature phones? You cannot use iMessage to send SMS messages. Furthermore, this does not prevent malicious users from sending you an SMS. After all, that’s how phishing scams work. As it stands, the iPhone is a conduit for forged SMS messages, and Apple does not want to fix this.