Apple warns of SMS spoofs – but is iMessage any better?
Apple has advised iPhone owners to use its own iMessage instead of SMS, following warnings over text message spoofing – raising questions about how its own system is secured.
A security researcher calling himself “pod2g” reported that it was easy to send spoofed text messages to iOS devices, as the operating system doesn’t clearly show the source of an SMS – meaning a text could appear to come from a bank or friend, and actually come from someone else.
Apple acknowledged the weak point, but said using iMessage avoids the problem. “Apple takes security very seriously,” Apple said in response. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.”
“One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS,” it added.
Apple isn’t just making excuses, according to Real World Columnist Davey Winder. “The truth of the matter is that this is not an Apple, an iPhone or an iOS issue at all: it’s a SMS issue,” he noted on DaniWeb. “The entire SMS text message system has pretty much nothing by way of useful authenticity checking along the way built in, it was never developed as a ‘secure’ messaging system.”
“You only have to go Google for SMS spoofing sites on the web to discover that there are plenty which provide the service, either for free or for a fee, and the recipient phone handset matters not one jot,” he pointed out. “As long as the handset itself allows that UDH [User Data Header] indicator for the alternative reply-to address to be changed then all bets are off.”
However, as the original researcher pointed out, iOS does allow User Data Header data to be edited, and he called on Apple to fix it. “In a good implementation of this feature, the receiver would see the original phone number and the reply-to one,” pod2g noted. “On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin.”
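The "good implementation" pod2g describes can be sketched from the receiving side; this is an added example, not code from the article, the researcher or Apple. It assumes the reply-to address travels as the Reply Address Element (IEI 0x22) defined in 3GPP TS 23.040, handles numeric addresses only, and uses hypothetical function names and a constructed sample message.

```python
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element, per 3GPP TS 23.040 (assumed IE)

def parse_udh(user_data: bytes) -> dict:
    """Split a User Data Header into {IEI: data}; input starts at the UDHL octet."""
    if not user_data or len(user_data) < 1 + user_data[0]:
        raise ValueError("UDH length exceeds user data")
    header, elements, i = user_data[1:1 + user_data[0]], {}, 0
    while i < len(header):
        # Each element is IEI, length, data; reject any that runs past the header.
        if i + 2 > len(header) or i + 2 + header[i + 1] > len(header):
            raise ValueError("information element overruns header")
        elements[header[i]] = header[i + 2:i + 2 + header[i + 1]]
        i += 2 + header[i + 1]
    return elements

def decode_address(field: bytes) -> str:
    """Numeric address field: digit count, type-of-address, swapped-nibble BCD."""
    if len(field) < 2 or len(field) - 2 < (field[0] + 1) // 2:
        raise ValueError("address field truncated")
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in field[2:])[:field[0]]
    international = ((field[1] >> 4) & 0x07) == 1
    return ("+" if international else "") + digits

def sender_display(originator: str, user_data: bytes, udhi: bool) -> str:
    """Sender line for the UI: always the origin, plus the reply-to if it differs."""
    if not udhi:  # no User Data Header present, nothing can redirect replies
        return originator
    reply = parse_udh(user_data).get(REPLY_ADDRESS_IEI)
    if reply is None:
        return originator
    reply_to = decode_address(reply)
    if reply_to == originator:
        return originator
    return f"{originator} (replies go to {reply_to})"

# Constructed sample: UDHL=0x0a, IEI 0x22, 8-octet address field for
# +447700900123, followed by two placeholder body octets (not decoded here).
SAMPLE_ORIGIN = "+447700900999"  # constructed originating address
SAMPLE_USER_DATA = bytes.fromhex("0a22080c91447700091032") + b"\x00\x00"

if __name__ == "__main__":
    print(sender_display(SAMPLE_ORIGIN, SAMPLE_USER_DATA, udhi=True))
```

Showing both numbers keeps the origin visible even when the header redirects replies, and a malformed header raises an error rather than being silently trusted.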
Apple’s suggested solution has one notable flaw: to use its iMessage system, all your friends and family will also need to be iOS users.
However, it is an improvement on text messaging in terms of security, researchers said. “iMessage is certainly far more secure than SMS,” pod2g noted via Twitter. “I’ve no doubt about it.”
Another expert, Professor Matthew Green from Johns Hopkins University, agreed that iMessage appeared to be a security improvement, but while Apple promises “secure encryption” for iMessage, it isn’t open about how the protocol actually works.
“We ought to know how secure it is and what risks those people are taking by using it,” Green said in a blog post. “The best solution would be for Apple to simply release a detailed specification for the protocol – even if they need to hold back a few key details. But if that’s not possible, maybe we in the community should be doing more to find out.”