Apple's response to iPhone SMS security loophole: 'Use iMessage'
Apple (NASDAQ:AAPL) has responded to a security flaw that renders SMS services across iOS devices vulnerable to attack, suggesting that its over-the-top iMessage solution presents a safer alternative than conventional messaging tools.
Late last week, a French hacker identified an iOS loophole enabling scammers to spoof their identities and transmit malicious text messages that appear to originate from banks or other trusted sources. The hacker, who calls himself "pod2g," says the glitch impacts all versions of iOS "since the beginning of the implementation of SMS in the iPhone" and is also present in the current iOS 6 beta 4.
"Apple takes security very seriously," the company said. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS." Apple did not disclose what steps it plans to take to resolve the issue, if any.
According to pod2g, the spoofing flaw is a byproduct of the process that converts text messages to the Protocol Description Unit mode for delivery. "If you either own a smartphone, or a modem and an account in a SMS gateway, you can send texts in raw PDU format (some services also exist to send a text with an HTTP request in raw PDU format)," pod2g explains. "In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: A special number like 911, or the number of somebody else."
Apple suggests using iMessage as an SMS alternative while it fixes the security loophole.
Pod2g states that when UDH is properly implemented, SMS recipients will see the both original phone number and the reply-to number. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin," he adds.
Apple introduced iMessage in October 2011, concurrent with the launch of its iOS 5 operating system update. The service enables users to send free text messages, photos and videos among all iOS devices. Despite the introduction of over-the-top services like iMessage, Facebook, Skype and Twitter, 91 percent of U.S. smartphone owners still actively use SMS, according to a survey conducted this spring by Vanson Bourne on behalf of mobile messaging firm Acision.
- read this Engadget article
Acision: 91 percent of U.S. smartphone owners actively use SMS
Wireless operators and OTT players: friends or foes?
T-Mobile USA passes 1M Bobsled users, 10M free calls
SMS no longer dominates mobile data revenue stream
Ovum: Operator SMS revenues fall $13.9B due to social messaging