Wednesday, May 29, 2013
Apple iPhone SMS flaw discovered; Apple's solution: use iMessage instead
Last Friday, pod2g disclosed a flaw in the SMS application used in the Apple iPhone. The flaw allows the sender of a malicious message to spoof the address so that the message appears to come from a trusted source. For example, "pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website." This flaw is still present in the latest beta of iOS 6, the next version of iOS, which will be released together with the next iPhone.
Apple's response to the matter has effectively been to say "use iMessage instead":
"Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS." (Source: Engadget).
The response is a bit odd. Instead of promising a fix, Apple seems to be saying that you really cannot trust an SMS message received on an iPhone. I am not sure if Apple has no plans to fix the problem or simply wants to downplay the issue now, since there is no time to implement a fix before the release of the next iPhone. In any event, using iMessage is not a solution. Not everyone is on an iPhone, and those who are, are not all on unlimited data plans. And what about messages from other people? You cannot always reply by iMessage.
In any event, with the nature of the flaw now public, the best advice is not to fully trust that SMS messages received on your iPhone come from the source indicated in the message. Basically, do not reply with any sensitive information via SMS, and do not click website links in SMS messages you receive.