Apple has responded to recent reports of the vulnerability of its text message service by telling users to be careful when using SMS and to use iMessage instead.
Last week, a French hacker, known as pod2g, wrote a blog post which detailed a flaw in iOS that he deemed to be “severe”. In short, the hacker found it was possible to spoof a text message and manipulate the “reply to” address within the header section of the SMS app. In so doing, the user can be tricked into thinking they are replying to a known contact, when in fact the message is being sent to another unknown recipient without their knowledge.
Pod2g says the security flaw is an issue because it could be used for phishing by sending a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated Web site. “Anything you can imagine that could be utilised to manipulate people, letting them trust somebody or some organisation.”
Pod2g appealed to Apple to fix the flaw before the final release of iOS 6 and told users to never trust any SMS received on an iPhone at first sight. It is notable, however, that the problem is not with iOS alone, and rather with SMS technology itself.
A number of different services exist, which allow hackers to spoof text messages, and any phone that uses SMS, regardless of model, carrier or operating system, can be tricked in a similar way to the iPhone. As a result, it is advisable to always be suspicious of any text message requesting personal information.
The iPhone is particularly vulnerable to this type of attack because the simple interface displays only the name of the sender rather than the number from which the text message was received (and to which the user is replying). So a hacker could conceivably send a message that appears to be from “Mom” or any other contact.
Responding to the reports, Apple issued a statement saying it takes security very seriously and emphasised the security of its iMessage platform.
“When using iMessage instead of SMS, addresses are verified, which protects against these kinds of spoofing attacks.
“One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS.”
While iMessage may be a free and secure option for messaging, the service can only be used when sending messages between iOS and Mac OS X users, so it is not an option for users needing to send and receive messages beyond the Apple ecosystem.
Share