Apple responds to iPhone SMS security vulnerability

The company says the threat of text message spoofing is a limitation of SMS. Oh, really?

More ways for texts to get yucky. CNET

Yesterday I reported on revelations that iPhones may be particularly vulnerable to an SMS spoofing attack. Basically, because of the way iOS handles text headers, a nasty person could manipulate the "reply-to" number to appear to be someone they're not, like a financial institution.

After a hacker revealed the vulnerability earlier this week, Engadget received this response from Apple on the matter:

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS.

I've never written a messaging app that works with SMS before, but it would seem to me that completely passing the buck on to the technology as Apple seems to be doing here, is a cop-out. As hacker pod2g explained in his post on the vulnerability, the text header contains both the actual originating number of a text, and the reply-to text. Making both fields a little more visible would certainly be a start, although it's true that SMS is far from being iron-clad in terms of security.

With that in mind, continue to be vigilant about text messages and careful about how you use them. There are a number of different ways to do your banking these days -- SMS shouldn't be one of them.

I've contacted Apple for comment and will update this post if and when I hear back.

 

Join the discussion

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

HOT ON CNET

Want affordable gadgets for your student?

Everyday finds that will make students' lives easier: chargers, cables, headphones, and even a bona fide gadget or two!