Apple Admits Text Messages Insecure, Recommends iMessage Instead
An iPhone displaying an iMessage chat.
CREDIT: Apple, Inc.
Your friend just texted you on your iPhone. But how do you really know it's him?
According to a well-known Apple hacker, you can't.
According to Apple, you should be using the Apple-only iMessage service instead.
French iPhone hacker "pod2g" seemed surprised Friday (Aug. 17) when he posted on his blog that he'd figured out a way to "spoof" text messages, also known as SMS messages, so that they appeared to come from someone other than the sender.
"One of [the SMS protocol] options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one," pod2g wrote.
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin."
In other words, someone could send you a text message pretending to come from your grandmother, your boss or your best friend. If that someone were malicious, he could send mobile malware as an attached picture or sound file along with that text message.
However, this is not exactly news. SMS spoofing has been around for years, and many websites offer commercial SMS-spoofing services for the use of pranksters and advertisers.
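The display behavior pod2g calls "a good implementation" can be shown in code. This is an added example, not code from pod2g, Apple or the article; it assumes the reply address travels as the "Reply Address Element" (identifier 0x22) of the SMS User Data Header defined in 3GPP TS 23.040, which the article does not name, and the function names and phone numbers are constructed for illustration.

```python
REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element" in 3GPP TS 23.040 (assumption, not on the page)

def iter_udh(udh: bytes):
    """Yield (IEI, data) pairs from a User Data Header, length octet included."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDHL does not match header size")
    i = 1
    while i < len(udh):
        if i + 2 > len(udh):
            raise ValueError("truncated information element header")
        iei, iedl = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("truncated information element data")
        yield iei, data
        i += 2 + iedl

def decode_address(field: bytes) -> str:
    """Decode an address field: digit count, type-of-address, swapped BCD digits."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa, body = field[0], field[1], field[2:]
    if len(body) != (ndigits + 1) // 2:
        raise ValueError("address length mismatch")
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in body)[:ndigits]
    if not digits.isdigit():
        raise ValueError("only numeric addresses are handled here")
    # Type-of-number 001 in bits 6-4 marks an international number.
    return ("+" if (toa >> 4) & 0x07 == 1 else "") + digits

def sender_label(originator: str, udh: bytes) -> str:
    """Keep the network-supplied originator visible; show any reply-to beside it."""
    reply_to = [decode_address(d) for iei, d in iter_udh(udh) if iei == REPLY_ADDRESS_IEI]
    if not reply_to or reply_to[0] == originator:
        return originator
    return f"{originator} (replies go to {reply_to[0]})"

# Constructed sample: a concatenation element followed by a reply-address element.
SAMPLE_UDH = bytes.fromhex("0D00032A01012206089151551000")

if __name__ == "__main__":
    print(sender_label("+15550123", SAMPLE_UDH))
```

The label never substitutes the reply-to number for the originator, so the recipient keeps track of where the message actually came from.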
Apple responded to media queries about pod2g's discovery with the public-relations equivalent of "no duh."
"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," Apple told the tech blogs Ars Technica, Engadget and The Loop Saturday (Aug. 18).
Apple's solution? iPhone owners should be using Apple's own Internet-based device-to-device proprietary messaging service, iMessage, instead.
"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks," Apple told the blogs.
Not a perfect solution
It's true that iMessage is more secure than regular SMS messaging, which travels along cellular networks rather than the Internet and was not designed with security in mind.
But it's not clear exactly how much more secure iMessage is, because Apple won't tell anyone how it works.
"And nobody seems to care," noted Matthew Green, a cryptographer at Johns Hopkins University, in a blog posting Saturday.
iMessage is "one of the most widely deployed encrypted text message services in the history of mankind," Green wrote. "It's built into the normal iPhone texting application and turned on by default. When my Mom texts another Apple user, iMessage will automatically route her message over the Internet."
"To me, the disconcerting thing about iMessage is how rapidly it's gone from no deployment to securing billions of text messages for millions of users," Green continued. "And this despite the fact that the full protocol has never been published by Apple or (to my knowledge) vetted by security experts."
Green's concerns may or may not be warranted, but Apple's security has been found to be less than perfect on more than one recent occasion.
As for iMessage itself, its one known security flaw is a strange one that hasn't been explained by Apple.
Some iPhones that have changed hands have been found to be receiving iMessages intended for the phones' former owners. The former owners have themselves gotten iMessages from the old phones' new users — on their own new iPhones.
"iMessage is important. People use it," Green wrote. "We ought to know how secure it is and what risks those people are taking by using it."