Sunday, August 19, 2012

In light of SMS security hole, Apple pushes users to iMessage

Apple is great at this: turning a negative into a positive. The company's SMS client implementation on its iOS platform was taken to task on Friday, when a security researcher detailed his findings on how it could easily be spoofed. Ah, but Apple's only response so far pushes users to an app that the company wants them to use.

While not admitting an issue (yet), Apple pointed out that its relatively new iMessage service was secure and cannot be spoofed.

"Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."

It's also true that with iMessage, you're not using text messaging, per se, so you're not being charged against your text message plan. iMessage is similar to BlackBerry Messenger, in that way.

Of course, you can also use any number of chat services, such as WhatsApp, or even AIM, Yahoo Messenger, or Google Talk, all via an app on your iPhone (or Android, if you use Google's platform).

Here's the big problem: SMS rides for free on the cellular carrier signal. It doesn't require data connectivity. It's for this reason that authorities say you should text, not call, during an emergency such as a natural disaster. All these other services would be more likely to be knocked out during that sort of event.

Naturally, we can expect Verizon, AT&T, Vodafone, Sprint, etc. to immediately ask Apple for a fix. After all, SMS plans are their cash cow, since SMS rides for free on their carrier signal, as we indicated above. If people move further toward other services, it will cut into the bottom lines of carriers.

To be clear though: SMS is still the most reliable way to send short messages. You don't need data connectivity; if you have a signal, it will probably work.

The security hole, discovered by pod2g and still unconfirmed, is that the "sending phone number" on an SMS message can be spoofed on iOS. This means you might think a text message came from your bank, when it instead came from John Q. Hacker.

The vulnerability appears to have been in iOS since its first release, said pod2g. He also added that the issue isn't isolated to just iOS, although he did not specifically mention Android or Windows Phone.

Of course, a little common sense can safeguard against spoofing. Don't click on links in text messages, just as you are not supposed to click on links in emails from "your bank." You don't, do you?
