Apple has released an official statement on reports from hacker Pod2g and others that a serious flaw exists in the SMS protocol that allows spoofing of addresses, meaning that users could receive messages (directing them to websites or phone numbers) that aren’t from the party they appear to be from. Apple’s statement points out that iMessage does not have the same problem.
Although Pod2g’s initial reporting of the flaw (which he has said is likely known to malicious groups) suggested that the problem resided in iOS’s implementation of SMS, Apple’s statement appears to suggest that the problem was known to the company and is inherent in the SMS protocol itself, meaning that the issue could also affect Android, Windows Phone and other platforms, including those used by feature phones.
A number of third-party sites already offer to send SMS messages while hiding the sender’s real identity; they work with any carrier, OS or handset model, though they are usually not intended to facilitate criminal fraud.
Apple’s statement says that it takes security very seriously, but notes that “one of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.” It also notes that when using iMessage — which works between iOS devices, or between iOS and Macs running OS X Mountain Lion — “addresses are verified, which protects against these kinds of spoofing attacks.”
The statement is Apple’s most direct attack thus far on SMS, the standard for cross-platform texting and a major profit vehicle for carriers. The iPhone maker has promoted iOS 5’s iMessage as a superior alternative for a variety of reasons, even though it is limited to iOS and some Mac users thus far. The feature has proven to be a hit with users, who are able to text (including pictures and other media) even internationally over 3G, LTE and Wi-Fi without affecting their carrier’s texting limitations or incurring roaming charges. Carriers have been vocally unhappy with iMessage, as they believe it eats into the profits they make from texting.
If the issue is truly a problem in the SMS protocol itself, the flaw is likely to hit non-iOS and feature-phone users the hardest, as there is not yet any equivalent to iMessage on those platforms. Given that spoofed texts could tempt users to click on a malicious website or manipulate them with social-engineering-style deceptions, users on iOS and other mobile platforms should treat incoming SMS messages — particularly those that appear to come from official-sounding senders such as banks, or that invite the user to respond to a website or address — with suspicion until more is known about the flaw, or steps are announced to fix the issue.