Wednesday, 29 August 2012

Apple claims to be serious about security, totally misses the point

Apple has been dealing with a little bit of a security mess since it was revealed last week that a security hole in their SMS messaging service will still be an issue in IOS 6.

The hole allows attackers to send messages to an iPhone with a false sender identity. In other words, you might think your friend Ted is sending you an exciting link to, when in fact, the link points to a malicious website.

The deception works through a feature in SMS protocol that allows a different “Reply to” address than that of the sender. Since the iPhone identifies the sender by the “Reply to”, users would likely think they are receiving the message from the person they would reply to.

Attention to the hole was made public last Friday by a hacker that goes by pod2g. 
"If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else," pod2g wrote. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."
So what’s Apple’s solution? Don’t use SMS.


iPhone to iPhone texting is easily accomplished with Apple’s iMessage protocol that sends messages over the web rather than SMS networks. Because iMessage users are verified against email addresses, the messages are impossible to spoof. The problem is, of course, that not everybody uses an iPhone. Your friends with Androids will still be texting you with SMS. So any hacker with half a brain can still spoof messages as long as the receiver thinks he’s receiving from someone with an non-iPhone.

Apple: You’ve got a big release coming up with the iPhone 5. Pull your act together.

No comments:

Post a Comment