Yesterday we broke the news that our friend and iOS hacker pod2g had uncovered a major security flaw in the way the iPhone handles SMS. The exploit basically allows anyone to specify a different “reply-to” phone number when sending you a text message. You can easily imagine various scenarios of how this could be used maliciously.
Today, Apple sent a statement that doesn’t necessarily makes us feel better about the exploit found, but which does insist on the fact that iMessage is more secure than standard text messages…
In a statement sent to Engadget, Apple explains:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
Apple is basically telling us two things here:
- iMessage is safer than SMS
- They are not going to do anything about this SMS exploit
Move along, sir. If you expected Apple to take care of this safety concern for you, you’re going to have to rethink your expectations. To be fair though – and noting that I am no SMS expert – it is my understanding that SMS is an international standard that is mostly a carrier responsibility, and I don’t think Apple can do anything about this issue. But again, I’m no SMS/security expert and I might be wrong.
Lesson learned. Do not trust any suspicious text message! But didn’t we already know that?