Is it just me, or does it seem like stories about Apple’s security woes are beginning to pile up? Today’s story involves the vulnerability of the iPhone’s SMS text messaging system. Apparently, there is a flaw in the phone, unique to Apple, which increases the likelihood of a phishing attack via text, aka smishing.
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.
Bottom line, the researcher (or hacker) added: Never trust an SMS received on an iPhone.
The security problem here is thinking you received a message from someone you know — your spouse, your boss, your bank — but the message is spoofed. Thinking you are sending a return message safely, you could be revealing sensitive work information or details about your financial accounts to criminals.
I can see where this is a problem, at least according to my Facebook and Twitter feeds. The announcement of the flaw explains why a number of my friends have sent out posts saying, “If you got a text message from me about a Best Buy deal, don’t respond. I didn’t send it!” I know for a fact that several of those people use iPhones.
Apple, of course, has responded to the problem in what has become an increasingly common manner: The company acknowledged the situation without really doing anything about it. The response sent to Engadget sounds more like Apple is putting the responsibility on the people who receive texts on their iPhones:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.
No, Apple, what you should be saying is enough is enough and you are tired of the bad security publicity. This is not to say that Android or Windows or anything else is without fault, but at least with those companies I feel like someone is taking the problem seriously, instead of just saying, “Be careful.” Otherwise, it is a disaster waiting to happen.