Yesterday we reported on an SMS exploit
that could cause iPhone users to send text messages to numbers they haven't selected, and now Apple has responded by warning users to be cautious when using SMS — and pointing to iMessage as a more secure alternative. "Apple takes security very seriously," a company spokesperson told us. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."
As highlighted by iOS hacker pod2g, the vulnerability consists of changing the "reply-to" field in the header of an SMS message. In the iOS Messages app, users see the number specified in the reply-to field as the originator of the message, even if it has come from a different source.
Any replies would then be routed to the actual sender rather than the number shown in the app — without the iPhone owner ever noticing a difference.
It's important to note that the underlying ability to change the reply-to field isn't tied to just the iPhone. "One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone," the spokesperson said, "so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS." That said, with all the attention the matter has been getting, we wouldn't be surprised to see Cupertino tweak the application to try to resolve any confusion before iOS 6 is released later this year.
Update: An earlier version of this story inaccurately described the reply behavior on the iPhone. The Messages app shows users — and sends any replies to — the number that is specified in the reply-to field. This field can be spoofed when sending a message to any phone. However, it's up to the SMS implementation on a given device to determine whether the actual sender or the reply-to information is shown.