13 comments

[ 4.8 ms ] story [ 37.9 ms ] thread
Never trust any SMS you received on your iPhone at first sight.

Perhaps I don't understand, but why single out the iPhone? Isn't every phone that receives SMS vulnerable? Couldn't you perform this "attack" with any phone or modem capable of sending SMS?

I remember something a while back where you could spoof SMS to send tweets to Twitter as someone else. I assume that's also still possible?

It's incredibly simple to send an SMS from any number, or indeed non-numeric text, to anybody.
Perhaps because the author found a flaw specific to iOS.
(comment deleted)
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin."
What device currently out there does display the from/reply-to?

Spoofing the reply-to or what number a message came from is easy, and has been used before to fake post messages to peoples twitter account for instance, same could probably be done with Facebook if someone has the SMS feature turned on.

I don't remember any of my phones ever having a feature that allowed me to see the Sender/Reply-to for any text message I've received. One thing I do know is that I trust SMS about as far as I trust my carriers and I don't trust them at all. Even if a "bank" were to text me I wouldn't use the information provided in the text to make my next move.

(comment deleted)
> On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.

This is a typo right? I could understand the issue if the reply-to is different from the apparent sender (and hidden), but if they are the same what is the issue? As stated by other commenters practically any SMS gateway allows you to set whatever originator (sender) you like.

Well, it certainly should say 'lose'.
IOS runs on Cisco routers. You're thinking of iOS.

/pedantry

The Hacker News software capitalize the title of the posts, thus transforming the correct "iOS" (as seen in the title of the blog post itself) in "IOS". I believe pg added some exceptions since I've seen "iPhone" and "iPad" properly capitalized in the past, but it seems "iOS" is not in that list yet.
The trick is to put a space before the first word of the title.
It's useful pedantry though.

The title got me scratching my head about how IOS even deals with SMS