Aug 20 2012
Recently, a security blogger put up a post that set the iOS world on fire. That, in and of itself, isn’t exactly a rare occurrence, but this particular problem is pretty serious.
The basic upshot of the post, in plain English, is that someone can send you an SMS text message and make it look like it came from someone else. That means your iPhone would show that the text came from your Mom, even though it came from an attacker instead. This is a problem because a text that appears to come from your Mom might ask for sensitive personal information — like your Social Security Number — and you’d be likely to give up that info when you think the person texting you is someone who should have it.
One thing to note before we go forward. The security hole is in SMS itself, not specifically in anything iOS does with text messages. iPhones are simply the first major platform to be publicly outed as being vulnerable to the issue.
So how do you fix it? Well, you cannot directly fix the issue, as it is part of the core code-base of iOS and not something you can fiddle with. Apple may fix it with iOS 6, and so it may not be an issue for much longer, but the fix is NOT in the beta releases so far.
In the meantime — and even if you’re not on Apple gear — you can take some security precautions to protect yourself:
1 – Always assume the person texting you isn’t the person who shows up in the name header of the text itself. Much like with email, it’s just too easy to forge the “From:” field, allowing people to masquerade as whoever they want to be.
2 – Never give out personal information in SMS text messages. This is a basic rule of thumb online: do not email or text anything that’s private information, even if you DO know who you are talking to. Call the person and tell them the information instead. This goes for Social Security numbers, medical information, system passwords, or anything else you’re not comfortable sharing with the whole world.
So, if Mom does ask for your SSN in a text message, tell her you’ll call her in a few minutes and tell her what it is on the phone.