3

edit

Based on comments and answers, there seems to be some misconception. Allow me to clarify:

  • I have of course searched for REG-RESP on Google prior to writing this question, but what is to be found is not helpful, or from what I can tell, even related (other than incidentially having the keyword in the text). There are a hundred thousand hits of some users wanting to use FaceTime or iMessage having trouble activating the service. This is not my issue.
  • I do not want to use FaceTime/iMessage, and I do not want to troubleshoot why FaceTime isn't properly activating or whatever. I explicitly deactivated both FaceTime and iMessage along with everything else that can be deactivated and isn't necessary to use the phone as a phone ("speak into the little hole, listen on the other side").
  • The phone has been working fine with no disturbances in this configuration since mid/end of April, until suddenly messages started coming in 3-4 days ago for no obvious reason. I did not use FaceTime or iMessage, or attempt to use it, nor register/activate or request anything.
  • No longer getting messages now. I didn't do anything to fix it.

/edit

Since about three days, I'm getting suspicious SMS sent to my phone (iPhone) in 12 hour intervals (seemingly from a UK number, but it's quite possibly, even probably, spoofed).
There is no "obvious reason" from my side why I should be getting these. The phone is a corporate phone, number is not "publicly listed", the phone is not being used for "anything not business", in particular none of this modern social media share-everything crap (facebook, twitter, and whatever you call it).

Newest firmware, bare minimum of apps installed on the phone (even removed anything Apple installs by default that you can remove, disabled what you cannot remove), every setting is, to the best of my knowledge, set to "paranoia mode". I did not contact anyone (not anyone not-within-corp) recently, nor disclose my number to some internet merchant or similar.

Thus, the only logical explanation seems someone is script-kiddying random phone numbers with some unknown-to-me kind of exploit (but if someone is probing random numbers, why am I getting these over and over again in 12 hour intervals?).

The Messages look like this:

REG-RESP?v=3;r=123456789;n=+491234567890
s=123456789ABCDEFFFFFFFFF01234567890ABC
01234567890...

(I replaced the digits with 12345... in case they're something "sensitive" -- for all I know these messages might as well be some highly illegal unilateral communication accidentially sent to the wrong guy's phone. The obscure 48-digit number might be a code for "terror strike tomorrow" to this scary Maghreb guy living down the road, you never know. So I wouldn't want to publish the actual numbers on the internet.)

The first number is seemingly random, the second number is the phone's number including country code, and the last number is an always-constant prefix of 10 hex digits followed by FFFFFFFF, followed by a seemingly random 48-character hex number.

The messages somewhat look like a query string that you would expect to be sent to a REST service (without host or path). Except my cell phone is, well, a cell phone, not a public web server.
The iPhone doesn't seem to know what to make of the messages either, it simply displays the message text as-is (well, luckily...).

There does not seem to be any suspicious outgoing communication from the phone. Turning off WLAN, the bandwidth quota shown by the provider does not seem to grow. With WLAN turned on and wiretapping on the router, one of the other odd connection to Apple is made every now and then (probably checking updates?), and nothing else.

Is this kind of request aiming at a known exploit in some phones? Seeing how the Apple phone doesn't seem to understand it, maybe Android phones?

Otherwise, any idea what this may be? Botnet control messages?

Community
  • 1
Damon
  • 5,211
  • 1
  • 21
  • 26
  • When I Google "REG-RESP?v=3" I get a ton of helpful resources, like: http://forums.macrumors.com/threads/imessage-uk-o2-receiving-automated-sms-but-not-activating.1641410/ – schroeder Dec 07 '16 at 07:39
  • Our whole point (and the point of the Google links) is that this is not an exploit but an expected message. Talk to your work's tech support. iMessage and FaceTime are built-in Apple services to your phone. I'm confused that you Googled the message, but then came to the conclusion that this was some script kiddy or terrorist message. It is obviously an Apple internal service message and the format is identical to what you found on Google. – schroeder Dec 07 '16 at 09:03
  • @schroeder: Well, only because something looks like something, it doesn't have to be of that kind. That being said, the link that I've emailed you to verify your bank password is perfectly legitimate, please click on it :-) No, seriously, what makes these messages suspicious to me is that the messages came "out of the blue", without my interaction (those users found by Google know, or should know, why they're suddenly getting them -- they enabled the service and clicked on the "activate" button). And now they've stopped coming in, without me doing anything at all. Ah well :-) – Damon Dec 07 '16 at 17:36
  • This is an iMessage response text Apple uses to validate your number. It's supposed to be intercepted by iOS and thus invisible, however its format gets altered on the way to your device and no longer looks like the standard verification text, so the OS doesn't recognize it and instead displays it to you. – André Borie Feb 19 '17 at 02:11

1 Answers1

4

It is your phone attempting to connect to facetime or imessage. You can turn this off if you wish. I don't like to assume, but my assumption here would probably be that there's nothing malicious going on.

Try this : If you get an error when trying to activate iMessage or FaceTime

As an aside: There's a lot on Google for this. It would've taken you a lot less time to google "REG-RESP?v=3", for example, than it took to write your question.

GAD3R
  • 2,231
  • 3
  • 18
  • 38
  • 1
    That's right, but the thing is... I have FaceTime disabled (I don't even know what it is, but the name sounds like some facebook stuff that I don't want!). I checked again right now, and yes, it is absolutely positively disabled. I have never used that service (nor iMessage, I wouldn't know what that is), nor have I initiated the "activation process" indicated on that Apple help site you linked to. In the config screen where you turn it off, it explicitly says "no activation", too. – Damon Dec 06 '16 at 13:23
  • I'm not going to try and troubleshoot why Apple is doing this since it's not the question you asked and there are too many config-specific variables to take into account, but I'm (fairly) certain that that's what's going on. My answer to your question Otherwise, any idea what this may be? Botnet control messages? is that yes - I have an idea, I think (for some reason) you have visibility of your device's attempt to connect.I suspect (I don't know for certain) that all of your other concerns are well off the mark. I don't think this is some sort of 'botnet control message' or attack of sorts. –  Dec 06 '16 at 14:07
  • Also, FaceTime is Apple's video calling feature. iMessage is Apple's messaging service. When enabled, your device will send an iMessage to any recipients who also have iMessage enabled. Otherwise it'll fall back to SMS. –  Dec 06 '16 at 14:08
  • @Damon See this answer on Apple Support Communities – GAD3R Dec 06 '16 at 14:36