Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
IOS Iphone Security Apple

IOS 13 Lock Screen Lets Anyone See Your Address Book (theregister.co.uk) 45

Slashdot reader dryriver writes: A security researcher discovered that if you get your hands on someone else's iThing running iOS 13, and place a phone call to it, you can choose to respond with a TXT message, and get to see the contents of the address book on the iThing without actually getting past the lock screen...

The security researcher who found the flaw was not financially rewarded or acknowledged by Apple, but rather given the cold shoulder.
The security researcher says all he'd wanted was a $1 Apple Store card to keep as a trophy, according to The Register: The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
They also report that while the insecure-lock-screen iOS 13 will be officially released on September 19, a fixed version, iOS 13.1, "is due to land on September 30."
This discussion has been archived. No new comments can be posted.

IOS 13 Lock Screen Lets Anyone See Your Address Book

Comments Filter:
  • I wonder how could they possibly miss such a thing
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      They didn't miss it. The price of putting convenience over security is courage.
  • ... it's always something. ~ Gilda Radner

  • I donâ(TM)t see any mention that he waited the customary 90 days before blabbing about this low-level vulnerability (have to have the phone in hand, have to receive a call, have to know that you can respond to a call with a text, etc.).

    If he did wait, then it was ok to publish; but it is still pretty low on the âoeexploitableâ scale.

    And do you actually get access to the entire Contact info, or just the names?

    • The video appears to show him accessing the actual contact card, but it wasn’t populated with anything but an email address so there’s no way to tell for sure.

      Also, the video shows this working with FaceTime, not a regular call.

      Since iOS 13 is still in beta, I would expect Apple to treat reports like this as part of the beta testing process. I’m not sure why anyone here would expect them to pay a bounty.

      • by N1AK ( 864906 )

        Since iOS 13 is still in beta, I would expect Apple to treat reports like this as part of the beta testing process. I’m not sure why anyone here would expect them to pay a bounty.

        Unless the summary is impressively misleading then this flaw is going to be released into the live product. If the version he found the flaw in is so close to release that they can't fix the bug before release then I really don't see why they shouldn't include it in their bounty program; how does it make sense to give people

        • by tk77 ( 1774336 )

          I guess the question is that since it's noted as being fixed in 13.1, was it found before he reported it. If it was an already reported issue that was found too late to be fixed in the .0 release, then it makes sense that they wouldn't award him with anything since they already knew about it.

          When dealing with Apple (and probably most companies) and major updates its usually best to wait for a patch or two before upgrading anyway. The fixed version will be out a little over a week later, so this could act

          • by N1AK ( 864906 )
            The issue with waiting a patch or two is that if there's a security flaw in a previous release you are depriving yourself of that fix for an extended period. So you're just swapping one risk for another. Even putting that aside I doubt many people would effectively check and manage iOS updates manually, based on relatively extensive experience with corporate devices, and unless they do then setting it to auto-update is almost certainly the better option.
  • TFS disingenuously fails to mention that Appleâ(TM)s policy is to not pay bounties in Beta Versions of software.

    iOS 13 has not been released as of today, and is still in the âoePublic Betaâ status.

    He wasnâ(TM)t denied his âoebountyâ because Apple is Mean; he was denied it because iOS is still in Beta.

    Typical Slashdot Apple FUD.

    • by Opportunist ( 166417 ) on Sunday September 15, 2019 @12:10PM (#59196826)

      In other words, the smart thing on his side would have been to wait for them to official release it and then inform them about the bug.

      Lesson learned, don't tell Apple about their security problems while their software is still in beta, wait for them to officially release it.

      • It was an obvious hole, though. Someone else might well have found it before release. I think announcing it is the smart thing to do here, if the goal is to get something out of the discovery, even though the only thing being gotten is attention.

        • Someone else might well have found it before release.

          Someone did, that's why TFS reports that the issue is not present in iOS 13.1.

  • They can nag me until the end of September to upgrade, but leaving a known flaw in a major release is criminal, and I'm not taking any chances with whatever ELSE wasn't fixed.

    • Let me know when you find bug-free software. I think snipes use it.

      • by sehlat ( 180760 )

        I am well aware that NO software is bug free. On the other hand, there is something
        that appeals to their customers' akratic tendencies to glom onto the latest goodies
        and very ugly about releasing software with publicly revealed vulnerabilities.

    • Comment removed based on user account deletion
      • by sehlat ( 180760 )

        Did you READ the article? The September 19 release will have the bug in it. NOT BETA!

        Until the end of September, that vuln will be in the public domain.

        • Quite frankly:

          1. you donâ(TM)t know what version of iOS 13 iPhones will ship with. There is still time to re-flash phones currently in production. This isnâ(TM)t the 1990s, where discs had to be duplicated. I would imagine that Appleâ(TM)s Contract Manufacturers have custom gang-programming jigs that can program a hundred iPhones simultaneously in a few seconds. Not much âoelead timeâ is needed to get this fix rolled out.

          2. As far as vulnerabilities go, this ranks pretty far down on

          • by sehlat ( 180760 )

            I've seen no mention of the amelioration of the bug. If you have a link to a description of the setting, please put it up for to be learned. Thank you.

        • Comment removed based on user account deletion
  • Keep screwing over your bounty hunters by not delivering, you know what's coming? They're going to get their money some other way.
    • Comment removed based on user account deletion
      • Exactly. If your goal is to make money off your research, you wait until the release and then get paid. The only thing you're risking is not getting the recognition. Unless of course that was the goal of the researcher, then mission accomplished.

  • Guess what? Every single personal electronic device being sold today has security flaws, at least 3 of which are serious and 1 of which is a fundamental compromise. OK, 1 and 3 are made-up numbers, but the point stands: there is no magic consumer grade [1] super-secure system that is usable and affordable, and there probably never will be. It will be a game of attacker/defender for the next 1000 years.

    [1] probably no fundamentally secure nation-state grade system at any cost either, but that is harder t

  • First you have to know the phone number for the iPhone you have. Siri will not tell you without unlocking the phone.

    Secondly, even if you did this afterward the person would have a record you had called their phone.

    Realistically, why is the best thing to do here - not to let you see your address book to add other people if you are responding to a call as a text?

    If someone physically has your phone there are lots of potential avenues for attack, this seems pretty weak.

    • Firstly "Is this even really a flaw?", yes, of course it is. It's fixed in iOS 13.1 because it is a flaw. The messages app should not be able to access the address book while the phone is locked.

      First you have to know the phone number for the iPhone you have.

      No, you need to receive a call from anybody and typically when people lose their phone calling it is one of the first things they do.

      Is this a major issue? No. But it highlights the "tacked on security" model that is being used, it shouldn't be up to app to decide whether or not it can access private data while the

      • Comment removed based on user account deletion
        • No, you need to receive a call from anybody and typically when people lose their phone calling it is one of the first things they do.

          How would you CALL your phone when you've just LOST your phone?

          You mean the concept that you can make a phone call from a phone other than your own one is foreign to you?

          Also, before going on, I feel obliged to ask... do you have any data on that claim, that that's the first thing people typically do? Is that data up to date?

          Yes I did extensive studies on this.

          I don't think that's what anyone typically does anymore in today's world, even if they ever did, they wouldn't now, especially when one doesn't have the ability to DO that.

          Nobody has the ability to call your phone?

          If you have an iPhone, unless you're walking around with TWO phones, calling it is NOT the first thing you do because you CAN'T, because you just lost the very thing you'd use to CALL It

          You do realise that every call that you receive on your phone comes from phones that are not your phone right?

          So if you don't have anything else capable of making phone calls without your (now hypothetically lost) phone, I'm not sure how you would even CALL it if you wanted to.

          "Hey friend/relative/co-worker/random person/etc... " ... get the picture?

      • by garote ( 682822 )

        All security in an information-providing device that can be physically stolen, is "tacked on". Quite simply because there IS NO security measure that is proof against physical access to the device.

        What you are referring to is a deliberate design decision to poke a hole in their security model to provide access to contact information when a call is received. It has nothing to do with the model, and everything to do with how the model is being used.

        Ease of access is a legitimate factor in good design, and m

  • 3-2-1! Contact -- is the secret -- is the moment -- when everything happens...

    https://www.youtube.com/watch?... [youtube.com]
  • .... Except when it doesn't.
  • A couple of articles above this one asks, "Can the lack of privacy be weaponized?", well I guess the answer is yes.
  • The researcher should remind apple about the C.I.A. triad (confidentiality, integrity, availability) and then ask them which one of the following was broken?

Avoid strange women and temporary variables.

Working...