iOS 13 Lock Screen Lets Anyone See Your Address Book (theregister.co.uk)
Slashdot reader dryriver writes:
A security researcher discovered that if you get your hands on someone else's iThing running iOS 13, and place a phone call to it, you can choose to respond with a TXT message, and get to see the contents of the address book on the iThing without actually getting past the lock screen...
The security researcher who found the flaw was not financially rewarded or acknowledged by Apple, but rather given the cold shoulder. The security researcher says all he'd wanted was a $1 Apple Store card to keep as a trophy, according to The Register: The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
They also report that while the insecure-lock-screen iOS 13 will be officially released on September 19, a fixed version, iOS 13.1, "is due to land on September 30."
Re: (Score:3)
To be fair I think under Jobs this sort of design fault would have never made it out the door. But under the "leadership" of Cook all Apple seems to care about is profit and little else. If they still innovated perhaps one could forgive the less scrupulous testing but they haven't had a decent innovation since the iPhone. No, the iWatch doesn't count - Casio were doing smart watches in the 80s and just putting iOS in a watch form with a different GUI isn't innovating, it's lazy profiteering from fanboys.
As usual highly exaggerated (Score:2)
Re:As usual highly exaggerated (Score:4, Insightful)
It doesn't let _anyone_ see your address book. Only someone who managed to steal your locked phone, and who knows your phone number. Before you notice that your phone is missing and lock it down remotely.
They don't have to know your phone number, they just need to wait for somebody to call the phone, which is typically one of the first things people do if they lose their phone. But really what this demonstrates is that the security aspects are tacked on afterwards, the phone isn't in a state where the data is actually protected, if the phone is not unlocked then why can the address book be accessed by the messages app at all?
Re: (Score:2)
It doesn't let _anyone_ see your address book
Not anyone, only Jarjar.
convenience has its price (Score:1)
Re: (Score:2, Insightful)
It just goes to show you ... (Score:2)
... it's always something. ~ Gilda Radner
Re: (Score:2)
“What’s all this fuss about endangered feces?”
Mrs. Wilder was one of the best things about the original SNL.
Re: (Score:2)
A true gem. I felt bad for Gene Wilder when she died.
Did he wait? (Score:1)
I don't see any mention that he waited the customary 90 days before blabbing about this low-level vulnerability (have to have the phone in hand, have to receive a call, have to know that you can respond to a call with a text, etc.).
If he did wait, then it was ok to publish; but it is still pretty low on the "exploitable" scale.
And do you actually get access to the entire Contact info, or just the names?
Re: (Score:3)
The video appears to show him accessing the actual contact card, but it wasn’t populated with anything but an email address so there’s no way to tell for sure.
Also, the video shows this working with FaceTime, not a regular call.
Since iOS 13 is still in beta, I would expect Apple to treat reports like this as part of the beta testing process. I’m not sure why anyone here would expect them to pay a bounty.
Re: (Score:3)
Unless the summary is impressively misleading then this flaw is going to be released into the live product. If the version he found the flaw in is so close to release that they can't fix the bug before release then I really don't see why they shouldn't include it in their bounty program; how does it make sense to give people
Re: (Score:2)
I guess the question is that since it's noted as being fixed in 13.1, was it found before he reported it. If it was an already reported issue that was found too late to be fixed in the .0 release, then it makes sense that they wouldn't award him with anything since they already knew about it.
When dealing with Apple (and probably most companies) and major updates it's usually best to wait for a patch or two before upgrading anyway. The fixed version will be out a little over a week later, so this could act
Re: (Score:2)
No bounties on beta software (Score:2)
TFS disingenuously fails to mention that Apple's policy is to not pay bounties in Beta Versions of software.
iOS 13 has not been released as of today, and is still in the "Public Beta" status.
He wasn't denied his "bounty" because Apple is Mean; he was denied it because iOS is still in Beta.
Typical Slashdot Apple FUD.
Re:No bounties on beta software (Score:5, Insightful)
In other words, the smart thing on his side would have been to wait for them to officially release it and then inform them about the bug.
Lesson learned, don't tell Apple about their security problems while their software is still in beta, wait for them to officially release it.
Re: (Score:2)
It was an obvious hole, though. Someone else might well have found it before release. I think announcing it is the smart thing to do here, if the goal is to get something out of the discovery, even though the only thing being gotten is attention.
Re: (Score:3)
Someone else might well have found it before release.
Someone did, that's why TFS reports that the issue is not present in iOS 13.1.
I think I'll wait to upgrade. (Score:1)
They can nag me until the end of September to upgrade, but leaving a known flaw in a major release is criminal, and I'm not taking any chances with whatever ELSE wasn't fixed.
Re: (Score:2)
Let me know when you find bug-free software. I think snipes use it.
Re: (Score:1)
I am well aware that NO software is bug free. On the other hand, there is something
that appeals to their customers' akratic tendencies to glom onto the latest goodies
and very ugly about releasing software with publicly revealed vulnerabilities.
Re: (Score:2)
Re: (Score:1)
Did you READ the article? The September 19 release will have the bug in it. NOT BETA!
Until the end of September, that vuln will be in the public domain.
Re: I think I'll wait to upgrade. (Score:1)
Quite frankly:
1. you don't know what version of iOS 13 iPhones will ship with. There is still time to re-flash phones currently in production. This isn't the 1990s, where discs had to be duplicated. I would imagine that Apple's Contract Manufacturers have custom gang-programming jigs that can program a hundred iPhones simultaneously in a few seconds. Not much "lead time" is needed to get this fix rolled out.
2. As far as vulnerabilities go, this ranks pretty far down on
Re: (Score:1)
I've seen no mention of the amelioration of the bug. If you have a link to a description of the setting, please put it up for to be learned. Thank you.
Re: (Score:2)
Bounty hunting is grinding to a halt... (Score:2)
Re: (Score:2)
Re: (Score:2)
Exactly. If your goal is to make money off your research, you wait until the release and then get paid. The only thing you're risking is not getting the recognition. Unless of course that was the goal of the researcher, then mission accomplished.
Guess what? (Score:2)
Guess what? Every single personal electronic device being sold today has security flaws, at least 3 of which are serious and 1 of which is a fundamental compromise. OK, 1 and 3 are made-up numbers, but the point stands: there is no magic consumer grade [1] super-secure system that is usable and affordable, and there probably never will be. It will be a game of attacker/defender for the next 1000 years.
[1] probably no fundamentally secure nation-state grade system at any cost either, but that is harder t
Is this even really a flaw? (Score:2)
First you have to know the phone number for the iPhone you have. Siri will not tell you without unlocking the phone.
Secondly, even if you did this afterward the person would have a record you had called their phone.
Realistically, why is the best thing to do here - not to let you see your address book to add other people if you are responding to a call as a text?
If someone physically has your phone there are lots of potential avenues for attack, this seems pretty weak.
Re: (Score:2)
First you have to know the phone number for the iPhone you have.
No, you need to receive a call from anybody and typically when people lose their phone calling it is one of the first things they do.
Is this a major issue? No. But it highlights the "tacked on security" model that is being used, it shouldn't be up to app to decide whether or not it can access private data while the
Re: (Score:2)
Re: (Score:2)
No, you need to receive a call from anybody and typically when people lose their phone calling it is one of the first things they do.
How would you CALL your phone when you've just LOST your phone?
You mean the concept that you can make a phone call from a phone other than your own one is foreign to you?
Also, before going on, I feel obliged to ask... do you have any data on that claim, that that's the first thing people typically do? Is that data up to date?
Yes I did extensive studies on this.
I don't think that's what anyone typically does anymore in today's world, even if they ever did, they wouldn't now, especially when one doesn't have the ability to DO that.
Nobody has the ability to call your phone?
If you have an iPhone, unless you're walking around with TWO phones, calling it is NOT the first thing you do because you CAN'T, because you just lost the very thing you'd use to CALL It
You do realise that every call that you receive on your phone comes from phones that are not your phone right?
So if you don't have anything else capable of making phone calls without your (now hypothetically lost) phone, I'm not sure how you would even CALL it if you wanted to.
"Hey friend/relative/co-worker/random person/etc... " ... get the picture?
Re: (Score:2)
All security in an information-providing device that can be physically stolen, is "tacked on". Quite simply because there IS NO security measure that is proof against physical access to the device.
What you are referring to is a deliberate design decision to poke a hole in their security model to provide access to contact information when a call is received. It has nothing to do with the model, and everything to do with how the model is being used.
Ease of access is a legitimate factor in good design, and m
Nostalgia from the department line! (Score:2)
https://www.youtube.com/watch?... [youtube.com]
What happens on iPhone starts on iPhone.... (Score:2)
Re: What happens on iPhone starts on iPhone.... (Score:2)
Well, here's your answer. (Score:2)
Time for a lesson... (Score:2)
The researcher should remind Apple about the C.I.A. triad (confidentiality, integrity, availability) and then ask them which one of the following was broken?