Apple: "Yes, we've heard of it."
A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode. A chap called Jose Rodriguez has posted a YouTube video demonstrating the design blunder, which exploits Siri to access information on the handset from the PIN unlock screen. …
Add to that... "We're using the Microsoft model of testing. Our customers do it for us."
Strange how complicated the world is, that nobody is able to write software without security bugs.
PH for title.
not who writes it.
The more complex you make an OS, the more likely it is that one of the contributors will screw up something. Unfortunately, they mostly don't keep good records of previous gaffes and rarely let the same person(s) do the same work on the new OS. THAT at least would make it difficult to forget "lessons learned". Changing people around like musical chairs doesn't help. "Multi-tasking" is only beneficial for the HR department not anyone else.
And the funny thing is, this same shit happens with Apple, Microsoft, Linux greybeards, Google, etc, etc.
Argh!! Common Sense!! Get the pitchforks and torches!! ;)
Mind.... It *is* a bit ..silly.. that the security of the primary user entry point to [fruity device x] hasn't been triple-checked, followed up by some devious-mind "would it stand up against this?" attempts. Just to be sure.
With complexity as it is, people have come to expect some ratholes in the dusty corners, but to bodge the lock on the front door? Now that's a serious Gaffe.
This sort of bug seems to creep in with every other version.
Anyone remember the "Emergency Pizza" option? Where on the PIN screen you couldn't just dial 911, but any telephone number...
Or 112 for everybody outside of America. ;-)
"not who writes it" [Citation needed]
Not being able to write complex software that is completely free of obscure bugs is one thing; using what must be the equivalent of yellow "police line - do not cross" tape to "block" a front gate instead of an actual proper door and lock is just ludicrous and predictably results in all the headaches you can expect from such a rinky-dink solution. And no, it doesn't get any more excusable because most of the usual suspects idiots seem to be doing it. It just highlights that NO ONE actually gives a damn about any level of security (except the hackers, natch).
you make an OS, the more likely it is that one of the contributors will screw up something.
Yes, in an old-fashioned monolithic design, but all you bright young things spent ages after coming off your CS degree courses explaining loudly and slowly to us old-timers that the new, ultra-modularized world of OO design would make that a thing of the past because each class would be small, simple and easy to test (and presumably regression test, though I never saw that mentioned in print).
I guess a poor workman still blames his/her tools, even when they have bright'n'shiny new names.
Ah, the good olde fashioned Nokia 3310 could come out of retirement soon.
At least Nokia was reliable and secure in its day.
Android and iOS both seem to be shite at security nowadays.
At least on Android you don't get to look at photos when you bring up your camera app. It politely asks you to enter your pin or swipe pattern to unlock.
Similar with iOS. (when it's working correctly!) You only get to use the camera when locked if the owner has enabled it, and when using the camera while locked, you only get to review the pictures you just took, not any already on the device.
No, you just need to enter a really long password and then you can bypass the lock screen ENTIRELY and have access to everything! At least Apple users will have a fix for this bug in a few weeks at most. How long will you have to wait for the lock screen bug to be fixed on your phone? Assuming you ever get a firmware update for it?
Oh wait, just read below that iOS 9.0.1 is already out and fixes it today. Pretty funny to see Android users slinging arrows at iPhone users over security, since we don't have to wait months or forever for fixes!
I have to admit that this is where Apple's model comes into its own. How many devices can run iOS 9, and therefore need testing, compared to Android? Google can't test them all, so it's down to the manufacturers - they get android for free, after all. The flip side of that is that there's no dodging the blame here by Apple.
Exactly! Apple will issue a fix and 100% of devices with hardware capable of running iOS9 and/or with iOS 9 can be upgraded within a matter of days.
Pity about android.
That's weird... My friend's iPhone has iOS 9.0.1 on it and I've just managed to post a status to her Facebook account using this bug. Fixed it is not.
If you are entering your pin incorrectly and then asking Siri to tell you the time, you are obviously doing it wrong. Just don't do those things and your device won't be vulnerable....
Getting a bit tedious.
Can't think of anything original to say?
Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?
"Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?"
In which case, the correct quip should be "Avoid entering the wrong PIN".
Freetards: Here's how to use adverbs.
Siri took our coin
Have Apple just pushed out a silent patch?
About an hour ago I was able to exploit the flaw as described in the article. Now when I select Message or Mail etc. in the share screen (previously allowing me to enter that App and subsequently see the photos and contacts etc.) the phone bounces me straight to a screen asking for Touch ID or Passcode.
Looks like some regression.
There used to be a bug that let you browse photos after pulling up the camera, without unlocking the phone. Many years ago.
and trying the home button pin bypass did not work.
If this does indeed fix the bug, then it looks like it took them several hours to do so. No doubt everyone will still harp on endlessly about it.
(Not an apple fan particularly, just amused at the tedious name-calling.)
No, half of them will harp on and on about how it's not important because it was patched quickly.
(Not an apple hater particularly, just amused by the tedious excuses.)
Bugs like these can't be found by chance... Anyone releasing the trick to the public is being paid by competitors or a competitor employee to do it on purpose. Someone had illegal access to the iOS source code and undisclosed list of known errata..
Or maybe, just maybe, someone's passing on the access tricks to the public that Apple passed to certain agencies?
No, they probably can't be found by chance. They can, however, be found by someone with a lot of time on their hands and the willingness to try a huge number of random prods at the system to see if it has any holes, in exchange for some momentary fame on the intarwebs. Such people do exist: 35 years ago they were pressing random buttons on calculators to get them into funny and interesting states and solving Rubik's cubes, today they poke at phones. I think doing interesting things to calculators and cubes was, well, more interesting, sadly.
And presumably no-one gets struck by lightning by chance either. Anyone struck by lightning must be being paid by lightning competitors or doing it on purpose. Someone had heretical access to God's Great Weather Plan and stood in a spot where they knew they would get struck.
Funny thing about chance... of the "1 in a XXXX" expression of probability, that "1" is a dead certainty... on that one occasion.
And in the case of a repeatable phenomenon, you only need be aware of what's happening on that 1 time and then you can repeat it without running into those pesky odds each time.
...happen 9 times out of 10
(with apologies to the late, great Sir Terry Pratchett)
Like Eadon for Apple instead of linux. DFTT.
How did they figure out that sequence would unlock the phone?
Got too much time on their hands some people
No, they didn't have the time. They had to ask Siri for it. That's how they found the bug.
Hey, Siri, tell me about all the bugs...
The more complex the product....
The longer it takes to write...
And to fix...
The longer it takes to get to market....
Marketing and Sales can't wait to do it properly so....
PHBs step in and demand a release ASAP before the devs can test it thoroughly and *BINGO* there you have an utterly ridiculous and avoidable security risk!
Which in turn ensures that bad press means the marketing dept gets to do double shifts stamping out the fires, 'cos as we all know marketing depts are always the boil on the bum of any company, have neither scruples nor morals!
Locked should really mean locked - not some sort of reduced functionality mode.
Locked with lots of access to "important" stuff e.g. music controls should be a separate state entirely.
The Apple fans should quietly accept the abuse they now receive. It's not so easy once you start to pump some real volume is it?
Just go ahead and say it fanbois: "We were loudmouthed twits when MSFT had a problem and now we will silently suffer our just returns."
Or MSFT fanbois like you could rise above it and claim the moral high ground instead of being vindictive little pricks.
The phone is being unlocked when he hit the home button, his finger has registered on the phone and recognised (unlocking the phone), try this technique using a finger that has not been registered by the phone, it won't work... this video is a fraud.