Lesson 1: Do not report security vulnerabilities during beta testing...
then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period.
Apple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware. Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without …
Do not update your Apple device for at least 6 months after the release of a new version
This is to allow the most egregious and trivial security failures to be addressed, and the software you rely on to be fixed after Apple have once again destroyed it.
Well... considering this has been working for a long time, I do not really think that older devices are not affected (or maybe I misread the text - too early, need more tea to wake up).
The actual lesson is: Do not buy version N.0 of any product. Wait for N.1 or N.2 at least. (though I guess all of ElReg's audience tries to live by that unless $(CORPORATE) decides otherwise - and even then we try to game for more time)
I know of several people who store passwords in their contact lists. Anything from Facebook and Gmail to the PIN-code for their rately used credit card.
Yep it is a stupid idea and they should use a proper password manager, but changing habits from what you did back in the Nokia days is hard.
>I know of several people who store passwords in their contact lists.
>Yep it is a stupid idea and they should use a proper password manager
Not really stupid in concept, in the past I've stored allsorts of stuff in my contacts, such as the key code for the car park at my local sports ground...
However, back in the real world...
I suspect what many people don't realise is just how many app's - explicitly on Android (but probably also on iOS) want to access/browse your contacts ie. look at all information contained in your contacts list. Think about that for a moment, an app looking through all your contacts nicknames etc.
I suspect however, what is required is a combined contacts and passwords manager, with a 'public'contact view and a confidential information view.
Don't do this. It's a very low level of steganography and also "security by obscurity".
Let's say your PIN is 1234. You could create a fake account and store the digits in last 4 numbers with 1 padding number at the end (i.e. 07500 000012340). I used zero padding here, of course you want random numbers and a number that matches your country.
With n contacts and 5 possible position to place the PIN within the number the attacker had to try about n*5 possible solutions. This is not a big key space. But the attacker can narrow it down by just calling the contacts on the list and immediately hang up when someone picks up the phone.
So lets assume you have 5 numbers left because you stored 5 PIN in there. According to our formula this is 5*5 = 25 possible keys. Lets also assume your account locks up after 3 wrong attempts. The attacker could try 2 keys in one session and then stop for 7 days, assuming you will log-in during those days and the log-in counter gets resetted to 0.
So the worst case scenario here is 13 attempts (2 keys in one attempt) with 13 * 7 = 91 days until he found the PIN. This is totally acceptable for an attacker. Of course you have to get the contacts first, but that's not that hard as the article has shown. BOOM! Key unlocked.
"Seems to me it makes it easier for the police. Nice back door to see who you contact"
P.C. poking through my phone (if I had one): "Mr. John, you *REALLY* have absolutely *NOTHING* in your Contacts list? What are you trying to hide? "
Not every access method makes things *easier* for them. :)
Surely this is the very definition of "it's a feature - not a bug."
It might not be the most sensible of features, but Apple have allowed you to pick what you can do from the lock screen for ages now. Whether that's allowing access to the camera before unlocking to allowing Siri - which presumably then has full roam of the phone and the ability to send emails / texts, make calls, get addresses or check your calendar. All without the requirement for a password.
So I'd call it dodgy design, but not a bug, as it's clearly deliberate. Being Apple of course, it's always on by default with the off switch hidden somewhere. Although they're not exactly the only people guilty of doing that.
Have been house-sitting for my Mum this week, and so went to turn on Bluetooth on my iPad (a feature I probably use once a year then turn off). But Apple had magically turned it on again for me. Also had to unplug her Samsung TV which really, really, really wants to pair with everything Bluetooth. To the extent that even after you've paired with it and disconnected it, it still constantly bothers the Bluetooth interface for a connection, causing break-up of the audio on the one you've got. Though that could partly be an Apple bug too - as no two manufacturers implementations of Bluetooth ever seem to match...
Biting the hand that feeds IT © 1998–2020