Snoops can bypass iOS 13 lock screen to eyeball your address book. Apple hasn't fixed it yet. Valid flaw? You decide

Apple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware. Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without …

  1. Roland6 Silver badge
    FAIL

    Lesson 1: Do not report security vulnerabilities during beta testing...

    then Apple retracted, apologized and told me that it was not allowed to thank me by giving gifts for security reports during the beta period.

    1. Richard 12 Silver badge

      Re: Lesson 1: Do not report security vulnerabilities during beta testing...

      Lesson 2:

      Do not update your Apple device for at least 6 months after the release of a new version

      This is to allow the most egregious and trivial security failures to be addressed, and the software you rely on to be fixed after Apple have once again destroyed it.

      1. Joe W Silver badge

        Re: Lesson 1: Do not report security vulnerabilities during beta testing...

        Well... considering this has been working for a long time, I do not really think that older devices are not affected (or maybe I misread the text - too early, need more tea to wake up).

        The actual lesson is: Do not buy version N.0 of any product. Wait for N.1 or N.2 at least. (though I guess all of ElReg's audience tries to live by that unless $(CORPORATE) decides otherwise - and even then we try to game for more time)

        1. Benson's Cycle

          Re: Lesson 1: Do not report security vulnerabilities during beta testing...

          Either version 4.2 or 3.11 depending which world you inhabit, I think.

    2. oiseau Silver badge
      Facepalm

      Re: Lesson 1: Do not report security vulnerabilities during beta testing...

      It's really Lesson 101:

      Do not buy or use Apple's expensive crap devices.

      Ever.

      O.

    3. Anonymous Coward

      Re: Lesson 1: Do not report security vulnerabilities during beta testing...

      Only if lesson 0 is don't do any work at all without a guarantee of payment beforehand.

      Or is that too old-skool ?

  2. storner
    Unhappy

    Low risk - hmm ...

    I know of several people who store passwords in their contact lists. Anything from Facebook and Gmail to the PIN code for their rarely used credit card.

    Yep, it is a stupid idea and they should use a proper password manager, but changing habits from what you did back in the Nokia days is hard.

    1. Roland6 Silver badge

      Re: Low risk - hmm ...

      >I know of several people who store passwords in their contact lists.

      >Yep it is a stupid idea and they should use a proper password manager

      Not really stupid in concept; in the past I've stored all sorts of stuff in my contacts, such as the key code for the car park at my local sports ground...

      However, back in the real world...

      I suspect what many people don't realise is just how many apps - explicitly on Android (but probably also on iOS) - want to access/browse your contacts, i.e. look at all information contained in your contacts list. Think about that for a moment: an app looking through all your contacts' nicknames etc.

      I suspect, however, that what is required is a combined contacts and passwords manager, with a 'public' contact view and a confidential information view.

      1. Roland6 Silver badge

        Re: Low risk - hmm ...

        An additional place for personal data leakage is the use of "connect using Google/LinkedIn/Facebook" to gain access to some sites' content. These naturally want to browse your contacts/address book...

    2. sum_of_squares Bronze badge
      Alert

      Re: Low risk - hmm ...

      Don't do this. It's a very low level of steganography and also "security by obscurity".

      Let's say your PIN is 1234. You could create a fake account and store the digits as the last 4 numbers with 1 padding number at the end (i.e. 07500 000012340). I used zero padding here; of course you want random numbers and a number that matches your country.

      With n contacts and 5 possible positions to place the PIN within the number, the attacker has to try about n*5 possible solutions. This is not a big key space. But the attacker can narrow it down by just calling the contacts on the list and immediately hanging up when someone picks up the phone.

      So let's assume you have 5 numbers left because you stored 5 PINs in there. According to our formula this is 5*5 = 25 possible keys. Let's also assume your account locks up after 3 wrong attempts. The attacker could try 2 keys in one session and then stop for 7 days, assuming you will log in during those days and the log-in counter gets reset to 0.

      So the worst case scenario here is 13 attempts (2 keys in one attempt) with 13 * 7 = 91 days until he finds the PIN. This is totally acceptable for an attacker. Of course you have to get the contacts first, but that's not that hard, as the article has shown. BOOM! Key unlocked.
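The comment above reasons about how a lockout policy that resets its failure counter on a schedule hands a guesser a fresh budget every window. The following is an added worked model, not code from the commenter or from The Register, written from the account owner's side: it takes a candidate-set size and a lockout policy and reports the worst-case exposure, so the effect of a policy choice (reset on a timer versus no automatic reset) can be compared. It assumes the guesser stops one attempt short of the lockout threshold in each window, and that `reset_days` is the interval after which the counter is expected to be cleared (both assumptions are labelled in the code; the 25 candidates, 3-strike lockout and 7-day reset are the comment's own figures).

```python
# Added example (not from the comment thread): model the worst-case guessing
# budget a lockout policy gives someone holding a short list of PIN candidates.
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int            # failed attempts that trigger a lock
    reset_days: Optional[int]    # days until the failure counter is cleared again
                                 # (assumption); None = cleared only by the owner
                                 # or a help desk, never on a timer


def guesses_per_window(policy: LockoutPolicy) -> int:
    # Assumption: a careful guesser stops one short of the threshold so the
    # account never actually locks and the owner sees nothing.
    return max(policy.max_failures - 1, 0)


def exposure(candidates: int, policy: LockoutPolicy) -> dict:
    """Worst-case exposure of an account whose PIN is one of `candidates` values.

    Returns how many guesses the policy permits in total, how many lockout
    windows that takes, how many calendar days elapse, and whether the whole
    candidate set can be exhausted.
    """
    per_window = guesses_per_window(policy)
    if per_window == 0:
        # A one-strike policy leaves no silent guesses at all.
        return {"guesses_possible": 0, "sessions": 0, "days": 0, "exhausted": False}
    if policy.reset_days is None:
        # No automatic reset: the first window is the only window.
        return {
            "guesses_possible": per_window,
            "sessions": 1,
            "days": 0,
            "exhausted": per_window >= candidates,
        }
    sessions = ceil(candidates / per_window)   # windows needed to cover the set
    return {
        "guesses_possible": sessions * per_window,
        "sessions": sessions,
        "days": sessions * policy.reset_days,  # elapsed time across all windows
        "exhausted": True,
    }


def compare_policies(candidates: int) -> dict:
    """Side-by-side exposure for the comment's policy and two stricter ones."""
    return {
        "reset_every_7_days": exposure(candidates, LockoutPolicy(3, 7)),
        "reset_every_30_days": exposure(candidates, LockoutPolicy(3, 30)),
        "no_automatic_reset": exposure(candidates, LockoutPolicy(3, None)),
    }


if __name__ == "__main__":
    # 25 candidates: the comment's 5 stored PINs x 5 positions.
    for name, result in compare_policies(25).items():
        print(f"{name:>20}: {result}")
```

With the comment's figures the 7-day reset policy reproduces its 13 sessions and 91 days; the same 3-strike threshold with no automatic reset allows exactly two silent guesses against the same 25 candidates, which is the point a defender should take from the thread: the threshold matters far less than what clears the counter.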

  3. Anonymous Coward

    If you can afford the Apple purchase price then you can afford a good lawyer.

    1. simonlb Silver badge

      Are the lawyer's costs bundled in with the phone on the 24-month contract?

  4. simonlb Silver badge
    Meh

    "allow access when locked"

    Whether it's a good or bad UI design decision isn't really the issue here. My concern is if it's enabled by default, as most users probably wouldn't know it's there and would prefer to decide for themselves whether to turn it on or not.

    1. Halfmad Silver badge

      Re: "allow access when locked"

      Still needs physical access to the device so personally I don't see this as a huge issue - still an issue though and would prefer it to have to be enabled.

      1. Benson's Cycle

        Re: "allow access when locked"

        Unfortunately criminals now know all about it, making life harder for the police.

        1. James Loughner

          Re: "allow access when locked"

          Seems to me it makes it easier for the police. Nice back door to see who you contact

          1. HelpfulJohn Bronze badge

            Re: "allow access when locked"

            "Seems to me it makes it easier for the police. Nice back door to see who you contact"

            P.C. poking through my phone (if I had one): "Mr. John, you *REALLY* have absolutely *NOTHING* in your Contacts list? What are you trying to hide? "

            Not every access method makes things *easier* for them. :)

    2. EnviableOne Silver badge

      Re: "allow access when locked"

      Another thing to try: walk up to your mate's locked iDevice and hit the Siri button, and ask it "Who am I?" or "What do I have to do this week?" and see the personal info spill.

      You can also turn this off, but like this it's enabled by default.

  5. I ain't Spartacus Gold badge

    Surely this is the very definition of "it's a feature - not a bug."

    It might not be the most sensible of features, but Apple have allowed you to pick what you can do from the lock screen for ages now. Whether that's allowing access to the camera before unlocking to allowing Siri - which presumably then has full roam of the phone and the ability to send emails / texts, make calls, get addresses or check your calendar. All without the requirement for a password.

    So I'd call it dodgy design, but not a bug, as it's clearly deliberate. Being Apple of course, it's always on by default with the off switch hidden somewhere. Although they're not exactly the only people guilty of doing that.

    Have been house-sitting for my Mum this week, and so went to turn on Bluetooth on my iPad (a feature I probably use once a year, then turn off). But Apple had magically turned it on again for me. Also had to unplug her Samsung TV, which really, really, really wants to pair with everything Bluetooth. To the extent that even after you've paired with it and disconnected it, it still constantly bothers the Bluetooth interface for a connection, causing break-up of the audio on the one you've got. Though that could partly be an Apple bug too - as no two manufacturers' implementations of Bluetooth ever seem to match...

    1. FrogsAndChips Silver badge

      Still, why would you change the "To:" when text-replying to a call? And if you really need that, surely you can afford the time to unlock your screen?

      1. David Nash

        Why?

        It's probably not that you would want to change the "To" field; rather, it just drops you into the standard text-sending dialog, where changing the "To" is a normal feature.

  6. Scroticus Canis
    Facepalm

    Just RTFM and this is apparent

    ... which is why I just turned it off. Why would you want a phone thief to be able to read and respond to your text messages?

  7. Hugh Jass.
    WTF?

    Apple, you done fucked up.

    Holy shit. If web browsing is possible with the exploit, then we're back in the iPhone 2G days.


Biting the hand that feeds IT © 1998–2020