If you have an iPad or an iPhone running iOS 7.1.1, then you should take note of a bug that allows an attacker with physical access to the phone to get access to your contacts even if the phone is locked. All they need is access to Siri on the lock screen.
Here’s a video that shows how to pull this off:
To protect yourself, disable Siri on the lock screen from the Settings menu. Now that’s not going to be practical if you use Siri in your car or something, but that is the only protection from this bug that’s available at the moment.
Now, there’s a second bug that’s way more serious. Apple states publicly that it uses data encryption to protect email message attachments. However, a researcher has discovered that this does not appear to be the case. Andreas Kurtz has delivered proof that iOS 7.0.4 and later does not include this security feature. Here’s what he told ZDNet:
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
He reported the bug to Apple and they claim to be working on a fix. Hopefully Apple is working on a fix for the lock screen bug as well. But these two examples show that Apple really needs to step up its game when it comes to security if it hopes to push the iPhone and other iOS devices into the enterprise, as major corporations will not stand for these sorts of security failures. And for the record, neither should consumers.
iOS Security Issues Make The News
Posted in Commentary with tags Apple, Security on May 7, 2014 by itnerd