DS Forums

 
 

iPhone 4s Security vulnerability


25-10-2011, 21:05
*Joe*
Forum Member
 
Join Date: Apr 2003
Location: Coventry
Posts: 3,007

I did search and couldn't find a thread on this. Those of you who have an iPhone 4s might want to change your default security settings.

If you normally have a passcode set on your iPhone, you can still activate Siri to send text, emails etc... even when your phone is locked, and without having to enter your passcode.

http://www.youtube.com/watch?v=aS2u6ulzdsI

Am surprised this hasn't been mentioned before. Worth watching out for.

25-10-2011, 22:28
davethorp
Forum Member
 
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
It's not really a security vulnerability, especially as there is a handy option to turn Siri off if the passcode lock is set in the passcode lock settings. Possibly the only issue is that this option probably should default to off, though I'm sure that may come in iOS 5.0.1.

Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone.

26-10-2011, 10:09
*Joe*
Forum Member
 
Join Date: Apr 2003
Location: Coventry
Posts: 3,007
> Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone.

I would say that being able to send SMS and emails from a locked phone is quite a big vulnerability, especially for corporate users. It defeats the purpose of locking the phone!

26-10-2011, 10:41
Roush
Forum Member
 
Join Date: Mar 2011
Location: Hertfordshire
Posts: 2,937
There's an option to disable Siri when the phone is passcode locked, so what's the problem?

Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.

26-10-2011, 10:57
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> There's an option to disable Siri when the phone is passcode locked, so what's the problem?
>
> Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.

it's the fact that the default is on. if you think that this issue is a potential security threat then surely you can see that the default position is pertinent.

as in that mitigating it requires someone to read about it on a forum like this and then make a judgement as to whether they want to disable it on security grounds rather than allow it on functionality grounds. generally you start with all the security features enabled and allow the user to make an informed choice about disabling them.

I'm sure this will be changed though.

26-10-2011, 11:05
*Joe*
Forum Member
 
Join Date: Apr 2003
Location: Coventry
Posts: 3,007
> There's an option to disable Siri when the phone is passcode locked, so what's the problem?
>
> Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.

Did you know it was a problem until you read this thread?? Possibly not, therefore would you have gone out of your way to change the default setting to off? - That is why it is a problem.

How many users would change it from the default setting - none probably unless they were made aware of it, hence the reason for me starting this thread.

26-10-2011, 11:48
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
OP, you need to use the right terminology; it's NOT a security vulnerability. There is an option to turn on or off a pin; would you say having it turned off means there is a security vulnerability in iOS? Of course not.

It's something the user should be aware of, but it's absolutely not a security vulnerability.

26-10-2011, 12:13
davethorp
Forum Member
 
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
> I would say that being able to send SMS and emails from a locked phone is quite a big vulnerability, especially for corporate users. It defeats the purpose of locking the phone!

As I and others have mentioned, the ability to use Siri from a locked phone can very easily be turned off, so it's not a security vulnerability but a feature. You'll be claiming the fact that passcode lock is not enabled by default is a security vulnerability next.

Edit: didn't read all replies to this thread before beginning this reply, so missed Thine Wonk making the exact same point.

26-10-2011, 12:46
psionic
Forum Member
 
Join Date: May 2002
Location: Crystal Palace TX
Posts: 19,702
There's a few bugs which Apple need to address urgently in iOS 5. Apparently you can bypass the lock screen on the iPad 2 by deft handling of the magnetic smart cover.

26-10-2011, 12:53
ACU
Forum Member
 
Join Date: Aug 2009
Posts: 7,916
I can see how the OP can class it as a security flaw. However, I think it's just a cock up... a pretty major one at that. Mainly because the vast majority of Apple users won't mess around with the settings. However, it is something that can easily be fixed with an update.

26-10-2011, 12:58
IslandNiles
Forum Member
 
Join Date: Apr 2005
Posts: 13,091
Remember that passcode lock is not enabled by default. To switch it on, you have to go to the very screen that contains the other options relating to passcode lock, presumably including the Siri option.

26-10-2011, 13:02
Stiggles
Forum Member
 
Join Date: Jan 2011
Location: Dundee, Scotland
Posts: 9,292
> As I and others have mentioned, the ability to use Siri from a locked phone can very easily be turned off, so it's not a security vulnerability but a feature. You'll be claiming the fact that passcode lock is not enabled by default is a security vulnerability next.
>
> Edit: didn't read all replies to this thread before beginning this reply, so missed Thine Wonk making the exact same point.

When this happened with Windows Vista it was seen as a security issue. This is no different.

26-10-2011, 13:04
Inkblot
Forum Member
 
Join Date: Dec 2001
Location: West London
Posts: 24,308
If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?

26-10-2011, 13:24
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?

you've not got your apple head on.

26-10-2011, 14:09
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

Seeing as the pin on the phone is optional, and seeing as there is the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability.

It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access.

The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.

I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!

26-10-2011, 15:43
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> IETF RFC 2828 defines vulnerability as:
> A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
>
> Seeing as the pin on the phone is optional, and seeing as there is the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability.
>
> It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access.
>
> The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.
>
> I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!

that is a somewhat contrived explanation. if windows shipped with DEP, ASLR, firewall, UAC and driver signing all switched off by default you could equally well apply your arguments and definitions to that not being a vulnerability, it's a security feature that is not implemented by default.

and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....

26-10-2011, 15:44
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 25,199
How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?

26-10-2011, 15:50
IslandNiles
Forum Member
 
Join Date: Apr 2005
Posts: 13,091
> that is a somewhat contrived explanation. if windows shipped with DEP, ASLR, firewall, UAC and driver signing all switched off by default you could equally well apply your arguments and definitions to that not being a vulnerability, it's a security feature that is not implemented by default.
>
> and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....

A reasonable point, but your logic seems to suggest that you would want passcode lock enabled by default.

> How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?

The simple answer to your question is yes, you could do that.

To explain in slightly more detail though, the passcode lock feature is not enabled by default. To enable it, you have to go into a screen which also has options for whether Siri (voice control on older phones) will be available whilst the screen is locked. The default position is on. This isn't new with the 4S, but of course Siri allows you to control much more of the phone than the old voice control did.

26-10-2011, 19:18
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
> A reasonable point, but your logic seems to suggest that you would want passcode lock enabled by default.

Exactly, a passcode lock is something that doesn't come on Android by default, and that a lot of people don't want. It's not a security vulnerability not to have it on, it's an optional feature, as are Siri commands on the lock screen.

26-10-2011, 21:09
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: the wild world web
Posts: 28,132
I thought it only goes to the last used APP which says it's a bug.

Not quite intuitive.

26-10-2011, 22:29
davethorp
Forum Member
 
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
> I thought it only goes to the last used APP which says it's a bug.
>
> Not quite intuitive.

Think that's the smart cover glitch on iPad 2

27-10-2011, 01:33
psionic
Forum Member
 
Join Date: May 2002
Location: Crystal Palace TX
Posts: 19,702
> Think that's the smart cover glitch on iPad 2

Yep. Think iOS 5.01 will be coming soon.
http://9to5mac.com/2011/10/20/anyone...o-your-ipad-2/

27-10-2011, 08:05
Smerph
Forum Member
 
Join Date: Mar 2005
Posts: 2,849
Default security settings? Erm no.

Firstly, Siri isn't enabled by default.
Secondly, Siri won't appear on the password lock screen unless you enable it.

27-10-2011, 10:06
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> Exactly, a passcode lock is something that doesn't come on Android by default, and that a lot of people don't want. It's not a security vulnerability not to have it on, it's an optional feature, as are Siri commands on the lock screen.

it's funny trying to explain things around the jobsian logic.

the issue is that if someone enables pin it should not be beholden to them to riddle that siri will enable a bypass. a simple on-screen prompt or changing of the default options would be fine.

27-10-2011, 11:36
Rich2k
Forum Member
 
Join Date: Jul 2000
Location: UK
Posts: 3,000
> Default security settings? Erm no.
>
> Firstly, Siri isn't enabled by default.
> Secondly, Siri won't appear on the password lock screen unless you enable it.

Exactly and...

Thirdly iOS doesn't have a passcode lock enabled by default either.

All times are GMT.