Old May 5, 2014, 09:28 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted [Updated]




Apple states that it uses data encryption to protect email message attachments, but a report from security researcher Andreas Kurtz, via ZDNet, claims iOS 7.0.4 and later does not include this security feature.

Kurtz detected this flaw in iOS by accessing the file system on an iPhone 4 running iOS 7.1 and 7.1.1. Browsing through the email folder for an IMAP account, Kurtz discovered that the email attachments were stored in an unencrypted state. Besides the iPhone 4, Kurtz also was able to reproduce this vulnerability on an iPhone 5s and an iPad 2 running iOS 7.0.4.
Quote:
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
Kurtz reported this issue to Apple, which acknowledged the flaw, but provided no timetable for patching it. This isn't the first security issue Apple has faced this year. The company recently patched a serious SSL connection verification flaw in both iOS and OS X that allowed an attacker with a "privileged network position" to capture data protected by SSL/TLS.

Update 3:11 PM PT: In a statement given to iMore, an Apple spokesperson said the company is working on a fix for the issue.
Quote:
"We're aware of the issue," an Apple spokeswoman told iMore, "and are working on a fix which we will deliver in a future software update."
Article Link: iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted [Updated]
MacRumors is offline   0 Reply With Quote
Old May 5, 2014, 09:31 AM   #2
ouimetnick
macrumors 68020
 
 
Join Date: Aug 2008
Location: Beverly, Massachusetts
So iOS versions 7.0.3 and below encrypted attachments? Why would they drop that feature?
__________________
ACMT
MacBook Pro 13" (Mid 2010) 2.4GHz C2D, 4GB RAM, 750GB HD; Mac Pro Mid 2007; various MacBooks; Power Mac G5; iPhone 4s; iPhone 5s
ouimetnick is offline   11 Reply With Quote
Old May 5, 2014, 09:32 AM   #3
yjchua95
macrumors 68040
 
Join Date: Apr 2011
Location: Queenstown, NZ and Melbourne, VIC, Australia (current location)
I predict that an NSA agent working for Apple will bang his head on his table, while thinking: "How many more loopholes that I inserted will be discovered by the public?"
__________________
2 13" late-2013 rMBPs (base+maxed), maxed late-2013 rMBP 15", maxed early-2011 15", 2010 17", 2 maxed Haswell iMacs (21.5" and 27"), maxed 2012 mini, 2 12-core nMPs, maxed 2013 13" MBA
yjchua95 is offline   25 Reply With Quote
Old May 5, 2014, 09:33 AM   #4
DipDog3
macrumors 6502a
 
 
Join Date: Sep 2002
 
Quote:
Originally Posted by ouimetnick View Post
So iOS versions 7.0.3 and below encrypted attachments? Why would they drop that feature?
Apple's new motto:
If things aren't broken, fix them till they're broken.
__________________

Interactive Phone - Try out the new Virtual iPhone 5s (Download Code @ RedRome.com)
DipDog3 is offline   28 Reply With Quote
Old May 5, 2014, 09:37 AM   #5
H2SO4
macrumors 65816
 
Join Date: Nov 2008
One of Apple's biggest problems is that they remain schtum.
People want some acknowledgement and feedback, this along with the regular changing of OS versions will prevent them from ever being the major force in enterprise.
__________________
MP1,1. 30"ACD. 11GB
H2SO4 is offline   6 Reply With Quote
Old May 5, 2014, 09:41 AM   #6
Lennholm
macrumors 6502a
 
Join Date: Sep 2010
Another opportunity to force users to upgrade to iOS 7?
Lennholm is offline   3 Reply With Quote
Old May 5, 2014, 09:42 AM   #7
marvz
macrumors 6502a
 
 
Join Date: Aug 2012
Location: Berlin
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11"
__________________
Apple 
marvz is offline   34 Reply With Quote
Old May 5, 2014, 09:43 AM   #8
GeneralChang
macrumors 6502
 
Join Date: Dec 2013
Every time someone says “This consumer electronic device isn’t secure for (x) reason!” and then follows it up with a description that pretty much requires direct hardware access, I have to wonder. How easy do you think it is to steal stuff in my pockets?
GeneralChang is offline   19 Reply With Quote
Old May 5, 2014, 09:44 AM   #9
MyopicPaideia
macrumors 6502a
 
 
Join Date: Mar 2011
Location: Trollhättan, Sweden
Really disappointing.

So 7.1.2 will have to come out to reinsert security code, something that was accidentally removed in 7.0.3?

Not especially reassuring - lots of security problems of late.
__________________
|2010 1TB 16GB RAM 2.66GHz C2D Mac Mini Server|2011 11" 256GB SSD 4GB RAM 1.8GHz dual core i7 Macbook Air|
|128GB Silver LTE iPad Air 2|128GB Silver iPhone 6+|2TB Airport Time Capsule|ATV2|ATV3|
MyopicPaideia is offline   3 Reply With Quote
Old May 5, 2014, 09:45 AM   #10
spazzcat
macrumors 68000
 
 
Join Date: Jun 2007
When you email an attachment it's not encrypted.
spazzcat is offline   24 Reply With Quote
Old May 5, 2014, 09:46 AM   #11
Rogifan
macrumors G3
 
 
Join Date: Nov 2011
Quote:
Originally Posted by marvz View Post
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11"
Good click bait.
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   5 Reply With Quote
Old May 5, 2014, 09:49 AM   #12
MyopicPaideia
macrumors 6502a
 
 
Join Date: Mar 2011
Location: Trollhättan, Sweden
Quote:
Originally Posted by marvz View Post
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11"
Hmmm...pretty sure he only used that method to verify the weakness was real. My thinking is that anyone capable of accessing your phone remotely (via the SSL weakness that was recently fixed, for example) could have exploited this weakness as well had it been present.

Very happy to be proven wrong by someone with creditable knowledge of the subject?
__________________
|2010 1TB 16GB RAM 2.66GHz C2D Mac Mini Server|2011 11" 256GB SSD 4GB RAM 1.8GHz dual core i7 Macbook Air|
|128GB Silver LTE iPad Air 2|128GB Silver iPhone 6+|2TB Airport Time Capsule|ATV2|ATV3|
MyopicPaideia is offline   3 Reply With Quote
Old May 5, 2014, 09:55 AM   #13
556fmjoe
macrumors 6502a
 
Join Date: Apr 2014
Quote:
Originally Posted by GeneralChang View Post
Every time someone says “This consumer electronic device isn’t secure for (x) reason!” and then follows it up with a description that pretty much requires direct hardware access, I have to wonder. How easy do you think it is to steal stuff in my pockets?
Not very hard when there's a gun or knife pointed at your face. Although, most criminals would just try to sell it, so they probably won't be trying to view your emails.

However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

Apple needs to fix this.
__________________
12" PowerBook G4, running OpenBSD -current
13" 2011 MacBookPro i7, back on Arch Linux
556fmjoe is online now   6 Reply With Quote
Old May 5, 2014, 09:55 AM   #14
jrswizzle
macrumors 603
 
 
Join Date: Aug 2012
Location: McKinney, TX
Quote:
Originally Posted by MyopicPaideia View Post
Hmmm...pretty sure he only used that method to verify the weakness was real. My thinking is that anyone capable of accessing your phone remotely (via the SSL weakness that was recently fixed, for example) could have exploited this weakness as well had it been present.

Very happy to be proven wrong by someone with creditable knowledge of the subject?
But even that was a tough sell - one had to be within your vicinity and had to be connected to the same network as you were.

Point being, public wireless networks are often not the best place to do online banking and such. That's the case for everyone - not just Apple.

Moral of the story - if someone has the know-how and determination, no matter of security patches and software will keep them out. For 99.9999% of iPhone users, it's a secure device.

Maybe this would affect Apple's contract with government workers....I don't know.

Still - to have to be able to have access to the file system on the iPhone (either physically possessing it or remotely) seems like a relatively difficult task in and of itself.
__________________
Nexus 5 | iPhone 6+, 6, 5S, 2G | Lumia 635 | iPad Air | Kindle Fire 7" HDX
"Innovation, my ass!" -Phil Schiller
jrswizzle is offline   2 Reply With Quote
Old May 5, 2014, 09:56 AM   #15
00sjsl
macrumors member
 
Join Date: Jul 2011
Location: UK
I'm not sure why there would be encryption specific to emails / attachments. I always assumed that it would have whole disk encryption or none at all.
00sjsl is offline   1 Reply With Quote
Old May 5, 2014, 09:58 AM   #16
jrswizzle
macrumors 603
 
 
Join Date: Aug 2012
Location: McKinney, TX
Quote:
Originally Posted by 556fmjoe View Post
Not very hard when there's a gun or knife pointed at your face. Although, most criminals would just try to sell it, so they probably won't be trying to view your emails.
So added security patches will fix you not giving up information at gun/knife point? I'm pretty sure they could just ASK you what they wanted to know without having you give up your phone so they can hack it....

Quote:
However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

Apple needs to fix this.
I agree Apple needs to fix it - and they always do. But to blow this out of proportion as some massive issue we all should be afraid of is propaganda. The people with the means and know-how are going to do what they want to do. Fortunately, this doesn't affect the VAST majority of iPhone users.
__________________
Nexus 5 | iPhone 6+, 6, 5S, 2G | Lumia 635 | iPad Air | Kindle Fire 7" HDX
"Innovation, my ass!" -Phil Schiller
jrswizzle is offline   5 Reply With Quote
Old May 5, 2014, 09:59 AM   #17
TEG
macrumors 604
 
 
Join Date: Jan 2002
Location: Langley, Washington
Meh.

I don't see where this is a big deal. They aren't encrypted on your computer either, and it is much more difficult to hack into a phone for the average person than a computer.
__________________
Apple and Dell are the only ones in this industry making money. They make it by being Wal-Mart. We make it by innovation, - Steve Jobs
The Tegian Zone-Glass Onion Radio
TEG is offline   7 Reply With Quote
Old May 5, 2014, 09:59 AM   #18
Oletros
macrumors 603
 
 
Join Date: Jul 2009
Location: Premià de Mar
Bugs happen
__________________
There are four kinds of lies: Lies, damned lies, statistics, and analyst projections.
Oletros is offline   2 Reply With Quote
Old May 5, 2014, 09:59 AM   #19
stuffradio
macrumors 6502a
 
Join Date: Mar 2009
Quote:
Originally Posted by ouimetnick View Post
So iOS versions 7.0.3 and below encrypted attachments? Why would they drop that feature?
Don't question Apple. They know what's best for your emails!
stuffradio is offline   1 Reply With Quote
Old May 5, 2014, 10:00 AM   #20
SmileyDude
macrumors regular
 
Join Date: Jul 2002
Location: MA
Quote:
Originally Posted by spazzcat View Post
When you email an attachment it's not encrypted.
This is a huge point that is being ignored. Sure, it would probably be marginally better if attachments are encrypted on the device, but it was transmitted over an insecure channel to begin with.

Another point missed -- on iOS, the entire filesystem is encrypted and can't be accessed if there is a pincode or fingerprint securing the device. In this case, the files are unencrypted on the filesystem, but the front door to the house was left unlocked.

For average users, the filesystem encryption is more than enough security. This is just nitpicking now.
__________________
dennis
SmileyDude is offline   6 Reply With Quote
Old May 5, 2014, 10:03 AM   #21
itickings
macrumors 6502a
 
 
Join Date: Apr 2007
Quote:
Originally Posted by marvz View Post
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11"
They also need your passcode in order to access the file system...

Quote:
Originally Posted by Aluminum213 View Post
It just works
Well, it actually does. It is just that some people can't read properly and assume that it works in another way than it says.
__________________
Rawr!
itickings is offline   2 Reply With Quote
Old May 5, 2014, 10:03 AM   #22
HenryDJP
macrumors 68030
 
Join Date: Nov 2012
Location: United States
Quote:
Originally Posted by stuffradio View Post
Don't question Apple. They know what's best for your emails!
You're also ignoring the fact that unless you're working in an enterprise environment where they have the software tools to encrypt emails the majority of people send attachments that are not encrypted. Thanks for that "comical" post.
HenryDJP is offline   3 Reply With Quote
Old May 5, 2014, 10:04 AM   #23
The Doctor11
macrumors 68030
 
 
Join Date: Dec 2013
Location: USA
And the number of attachments in my box is...0
__________________
iPhone 6, iPad 3rd gen, Apple TV, Airport Express
Ebola?! Kiss your ass good bye!!!
Please subscribe to me on YouTube
The Doctor11 is offline   0 Reply With Quote
Old May 5, 2014, 10:06 AM   #24
BruiserB
macrumors 6502a
 
Join Date: Aug 2008
I agree this shouldn't be blown out of proportion. The likelihood of an individual being affected is low.

With that being said, I'm guessing it's not just the physical phone that would be vulnerable....wouldn't backup files either on a PC/Mac or in iCloud also have the same unencrypted attachment issue? Or is the whole backup file encrypted again as it is archived?
BruiserB is online now   1 Reply With Quote
Old May 5, 2014, 10:07 AM   #25
Traverse
macrumors 68000
 
 
Join Date: Mar 2013
Location: Here
I wonder if this vulnerability is present in OSX...
Traverse is offline   1 Reply With Quote

All times are GMT -5. The time now is 08:15 AM.