AIM Messages Sent to Unlocked iPhones Routed to Unintended Recipients

[CharBroiled20s]

Stop breaking Apples & AT&T's Terms and Conditions by jailbreaking your phones and you wont have these problems.

Problem Solved.

OH PLEASE!

AT&T IS THE MICROSOFT OF THE CELL PHONE INDUSTRY - they're abusive with fees, their phone support personnel are perhaps the WORST "trained" I've ever encountered and their people's self-important condescending nature makes me think they hate their customers.

I say sprint to T-Mobile! (no pun intended) All those willing should JailBreak, Unlock and run screaming to T-Mobile!!! Their people are courteous, they treat you with respect and they work WITH you to resolve problems... to say nothing of the 40 dollar a month cheaper bill (feature for feature less 3G).

AT&T is piggish and monopolist.... they ARE Microsoft... Microsoft with cell towers... EFF THEM!

And before the flames come rolling in, I have both AT&T (for work) and T-Mobile (for personal). I'd consider cutting off my peen before calling AT&T for assistance with anything.... god forbid a billing issue... T-Mobile though, I'd make that call in a heartbeat... and their people all speak ENGLISH.

 

[2992]

Here's a question... are the keys different every time?

I purchased a new iPhone 3GS. I wiped my iPhone 3G, but after the wipe it wanted to be activated. To get rid of the message, I just popped my new SIM in from my 3GS, waited and after it said it was activated, pulled that SIM out and put it back in my 3GS. I then sold the phone like that.

Curious, if the keys are always different then I'm ok. But if the keys are always the same based on the SIM, then that guy now has my keys on his iPhone unless he does a wipe.

I'm thinking about going to the AT&T store and asking for a new SIM.

And no, neither the 3G nor the 3GS were ever jailbroken or unlocked. But if the keys are generated based on activation and activation is done on two phones with the same SIM, like I just did, are the keys the same? I would suspect not, but I'm not 100% sure.

Then you can start saying "thanks" to Apple and to your operator if the buyer of your phone (and maybe his friends as well) will start receiving your push notifications and viceversa.

They (apple and att) have to think that not all the world is spinning around ATT/US. That is why IS selling the phone "abroad" as well.

Hope Apple will stop playing that stupid game of keeping the push working the way it does now, because now it's just not working as advertised.

 

[Master Chief]

This will be fixed, by Apple, with the OS update we're all waiting for

 

[LagunaSol]

AT&T IS THE MICROSOFT OF THE CELL PHONE INDUSTRY

All cell companies suck rocks. Do you honestly think Verizon is something to be loved?

Apple should take their billions in cash and run their own cell service. Screw the AT&Ts and Verizons of the world. They all suck. Period.

 

[jnic]

How long 'till people start demanding that Apple must fix thi problem that only seems to exist in jailbroken iPhones that are not supported. By Apple? My guess is about 5 seconds.

If you ask me, the jailbreakers should be held responsible for any prolems that exist in their hacked phones.

This sidesteps the issue. If Apple are failing to authenticate devices on their servers then it is possible for an attacker to masquerade as any user and access their push notifications.

This is a serious security vulnerability and Apple really do need to fix it before it's exploited.

 

[buthidae]

This sidesteps the issue. If Apple are failing to authenticate devices on their servers then it is possible for an attacker to masquerade as any user and access their push notifications.

This is a serious security vulnerability and Apple really do need to fix it before it's exploited.

I, as I'm sure is the case with many, would be amazed to hear of any iPhone id's involved that were not deliberately copied and shared by that iPhone's owner or someone with physical access.

The "hack" to get push notification working on an unauthorised iPhone was to copy generated keys from a legitimately activated iPhone. Then later came news that Apple generated the session ID's for push from these keys. And here we are, with these amazing reports of people with unauthorised ("hacktivated") iPhone's getting other peoples AOL messages (and presumably vice versa).

I should have put a bet down!

 

[iphones4evry1]

Uhm, if they gave up control they would have MORE problems like this, not less.

I agree with the idea that Apple should open up a bit more, but the downside of that is more problems like this. Not fewer.

Exactly.

My phone is still locked and my messages work fine. I wouldn't want an unintended recipient receiving my texts - what if I send personal info, like my address to one of my friends? I wouldn't want some creepy felon to receive that info instead of my friend ... this could lead to a lawsuit if anyone gets harmed as a result of this terrible problem.

 

[Surreal]

I think people are getting conused by the words 'security flaw.' maybe a little clarification of where teh flaw originates (not with apple or at&t)

 

[jnic]

I think people are getting conused by the words 'security flaw.' maybe a little clarification of where teh flaw originates (not with apple or at&t)

Based on buthidae's reply, it does indeed appear to be the fault of jailbreakers copying keys in order to re-enable push for jailbroken phones, rather than finding a way to reverse engineer the key generation algorithm (which is presumably non-trivial if Apple's engineers have done their jobs right).

 

[hayesk]

OH PLEASE!

AT&T IS THE MICROSOFT OF THE CELL PHONE INDUSTRY - they're abusive with fees, their phone support personnel are perhaps the WORST "trained" I've ever encountered and their people's self-important condescending nature makes me think they hate their customers.

Then don't buy an iPhone and don't use AT&T.

What? You really want an iPhone - fine, buy it, hack it, and accept the consequences that you brought on yourself.

 

[objc]

I really get sick of the fanboys and their non-facts. It's like watching Bill O'Reilly.
Dear MacHeads:
1. Unlocking a cell phone to work on another network is LEGAL in the U.S.
2. I purchased a used iPhone from a friend who upgraded to the 3G. He fulfilled his contractual obligations. I didn't purchase from att or Apple. I have NO obligations to either company.

 

[MacLover4491]

All the fanboys are dum SO THEY want to pay 70$/month where i only have to pay $36/month w/ internet plan from tmobile. Also I only paid $200 for my iphone 3g 8gb. Who is smarter now? haha

 

[charlituna]

All cell companies suck rocks. Do you honestly think Verizon is something to be loved?

Apple should take their billions in cash and run their own cell service.

if Apple had any desire to be a cell phone carrier, an in house credit card service or an ISP they would have done it. but unlike some companies they choose to keep things somewhat limited, which is why they have ATT, Juniper Visa and your pick of ISPs.

and i personally am glad for that. I would much rather they spend their time and money on making better software etc than trying to be all things

 

[LagunaSol]

and i personally am glad for that. I would much rather they spend their time and money on making better software etc than trying to be all things

I would agree with you 100% if we had more choice than Sucky, Suckier, and Suckiest in the cell phone provider world.

I think Steve Jobs mentioned that the iPhone was born from the complete lack of a product in the category that Apple folks actually wanted to own.

I wish someone with the means would share this "screw 'em all, I'm making my own" attitude and establish a wireless carrier that they would actually like to be serviced by.

T-Mobile is the only provider I have been half-satisfied with, and they're just a bit player.

 

[M2M]

It is for sure a security flaw.

Because I can totally legally buy an iPhone, activate it, make a copy of the certs (legal, but maybe no need to do).

And then sell the iPhone legally, but keep a copy of the certs (probably illegal then) and keep track of the push my victim is getting.

Apple for sure has to fix it. It's like I would make an (illegal) copy of a sim and then get all SMS of the originator (NO thats not working).

Also imagine an App from the App-Store that would (illegally) send your certs to a location (encrypted and disguised). I am not sure if Apple App-Store checking mechanisms would and can track that in every case. For sure Apple would remote-wipe that App when they find out. But maybe thats too late already.