Am I the only one saying "WTF" about this security fix?

This tells me that every time Siri tells you "You'll need to unlock your phone to do that", it's because they have server side code, which can be changed at any time on a whim, that says they need to do that.

So all that needs to be done to hack your way into any iPhone is to put it on its own network where you can intercept Siri requests, and you can respond with a command that says "It's okay - unlock the iPhone".
 
Sour grapes from you. Spreading FUD reveals your lack of awareness when it comes to Android circa 2016.

Nexus smartphones have improved dramatically over the last three years. My ongoing personal experiences with every new Nexus model and Android version since 2007, reveals the many advantages of the current Nexus 5X and 6P models. Smartphones that are wicked fast, super accurate and simply delightful to own.

It's not FUD. Nexus phones are supported 18 months minimum to 24 months maximum. Calm down.
 
Am I weird for being mildly concerned that my local security can be fixed/compromised due to external services?
Wouldn't that potentially leave some kind of "man-in-the-middle" attack possible?
Hey FBI... you could have just made a server that replicates Apple's Siri responses to have gotten in the phone ;) (yes I know it's harder than it sounds with certificates, and other validations)
 
Am I the only one saying "WTF" about this security fix?

This tells me that every time Siri tells you "You'll need to unlock your phone to do that", it's because they have server side code, which can be changed at any time on a whim, that says they need to do that.

So all that needs to be done to hack your way into any iPhone is to put it on its own network where you can intercept Siri requests, and you can respond with a command that says "It's okay - unlock the iPhone".

Exactly. You are not alone, I did a double WTF?

It suggests something in the 3D Touch API is completely open and needs to be patched too.

It could be inherent to Siri too. If I didn't have Siri turned off because it's useless, I might turn it off for security's sake.
 
Just today, I was typing away, when suddenly a bloody popup window asked me if I wanted to turn on dictation. Just bugger off, Apple. I don't want your foul news, I don't want your cynical music subscription, I don't want your spam forced down my throat.

I wish Donald Trump was CEO of Apple. He'd be a darn sight better than Cook.

I guess not everyone caught on to this joke! :p
 
The following patch didn't work for me. Can still get Siri to exploit locked system. Anyone else? I'm running an iPhone 6.

A Siri vulnerability that allowed access to a user's photos and contacts on a locked iPhone running iOS 9.3.1 was patched server-side this afternoon by Apple.
 
Hate Apple or not, but you have to give them props for these security updates. Personally, the fact that I only see this bypass on YouTube a few hours ago and have just seen an article about Apple sending out an update to fix it just amazes me. I remember when I had an LG and I had to beg and pray that I would even get an update, lol.
Agreed. I don't know how big an issue this was but it was resolved pretty quickly. I remember having a T-Mobile sidekick, Windows SE phones, etc. and you never saw an update...
Just today, I was typing away, when suddenly a bloody popup window asked me if I wanted to turn on dictation. Just bugger off, Apple. I don't want your foul news, I don't want your cynical music subscription, I don't want your spam forced down my throat.

I wish Donald Trump was CEO of Apple. He'd be a darn sight better than Cook.
Lol. I think that you'd be more comfortable with a flip-phone or an old Nokia that I had:
Nokia-5190.jpg
 
"Siri, open Spotify"
"You'll have to unlock your phone to do that"
"Oh, great!!! And you're happy to open iTunes"

"Hey Siri,... Hey Siri"
"Oh great, the phone is in my pocket, even though I'm wearing headphones. She's not even listening."

"Siri, you're bloomin' useless!"

Please Apple, let "Hey Siri" work with headphones and the proximity sensor active. And please allow the user to specify which apps can be opened when it's locked.

This is all I ask! Especially as I'm a cyclist with headphones.
 
Am I the only one saying "WTF" about this security fix?

This tells me that every time Siri tells you "You'll need to unlock your phone to do that", it's because they have server side code, which can be changed at any time on a whim, that says they need to do that.

So all that needs to be done to hack your way into any iPhone is to put it on its own network where you can intercept Siri requests, and you can respond with a command that says "It's okay - unlock the iPhone".

Probably isn't that simple. If it's https then the data is encrypted and would probably have a token attached for authorization. Not saying it's impossible but you would have to know what the response is meant to be ... encrypt it etc.
 
Am I the only one saying "WTF" about this security fix?

This tells me that every time Siri tells you "You'll need to unlock your phone to do that", it's because they have server side code, which can be changed at any time on a whim, that says they need to do that.

So all that needs to be done to hack your way into any iPhone is to put it on its own network where you can intercept Siri requests, and you can respond with a command that says "It's okay - unlock the iPhone".

Yes. Good luck with that.:rolleyes:
 
So, let me get this straight, it was a SERVER side fix for SIRI??? So, you're telling me, that I am depending on APPLE and their security team to make sure that SIRI doesn't allow anything to happen to my data. So, the change they did to fix this had nothing to do with the physical phone and that if APPLE wanted to, they could have SIRI unlock our phones at any given time????? This is interesting.
 
Yeah, only difference Apple will support it for 4, 5 years instead of 1.5 or 2 max. AND some bugs get squashed very late even in new Nexus phones.

There is NO COMPARISON with the level of support Apple provides.
You really have no idea what you're talking about.
 
This is what I like about Apple, they take these things seriously and patch quickly, I'm sure if it was Android it would have taken much longer to patch. Apple's # 1 importance is customer's privacy. Good job Apple!!

Please tell me you’re joking. There are a myriad of things that Apple has been informed about in the past, (and I mean security issues), that go unpatched for ages.
They are getting better for sure but for you to post that nonsense tells me you haven’t had Apple devices that long, and/or that you don’t read sites like Ars Technica.

For "ages". OK, what went unpatched for "ages"? What magnitude of actual damage for users?

Try Google.

example http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/

Look, Apple is far from the quickest to patch... speaking from experience.

Also the concept that Google takes forever, it's total nonsense.

Nobody made the claim that Apple is the quickest to patch, though their average response time (from your own source) is pretty solid. Your article explicitly calls out the titular bug as taking significantly longer than is typical for Apple, and it was a *singular* bug, not "a myriad of things that Apple has been informed about in the past, (and I mean security issues), that go unpatched for ages" like the claim H2SO4 made.

While you're correct that it's not Google that takes forever to patch, that's a distinction without a difference for users. It's the myriad of companies using Google's operating system on their phones, who basically release the phones to the market, and then completely wash their hands of them, rarely providing even *critical* security updates. If you don't buy a 'flagship' phone, you're generally screwed.

As an example:
The latest version of Android (Marshmallow) still hasn't broken 5% penetration, while 35.8% are on Lollipop, and 33.4% are on Kit Kat, and 26.2% on older versions (Jellybean, Ice Cream Sandwich, Gingerbread, and Froyo).
The latest version of iOS (9.x) is on 77.5% of iDevices, with the prior two versions 8.x and 7.x on 10.8% and 7.8% respectively (leaving a grand total of 3.9% on iOS 6.x or older). To be fair, iOS 9.x was released about 2 weeks before Marshmallow (mid vs. late September of last year), but the difference in availability at this stage is telling.

I'm pretty sure that Android users, at least in the vast majority of cases, don't intentionally stay on older versions of the OS because it's so much better than the newer versions. Rather, they remain *stuck* on those older versions, because there is no option for them to upgrade through supported channels, and may not even be any option through unsupported channels, either.
So, let me get this straight, it was a SERVER side fix for SIRI??? So, you're telling me, that I am depending on APPLE and their security team to make sure that SIRI doesn't allow anything to happen to my data. So, the change they did to fix this had nothing to do with the physical phone and that if APPLE wanted to, they could have SIRI unlock our phones at any given time????? This is interesting.

It was a server-side fix to disable a server-side *search* from being run while the phone is locked. There will almost certainly *also* be a client-side fix to properly block the results from allowing the display of contacts when it is supposed to be disabled. This quick-fix minimizes the odds of any user data being compromised, by restricting the 'surface area' available for an attack.
 
Nobody made the claim that Apple is the quickest to patch, though their average response time (from your own source) is pretty solid. Your article explicitly calls out the titular bug as taking significantly longer than is typical for Apple, and it was a *singular* bug, not "a myriad of things that Apple has been informed about in the past, (and I mean security issues), that go unpatched for ages" like the claim H2SO4 made.

While you're correct that it's not Google that takes forever to patch, that's a distinction without a difference for users. It's the myriad of companies using Google's operating system on their phones, who basically release the phones to the market, and then completely wash their hands of them, rarely providing even *critical* security updates. If you don't buy a 'flagship' phone, you're generally screwed.

As an example:
The latest version of Android (Marshmallow) still hasn't broken 5% penetration, while 35.8% are on Lollipop, and 33.4% are on Kit Kat, and 26.2% on older versions (Jellybean, Ice Cream Sandwich, Gingerbread, and Froyo).
The latest version of iOS (9.x) is on 77.5% of iDevices, with the prior two versions 8.x and 7.x on 10.8% and 7.8% respectively (leaving a grand total of 3.9% on iOS 6.x or older). To be fair, iOS 9.x was released about 2 weeks before Marshmallow (mid vs. late September of last year), but the difference in availability at this stage is telling.

I'm pretty sure that Android users, at least in the vast majority of cases, don't intentionally stay on older versions of the OS because it's so much better than the newer versions. Rather, they remain *stuck* on those older versions, because there is no option for them to upgrade through supported channels, and may not even be any option through unsupported channels, either.

The funny thing is that Android users don't get an option to upgrade and Apple users don't get an option to downgrade. If Apple users had an option to downgrade their OS, Apple's numbers would take a nice hit. From my experience my iPhone 4 and iPad three are an awful experience; if I could downgrade them, they could give me a smooth user experience.

Though yes, buying an Android handset does put you at the hands of the manufacturer when it comes to updates and support. Though you will find that many of these handsets run a final version of the last supported OS, which is in fact more secure and stable than a brand new flagship handset with latest OS. When it comes to bugs and security, running the latest version of a new OS is the most dangerous, hence why big organisations never run the current OS, but a generation or two behind.
 
"Hey, Siri. Why doesn't Apple pay at a very minimum 30% tax
in the country where the actual sale is made?"
"Let me check on that..."

"Did you require access to a user's photos and contacts instead?"

What state do you live in that has 30% tax?
 
Apple's #1 priority is how much more can they make.
T-Mobile? And no, Sprint most likely would be BOUGHT. Not the other way around. Sprint is piss poor in all aspects.
Yes, for many years. Not sure what your point is because there isn't no spam on Android. And if you are referring to ads in games, etc, I get them just as much as Android did. So again, what is your point?

Lol, overlooking the double negative ("isn't no spam"), it's well documented how much bloatware comes on Android phones. What "spam" do you think there is on Apple devices exactly?
 
What state do you live in that has 30% tax?
Apple is a global company. Various countries around the world tax citizens and companies taxation amounts between 15% to 45% (plus or minus a few %). Apple taxes its developers 30% on sales to include apps in the App Store. Apple is primed to pay 30% tax for all sales it makes in the country which it has made the sale. It is fair and it is right.
Agreed. I don't know how big an issue this was but it was resolved pretty quickly. I remember having a T-Mobile sidekick, Windows SE phones, etc. and you never saw an update...
Lol. I think that you'd be more comfortable with a flip-phone or an old Nokia that I had:
Nokia-5190.jpg
How gross. Pacific Bell logo on a Nokia device. Consumers really need to amp up about this co-branding rubbish and tell manufacturers to quit ugly-fying their electronics.
 
You really have no idea what you're talking about.

If declaring this makes it true, then you must be a king hey... Please continue deluding yourself.
Agreed. I don't know how big an issue this was but it was resolved pretty quickly. I remember having a T-Mobile sidekick, Windows SE phones, etc. and you never saw an update...
Lol. I think that you'd be more comfortable with a flip-phone or an old Nokia that I had:
Nokia-5190.jpg

I still have my 1999 Flip phone, a decent model at the time, and just to freak people out at work I take it out for a spin sometimes (they think I'm real weird, especially since I'm an equivalent to VP tech and thus should really be into tech). It still works :).
 