agreed. i'm generally against people publicizing hacks others can then take advantage of, but if apple has known about this for a month or more, it needs to happen so they'll finally fix it. it's ridiculous for apple to not have patched this hole yet.

It wouldn't be a problem if the guy just told Apple and shut up about it. If he was the only one that knew about the hole, then everyone would be fine.
 
Isn't this about the place some clueless idiot parrots the phrase: "Competition is good," even though it has nothing to do with the subject?
 
How do you remove the SMS application from your iPhone anyways? I don't want it at all, I've got so many free solutions (IE, Skype, AIM, Facebook... hell, even eMail,) why would I ever want to pay for SMS when I've got unlimited data?

I never use SMS anyways... I've pushed it off to a back home screen... am I vulnerable anyways?
 
>Yeah, President Bush had that same problem with the New York Times publishing reports that the Administration believed would harm national security. Didn't stop the Times...

Bad analogy. As you said, in that case, the Administration thought the information was a threat -- but the Times didn't. In this case, the guys who found it agree it's a threat.

I agree apple should fix this, and quickly, but I still say it's irresponsible to publish the information. If someone actually used this, a lot of innocent people would get hurt.
 
>Bad analogy. As you said, in that case, the Administration thought the information was a threat -- but the Times didn't. In this case, the guys who found it agree it's a threat.
>
>I agree apple should fix this, and quickly, but I still say it's irresponsible to publish the information. If someone actually used this, a lot of innocent people would get hurt.

Clearly they've been given enough time to fix it. Clearly they aren't going to unless pressure is placed on them. The only way to put pressure on them is to publish the details of the threat. If they just said "hey apple, we're not going to publish this because, well, we're nice guys." Then what more incentive do they have to fix it quickly?
 
not too worried

Um remember we can't get SMS here in the US so it's not a big deal yet!

BTW thanks ATT for the KY you send us in our bill each month
 
>Um remember we can't get SMS here in the US so it's not a big deal yet!
>
>BTW thanks ATT for the KY you send us in our bill each month

We can get SMS just fine... it's MMS that we don't have yet. :rolleyes:
 
I see both sides, really ....

On one hand, sure - companies need to be as proactive as possible about addressing security holes.

On the other hand, security issues are popping up more and more often as all the software (and the operating systems) out there increase in complexity and features. Like one of my software developer buddies used to always say, "If I'm 99% accurate in all my coding work, that still means I'm creating an error in every 100 lines of code I write."

Companies like Apple are actively doing relatively large code updates to things like the iPhone's firmware, and trying to get them done on some kind of schedule. The optimal way to handle bug-fixes is normally to submit them on the "to do" list of items to correct by the next official release of the code.

Demanding an immediate security patch for the iPhone essentially means you want them to stop what they're doing, give that bug top priority, AND ensure the change doesn't break anything else either in the *current* code, OR in the rest of the updates they're in the middle of adding. Then you're going to push that big update out to everyone's iTunes, costing Apple a load of server bandwidth and users a big inconvenience (plus the inevitable flash updates that go wrong, causing bricked phones and support calls).

If they know OS 3.1 is due out soon, they're probably taking their chances on putting the security patch in with it, instead -- and I don't necessarily blame them. How many people are likely to really want to blast malicious SMS's out and attempt to illegally take over people's iPhones, all within the time-frame version OS 3.1 is done? Probably less than the number who will have problems doing the upgrade....


Good! Finally someone will light a fire under Apple's lazy butt. It's time Apple was held accountable for things like this. They need to realize that security issues that put their users at risk need to be taken care of ASAP -- that means not taking their sweet time to issue a fix. A month after they've become aware of it is RIDICULOUS.
 
>Yeah, President Bush had that same problem with the New York Times publishing reports that the Administration believed would harm national security. Didn't stop the Times...
What a rotten example. Bush had a problem with anyone but Fox News...

This WILL cause apple to hurry up. If they had fixed it already there would be nothing to report.
 
Couldn't they have waited until 3.1 to publicize this to see if Apple incorporated the fix into it?
Then Charlie Miller wouldn't be getting nearly the same amount of free publicity that he's getting by doing this during the Black Hat convention.

>Clearly they've been given enough time to fix it.
Can you share the facts on which you based that statement? AFAIK, the only fact known is "Charlie Miller told Apple about this 30 days ago". I've seen nobody comment publicly on how big of an issue this is to patch, nor how long it takes to turn around an iPhone security patch in general ... identifying, coding, testing, piloting, and then full world-wide distribution.
 
>You guys are being really unfair towards Apple.
>
>Listen to me for a minute here:
>
>1. I read that this security hole has existed on EVERY version of the iPhone software to date.
>
>2. Nothing has happened since then... why should Apple have to rush the iPhone development to fix this?
>
>3. If this one dude had just told Apple about it and shut up, Apple would have fixed it with 3.1 and nobody else would have known.
>
>4. Now, everyone at this Black Hat thing is going to know how to execute this hack and Apple will probably be FORCED to release an unfinished update. Why would you want that?
>
>I just think it's very crappy to only give Apple a month to fix something that has been there for 2 years already. What a jerk.

1. i haven't read that but i haven't browsed around for more info on it so i'll assume you're correct.

2. it's the nothing has happened part. let's pretend this is a credit card firm like VISA that has a security hole on their website. do you really want them just say "well we haven't been hacked yet so let's just worry about it later". i'd want them to fix the security ASAP.

3. you can't just assume only HE knows about it. but even so are you just going to say then every newspaper/news journalist should also shut up when they do investigations that uncover something?

4. they could always just release a 3.0.1. they don't have to push a 3.1.
 
Publicizing security issues is the best way to get them fixed.

The chances of *your* iPhone being hacked are pretty remote.
 
>It wouldn't be a problem if the guy just told Apple and shut up about it. If he was the only one that knew about the hole, then everyone would be fine.

What's to stop someone else from discovering the same exact security hole before they patch it? Regardless if it's just one person that knows about a huge security vulnerability, it needs to be patched asap.

If you had a door on your house that even when locked would open if you tapped on it 5 times, and the only person that knew about it said to you "you should get that fixed", would you just leave the door as is because only 1 person knew about it and blindly assume that no one else would find out about the door's vulnerability? Any security expert will tell you obscurity does NOT equal security.
 
Actually, from the article, it seems Microsoft is just as bad!

Well at least they can disable/filter SMS reception on Windows Mobile - not sure if this is doable on the iPhone. (I know for sure it can be done easily on the Blackberry and with some external utilities on WinMo.)
 
couldn't at&t just filter sms messages with the exploit string and prevent anyone from receiving it? it'll give apple more time to release 3.1.
 
>You guys are being really unfair towards Apple.
>
>Listen to me for a minute here:
>
>1. I read that this security hole has existed on EVERY version of the iPhone software to date.
>
>2. Nothing has happened since then... why should Apple have to rush the iPhone development to fix this?
>
>3. If this one dude had just told Apple about it and shut up, Apple would have fixed it with 3.1 and nobody else would have known.
>
>4. Now, everyone at this Black Hat thing is going to know how to execute this hack and Apple will probably be FORCED to release an unfinished update. Why would you want that?
>
>I just think it's very crappy to only give Apple a month to fix something that has been there for 2 years already. What a jerk.

+1
 
If they publish the exploit and Apple releases a fix, what about people who haven't updated to 3.0?
 
>Yeah, President Bush had that same problem with the New York Times publishing reports that the Administration believed would harm national security. Didn't stop the Times...

Yeah, that damn constitution! If we could just get rid of that, then America would be safe!

Oh, and your signature is spelled wrong. It should be spelled Democratic. Not Democrat.
 
>Um remember we can't get SMS here in the US so it's not a big deal yet!
>
>BTW thanks ATT for the KY you send us in our bill each month

Why would it only be significant if it affected the USA? iPhone is available in hundreds of other countries.
 
software realities

The guy is a jerk, pure and simple. Expecting Apple to release a fix within a month is completely unreasonable. Let me detail just a few of the things that have to happen:

1) Reproduce the "bug"
2) Understand and evaluate the severity
3) Design a fix. Review this fix with other engineers.
4) Implement a fix
5) Develop a test plan and test this fix along with all other comm related features to make sure you didn't break something in the process.
6) Wrap up a 3.01 release which incorporates the fix along with other minor bug fixes already completed in house, keeping this separate from your 3.1 development stream which is not ready yet. Merge all the changes and get the thing to build.
7) Test everything all over again
8) Produce an installer package for this 3.01 release. You need both stand-alone versions for developers and itunes-based updaters.
9) Test the installer/updater
10) Update all your web sites and documentation to now refer to version 3.01. Release new tech docs describing what's new in version 3.01.
11) Educate all your support staff worldwide on who needs 3.01 and why.
12) Possibly grab inventory which is about to be shipped and install the 3.01 patch.
13) Release the new version

I've probably left out several steps. Oh, and many of your key personnel will be out of town because July is a pretty good month to take vacation. The point is, you can't just stop everything and release a quick fix when you have 20+ million devices out there to support, just because some self-serving bozo is claiming the sky is falling. This is just a cheap publicity stunt.

>If they publish the exploit and Apple releases a fix, what about people who haven't updated to 3.0?

Good point, repeat all the steps above for version 1.x and 2.x. Oh, and what about people who don't update at all?!? This jerk has just unleashed a thousand hackers bent on attacking all those people who don't update their devices quick enough.
 