Toggle sidebar Toggle sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iPhone SMS Security Vulnerability to Be Disclosed Today

Scooterman1 said:
But, don't some of your SMS messages (like the ones from AT&T) just have a Code instead of a Phone Number? Like when you send a message to 543542, etc...
Click to expand...
I know companies can register those types of codes (American Idol, Bank of America, etc), but I don't know if a regular person can spoof something like that.
 
The fanboyism is strong in this thread.

This is a priority ONE security hole.

They we're told about it - and have done nothing about it so far.

So are you all saying that Apple should take its sweet time to fix such a huge security hole?!?

If this was Microsoft - I'm sure you all would be changing your tunes.

I am GLAD that they went public with this. What would happen if they didn't go public with this, and then a hacker actually implemented it? I bet you'd see a fix within days.
 
CrownSeven said:
The fanboyism is strong in this thread.

This is a priority ONE security hole.

They we're told about it - and have done nothing about it so far.

So are you all saying that Apple should take its sweet time to fix such a huge security hole?!?

If this was Microsoft - I'm sure you all would be changing your tunes.

I am GLAD that they went public with this. What would happen if they didn't go public with this, and then a hacker actually implemented it? I bet you'd see a fix within days.
Click to expand...

I believe that most on here will agree with this:
1. Go Public with the info in order to Push Apple into fixing the problem.
2. Only go Public if they can do it WITHOUT giving the details of exactly how they accomplish it.
 
uberamd said:
Are you expecting a step by step tutorial on how to implement this attack?
Click to expand...

Perhaps not a "hold your hand" guide on how to take over the world, but I can't see it taking long for a number of hackers to duplicate this exploit (I could be wrong, of course). And with full access to a phone's contacts, one hacker could quickly gain access to a number of other phones.
 
CrownSeven said:
So are you all saying that Apple should take its sweet time to fix such a huge security hole?!?
Click to expand...
You all who? Who here (except for TheSpazz) thinks Apple should take its sweet time?

My only point is that until more information about what Apple has to do to fix it is released, I don't see how anyone here can factually state that Apple's taking too long.
 
aristobrat said:
The only truth to that statement is that it's your opinion, unless you're basing it on some facts that nobody else here is aware of (in regards to the SMS issue).
Click to expand...

I would base that 'opinion' on facts such as a Java vulnerability that was left unpatched on OSX for nearly a year, or the flaw in BIND that wasn't patched properly for nearly three months. In both cases Apple were dead last to the fixing party.

What do you base *your* opinion on?
 
The biggest problem is that like Mr. Miller stated, he notified Apple over 1 month ago with NO response.
And Forbes states that they have called Apple repeatedly with NO response.
WE, iPhone owners, most never know anything about what Apple does until AFTER it's over. Secret stuff........ the consumers don't need to know what Apple does except take or good money, and enjoy it! I know, that was sarcastic, but we DO pay a lot for these phone to not be able to get any news from Apple on something like this.
 
Now they say to turn off your phone if you get a sms with nothing but a sqaure box, for how long am I suppose to leave it off. Anyone know more on that?
 
El indio said:
Now they say to turn off your phone if you get a sms with nothing but a sqaure box, for how long am I suppose to leave it off. Anyone know more on that?
Click to expand...

Don't worry. They'll call you to let you know when to turn it back on...
 
I find it funny how paranoid some people here are. Settle down, no need to get in a frenzy about this.
 
Is it just me, or does the article also suggest (or state explicitly?) that this attack could be designed to show NO visible messages at all? Seems to me that someone with actual malicious intent would opt for that over a visible attack...
 
TheSpaz said:
I just think it's very crappy to only give Apple a month to fix something that has been there for 2 years already. What a jerk.
Click to expand...
On the Internet, a month is an eternity. It doesn't matter how long a bug has gone undiscovered. A month is the maximum time between Microsoft patch days, and they have still been forced to do unscheduled emergency patch releases many times.

Just this week, a bug was found in BIND, which runs most DNS servers. It was found because bad guys were already using it to crash DNS servers. ISC had a fix out immediately.

Face it, Apple is just plain irresponsible when it comes to security holes, just like Microsoft used to be before 2004. The only way to deal with an irresponsible company is to publicly announce their security holes.
 
QCassidy352 said:
...why would they publish this information? I'm not absolving apple of blame here, but come on. Just because you have freedom of speech doesn't mean it's not reckless to use it in a case like this.
Click to expand...


To force Apple into fixing it, before someone else figures it out and uses it maliciously.

Seriously - Apple is properly USELESS at keeping up to date patching its software.
 
aristobrat said:
I wonder how easy it is for hackers to send a SMS message over a network and not be detected.

On every text message I've received with AT&T, it's always shown the phone number that sent it, so it's not as simple as just randomly sending a text message to every phone number in the world, hoping you get an iPhone on the other end?
Click to expand...

If you create what I believe they call an sms gateway (say like the one here) you can give it a bogus email address, which then shows up as 'From:'.
 
TheSpaz said:
It wouldn't be a problem if the guy just told Apple and shut up about it. If he was the only one that knew about the hole, then everyone would be fine.
Click to expand...

Poor logic. There are other hackers out there. Also, companies pay BIG money for people to work for them and find their exploits. If I were this guy I'd probably keep it secret if I was on Apple salary, but if Apple has no plans of hiring him then he can do what he likes with the information to make Apple react.

ArtOfWarfare said:
How do you remove the SMS application from your iPhone anyways? I don't want it at all, I've got so many free solutions (IE, Skype, AIM, Facebook... hell, even eMail,) why would I ever want to pay for SMS when I've got unlimited data?

I never use SMS anyways... I've pushed it off to a back home screen... am I vulnerable anyways?
Click to expand...

You can call your carrier (mine is AT&T) and ask to Opt-Out of SMS messaging. I've done that because I use all the stuff you do to avoid it and I don't want to get any. Doing this has AT&T block all SMS messages to you.
 
TheSpaz said:
It wouldn't be a problem if the guy just told Apple and shut up about it. If he was the only one that knew about the hole, then everyone would be fine.
Click to expand...

Not likely. Considering security holes in smartphones is an area of interest to hackers, you can't figure he is the only guy to have found this bug.

kingtj said:
Then you're going to push that big update out to everyone's iTunes, costing Apple a load of server bandwidth and users a big inconvenience (plus the inevitable flash updates that go wrong, causing bricked phones and support calls).
Click to expand...
That is Apple's problem. They need to join the 1990s and start doing binary patch updates, instead of forcing full re-downloads of an entire program for every small change. Google Chrome does it, Firefox does it, Microsoft does it, anybody who uses RTPatch does it, there are open source programs that do it. APPLE, DO IT!
 
I think Apple deserves to sweat a little over this. They had ample time to fix it, they did not, thus they will pay the consequence. (Today).
 
If I have learned one thing on these forums since joining, it would be that everyone here thinks they know how to run Apple better than its currently being run.
 
PoitNarf said:
Good. As an IT professional one of my biggest headaches is dealing with users that don't keep their systems up to date. Perhaps a looming threat to their precious iPhones will get them to realize that you need to update software and devices frequently and quickly.
Click to expand...

As an IT professional, you should know that YOU are going to be the one that has to deal with this sort of thing, one way or another.

Wishing ill will like this is just petty and if you really want my opinion, ignorant.
 
Amdahl said:
That is Apple's problem. They need to join the 1990s and start doing binary patch updates, instead of forcing full re-downloads of an entire program for every small change. Google Chrome does it, Firefox does it, Microsoft does it, anybody who uses RTPatch does it, there are open source programs that do it. APPLE, DO IT!
Click to expand...
At one point, the dot security releases were simple 10MB downloads. When did that ever change?
 
aristobrat said:
That's exactly my point. I don't have enough information about this issue to base an opinion on if Apple is moving on it fast enough or not.
Click to expand...

Looking at their record they're probably being pretty slow about it. The Java exploit wasn't fixed for how long? How about the BIND one?

Unfortunately, Apple really really sucks when it comes to turn around time for security updates. Until they start increasing the speed of the patches we can only assume the lackluster rate at which they release the updates is the same.

I love Apple but they really need to change the way they handle security patches and the app store approval process (not related but it is basically the only other thing I have a problem with).
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back