Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Researchers Demonstrate Vulnerability Allowing Theft of iPhone Passwords
- Thread starter MacRumors
- Start date
- Sort by reaction score
BlackBerry Vulnerability
A new study has discovered a major security flaw in BlackBerries that can allow a hacker to take over a BlackBerry server just from sending an email. If the hacker sends an email with an infected PDF file, and the user opens the file, a virus would install malicious software on the server side, allowing the hacker to send spam and collect personal data. Users are urged to disable attachments until the problem is worked out.
Did you just use this as a source? http://www.spamlaws.com/spamlaws_news48.html?p=2
A better link: http://www.pcworld.com/businesscent...s_blackberry_admins_of_bes_security_flaw.html
Young child do not fear! They wont do this with your phone but maybe with some important people's phone. And maybe - just maybe - this person does not survive the robbery.
And stealing your credit card is much easier! Or better, any personal checks you have... now there is a nightmare if you have checks stolen. The check system is really broken and it can go on for months.
What?! Really?!
Im scared now, I knew I shouldn't have gone 50/50 on the camera!
If that profile picture is of you, then you don't have anything to worry about.
Another reason for me to remote-wipe my iPhone if it vanishes! And then when I find it, I just restore from the latest backup.
Still, you cant get that info from a Macs keychain without the master password, so Id hope the same could be true of an iPhoneat least, if you set an unlock passcode. They could use your 4 digit code as (part of) the keychain encryption.
Still, you cant get that info from a Macs keychain without the master password, so Id hope the same could be true of an iPhoneat least, if you set an unlock passcode. They could use your 4 digit code as (part of) the keychain encryption.
The reason for announcing exploits publicly, is because you might not be the only one who found the vulnerability. It's the equivalent of yelling across the street to your neighbor that they left their garage door open - whether he leaves it open is up to him.
http://en.wikipedia.org/wiki/Security_through_obscurity
If some has physical access to your computer, they can do the same thing as has been noted when laptops get stolen containing customer IDs and credit card information.
This "exploit" requires physical access to the phone -- which probably means it was already lost or stolen.
As some else said, every smartphone, blackberry, etc is subject to "exploit" if someone else has physical access to it.
Moving on .....
Not true. I have an admin account password and firmware password on my laptop, and as long as my password is strong enough nobody can access anything on my MacBook.
Imagine you are someone important (like a CEO, politician, etc). I specifically steal your phone because I want your secrets. I *gasp* push the power button and turn it off so you can't wipe it. I take it to my own location, jailbreak it, install this script and I have all your info in about an hour.
That is a big security hole, and one that won't and shouldn't be taken lightly by enterprise or government.
It is not. When a credit card is stolen, one quick call to the CC company closes the account. All unauthorized charges are immediately reversed.
It happened to me. They didn't even get my actual card (it was still in my wallet, which I had), but got my account number and printed their own card. Fraud services called me, I pressed 2, meaning it wasn't me making the purchase of $200 at Chipotle, and I was immediately connected to a rep, who closed my account and reversed all $1,200 worth of unauthorized charges.
Easy.
Not if you close your account after the first unauthorized withdrawal.....or right after you notice your checkbook is missing.
Absolutely--credit card numbers and checking account numbers are far easier to get your hands on--and you don't even know they have them until suspicious activity starts showing up. At least you would be somewhat aware that your iPhone was missing.
As far as detrimental--not for credit card numbers as long as you keep an eye on your account--and the fraud people do a good job as well--it has happened to me several times. They just send you a new card--no big deal.
And we'd like to take this opportunity to thank MacRumors for broadcasting this information to an even larger audience of morins who will take advantage of this opportunity.
No really, thanks very much!
No really, thanks very much!
Reminds me of the Arj Barker joke
"we are America, we have the best military in the world, and NO ONE can know our military secrets.....unless of course they have the discovery channel or something. I mean, they give away everything... 'the only way to destroy this modern tank is to cut this wire right here, and place a small explosive here' 'one thing we definetly dont want terrorists to attack is the power plant in Florida. Because there's a security guard named Dave that usually falls asleep around 9PM, the place isn't guarded at all, if it were attacked it could wipe out the whole eastern seaboard....it's a good thing no one knows about it' then the news also gives away ideas they might've never thought of before 'the airways are heavily patrolled and there's no way to sneak a bomb on there, however........the nations rail system is still unprotected'"
Point being is, shutup!!!
"we are America, we have the best military in the world, and NO ONE can know our military secrets.....unless of course they have the discovery channel or something. I mean, they give away everything... 'the only way to destroy this modern tank is to cut this wire right here, and place a small explosive here' 'one thing we definetly dont want terrorists to attack is the power plant in Florida. Because there's a security guard named Dave that usually falls asleep around 9PM, the place isn't guarded at all, if it were attacked it could wipe out the whole eastern seaboard....it's a good thing no one knows about it' then the news also gives away ideas they might've never thought of before 'the airways are heavily patrolled and there's no way to sneak a bomb on there, however........the nations rail system is still unprotected'"
Point being is, shutup!!!
This is the one thing that keeps me semi-cautious as to how much I put and use on my iphone.
I am not a fan of the rumors about NFC being put into iphones. Once that happens everybody will have to put a passcode on their iphone. If someone gets an iphone that has NFC they have everything. You've got bank apps, ebay apps, paypal apps, etc etc etc. I don't want to have to put in my password every time I want to use the iphone.
Yeah, yeah, yeah, remote wipe. But still, its a hassle, and I hope people back up their iphones weekly or lots of info could be lost.
IDK, I love tech, but we might be going too far.
I am not a fan of the rumors about NFC being put into iphones. Once that happens everybody will have to put a passcode on their iphone. If someone gets an iphone that has NFC they have everything. You've got bank apps, ebay apps, paypal apps, etc etc etc. I don't want to have to put in my password every time I want to use the iphone.
Yeah, yeah, yeah, remote wipe. But still, its a hassle, and I hope people back up their iphones weekly or lots of info could be lost.
IDK, I love tech, but we might be going too far.
At last count, all of the jailbreaks require either a) restoring the device from a custom IPSW, which will wipe the contents of the phone or b) for the JailbreakMe.com one- having an unlocked phone to use to to visit the website.
So, unless they've also stolen your computer that they can use to restore the device from a previous backup after they jailbreak the iPhone, if you have a passcode lock it sounds like you should be fine...
A screwdriver and about 90 seconds is all it takes to get your hard drive out. Your firmware password isn't going to protect anything once your data is connected to another machine.
The moral of this story is that all security bets are off once someone has prolonged physical access to a system.
You're right. BUT, if you're in a position with physical access to the CEO and the ability to steal his phone and keep it for an hour without him noticing, then you could just as easily steal his wallet, car keys, laptop, his employee passcard, etc. and access whatever secrets you want via file servers, limited-access security vault, tapped phone calls, even breaking into his home or car.
It just means that physical access is an ideal attack vector, and that's never going to change.
Hahaha. I'm sorry, but this made me laugh.
Are you seriously running an article on this? Really? At least remove the sensationalist title-- it should include "with a jailbreak"-- you know, the vital caveat. Poor reporting IMO.
How technically inept do you have to be not to realize that yes, if you jailbreak a device, and then SSH it, you will have root access? I mean come on... the default SSH password when JBing is alpine... and sadly most people who JB don't even know what SSH is.
The bottom line is this: ALL "smart" phones suffer from this vulernability. It's called rooting in Android, JBing on the iPhone, etc. If they have the physical device, it's always game over, regardless of what "protection" you have on it-- it's only a matter of patience and time for them to break in through some method.
Are you seriously running an article on this? Really? At least remove the sensationalist title-- it should include "with a jailbreak"-- you know, the vital caveat. Poor reporting IMO.
How technically inept do you have to be not to realize that yes, if you jailbreak a device, and then SSH it, you will have root access? I mean come on... the default SSH password when JBing is alpine... and sadly most people who JB don't even know what SSH is.
The bottom line is this: ALL "smart" phones suffer from this vulernability. It's called rooting in Android, JBing on the iPhone, etc. If they have the physical device, it's always game over, regardless of what "protection" you have on it-- it's only a matter of patience and time for them to break in through some method.
Does remote wipe work, if they remove the sim and deactivate wifi?
cause they don't actually need it online.No, they are reporting that they needed to jailbreak it to install software that allows for the technique. At least, that is what it reads. Maybe I missed something.
I'm not sure why this is a surprise to anyone. If you have a device in your hand, eventually you'll crack it and get what you want. Also, this was already demonstrated a long time ago with jailbroken phones. This was done to people remotely when they installed ssh on a jailbroken phone. Hardly seems like a new technique. They just showing how to do it when you get your hands on a phone and retrieve passwords.
If I get your Mac or PC in my hands, I'll crack that too. So, what's the point of this?
The funny thing is that if Apple makes it tougher to jailbreak, you'll have a long thread about how people are pissed they can't jailbreak their phones. Damn if you do, damn if you don't.
Now, a cool feature would be the "keychain" storage on my phone. Or is there and I'm missing it? Sure, just another level. But, I like to make it a tad easier for thieves.