Ubuntu Lucid Lynx 10.04 can read your iPhone's secrets
ZDNet ^ | May 27, 2010 | Adrian Kingsley-Hughes

Posted on 06/25/2010 12:17:10 PM PDT by PugetSoundSoldier

Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn’t prevent access to your data … as long as the person doing the snooping around is using Ubuntu “Lucid Lynx” 10.04.

Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx …

I uncovered a data protection vulnerability [9], which I could reproduce on 3 other non-jailbroken 3GS iPhones (MC131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18, modem firmware 05.12.01, and version 3.1.2-7D11, modem 05.11.07), all PIN-code protected, which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

(Excerpt) Read more at zdnet.com ...


TOPICS: Business/Economy; Computers/Internet; Music/Entertainment
KEYWORDS: apple; fail; ilovebillgates; iphone; iwanthim; iwanthimbad; microsoftfanboys; secure
To: for-q-clinton; RightOnTheLeftCoast
Oh, relax, both of you! :)

> Looks like you have made up your mind before getting all the facts... Not sure why you'd want to do that. If my phone had this huge security hole I'd be very concerned

The truth or falsehood of this sensationalist claim will come out eventually.

Tech blogs make mistakes all the time, and publish unfounded claims all the time. This one might be true, in which case you'll see it all over in a couple days. Or it might be false, in which case the authors will harrumph their way back to their basement to write another Apple-bashing article.

Patience, my FRiends, patience.

161 posted on 06/27/2010 12:23:33 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 158 | View Replies]

To: for-q-clinton
"So based on one test on a version of linux that isn't even the one cited in the article you're ready to call this FUD? Looks like you have made up your mind before getting all the facts...hence your agenda is clear. Defend apple at all costs."

No, just getting the facts out. Such as: no /usr, /var or similar directories in the published screen-shots from the authors who whipped up the hysteric froth in the first place. The notion that you can plug an iPhone into a specific Ubuntu build and whoosh "all" its data out is unsupported by those screen-snaps.

I supposed if I were in the habit of taking nekkid photos or something, then I might prefer that the PIN be entered to mount anything at all. That's how Android does it, IIRC, and many users might find that to be bothersome. It's an arguable point--the tension between ease-of-use and security will always be with us--and IMHO the best way to do it would be a Settings switch which would allow the user of plug-and-play auto-mount or enter-a-PIN-first.

Meanwhile, your agenda couldn't be clearer, so mind that tendency towards projection, hm?
162 posted on 06/27/2010 12:23:45 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 158 | View Replies]

To: dayglored

Unproven or not, it's a pretty big hole (if true). And as in the screen shot you posted, it would appear it's true. Or they are just scamming everyone...in which case that is just wrong. We have enough real world security issues to deal with and don't need people putting out lies.


163 posted on 06/27/2010 12:24:36 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 160 | View Replies]

To: for-q-clinton
"For example, I learned that OSX has a built in anti-virus feature. Never knew that before."

[facepalm]

No it doesn't. It will, however, block the user from installing software carrying a trojan payload.
164 posted on 06/27/2010 12:26:03 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 155 | View Replies]

To: for-q-clinton
"And as in the screen shot you posted it would appear it’s true."

Actually it shows just the opposite, which has been my point. Nothing sensitive is in those folders, near as I can tell.
165 posted on 06/27/2010 12:27:16 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 163 | View Replies]

To: RightOnTheLeftCoast; dayglored

You do have a good point. On the iPhone can I control what goes in the public directory? Or will photos always go there by default? and I’d have to move them later to keep snoops out?

Personally everything should go to private on the phone and only after I approve them should they go to public. What if I’m working on a project and took a photo I didn’t want shared? What if I took a photo of my co-worker and I drunk at the bar and I really didn’t want her husband to see it?

You get the gist. A phone should default to being secure. This sounds like the same crap Windows did in the past. They defaulted to installing everything and leaving everything wide open. It was up to the user to lock it down.


166 posted on 06/27/2010 12:28:35 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 162 | View Replies]

To: for-q-clinton
"As soon as you plug in I start grabbing the data."

Nothing of interest, if I'm right.
167 posted on 06/27/2010 12:28:54 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 151 | View Replies]

To: RightOnTheLeftCoast

I’m not familiar with the iPhone directory structure. What would typically be in each of those folders? Like purchases, downloads, photos, etc...


168 posted on 06/27/2010 12:30:06 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 165 | View Replies]

To: for-q-clinton
> Unproven or not, it's a pretty big hole (if true). And as in the screen shot you posted, it would appear it's true.

The screenshot shows nothing private. Just folders. They did not show contents of any of the folders, which could be locked. I'm a skeptic by nature.

"Hey I can access the CIA's secret database!!"

"Prove it!"

"Unproven or not, it's a pretty big hole (if true)."

Means nothing. Gotta prove it, before it's a hole. If true, then it's a hole. Until then, it's a sensationalist claim on an internet blog, nothing more.

169 posted on 06/27/2010 12:30:15 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 163 | View Replies]

To: for-q-clinton; RightOnTheLeftCoast

Guys, I gotta run for a few hours, have a good time, I’ll catch back up later.... cheers!


170 posted on 06/27/2010 12:32:24 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 168 | View Replies]

To: RightOnTheLeftCoast
Nothing of interest, if I'm right.

Nothing of interest to you or to a "spy"? I honestly don't know. Are you saying these are default folders but never have any data? But if they have any meaningful data I'd say it's of interest.

What if a boyfriend wants to see what photos his girlfriend has been taking? What if you want to see what photos your neighbor has been taking...and you find photos of your wife naked? Is that not significant?

I don't even know if that's possible, but it appears the DCIM and Photos folders are public, so that's not a good thing at all.

171 posted on 06/27/2010 12:32:52 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 167 | View Replies]

To: RightOnTheLeftCoast

BTW: here’s an older article about iOS needing full device encryption. The point of it is that for the enterprise any unauthorized access is very very very bad.

http://searchmobilecomputing.techtarget.com/news/1324084/iPhone-encryption-is-a-must-for-the-security-conscious-enterprise


173 posted on 06/27/2010 12:43:28 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 167 | View Replies]

To: itsahoot
In any case, Apple users by and large just want to hear useful information and be left alone. We have always been more than willing to freely share our expertise and problem solving tips through Users Groups, that never charged a dime for anything, maybe that is the real beef that PC IT guys have with Apple.

I don't know exactly what their motivation is. I have noticed, though, that many of the strong Microsoft partisans are unable to distinguish the difference between posting comments about a company, operating system, or program and personal attacks directed at users of other products. If it was just factual statements, positive or negative, about issues, products or whatever, that's one thing. It's the constant drumbeat of insults that I'm sick and tired of. You won't hardly find a thread here on FR that is about Apple, or its products, where you won't find the same people calling Mac users gay, macbots, cultists, leftists, or worse. You simply don't see that on MS-Windows threads. Yes, you'll find people saying that Windows is a virus-laden steaming pile of bovine excrement, but we don't call the users of Windows products fools or idiots for continuing to use something that most of us have, thankfully, escaped from.

I'll issue a formal Mea Culpa for allowing myself on a recent thread to get dragged down to their level and respond in kind. This is basically why I decided to finally deploy my filter against them, because I'm better than that, and I do not believe such behavior is appropriate to Free Republic. Unfortunately, the powers that be still haven't noticed the difference, for reasons I believe I've already stated.

174 posted on 06/27/2010 12:48:31 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 141 | View Replies]

To: for-q-clinton

I’ll try to find a good guide to the iPhone file system.

Meanwhile, here’s an interesting post from an Ubuntu forum two years ago, before Ubuntu could mount the iPhone:

===>

http://ubuntuforums.org/showthread.php?t=627267

Okay, so, looks like the deal is that apple decided to use a custom, non-exposed method of managing files on the device rather than just mounting it as a mass storage device.

They created windows and mac libraries (libmobiledevice.so) to allow software to interact with the iPhone FS, which on a non-jailbroken device is restricted to the media folder.

There are Mac and Windows projects which use aforementioned library to allow file management, but as there is no library for linux yet, we’re somewhat stuck.

The good news: there is a project working on a FUSE module to allow mounting an iPhone under linux without jailbreak/ssh/etc. http://matt.colyer.name/projects/iph...itle=Main_Page

He’s currently working on reverse engineering USB traces to figure out the protocol libmobiledevice uses to talk to the device, so that he can create an equivalent library for linux. Once that’s done, he can use the library and fuse to allow mounting the FS.

So, Apple decided to use a custom, proprietary protocol for which they released windows and mac drivers, but left us out in the cold (typical). In (typical) Linux fashion, some people are working on fixing that, and we should watch and wait for now, or better yet, get involved: if you can dual boot or run a VM, contribute to their efforts by sending in USB traces or help reverse engineer the protocol. Putting pressure on Apple to document the protocol can’t hurt anything either.

Anyway, looks like that’s as far as this is going for now though.

<===

It appears that Ubuntu’s ability to access that media folder spawned from the work mentioned in this post. Do note that bit about “restricted to the media folder”... matches my interpretation.

Meanwhile, http://www.libimobiledevice.org/ is instructive, as this is the actual library used by Ubuntu. Note this comment: “27.05.2010: Some security sites report that even passcode enabled devices get auto-mounted. We could not reproduce this yet. However it might point at some bug during boot in the iPhone OS. Accessing a passcode enabled device the first time does not work in our tests as one would expect. Devices taking more time booting might be affected though, on any OS.”

...I interpret that as reflecting back on the race-condition bug I originally thought was the problem Pug was barking about! WhatEVer... [grin]


175 posted on 06/27/2010 1:41:51 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 168 | View Replies]
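The libimobiledevice note quoted in the post above describes a boot-timing problem: a host that is already plugged in when a passcode-protected device starts up may get the media folder mounted before the lock is enforced. The following is an added example, a hypothetical Python model written for this thread and not code from iPhone OS, Ubuntu or libimobiledevice. The `Phase` states, the `Device` record and the two `grant_*` policies are assumptions made to illustrate the difference between a fail-open check ("deny only if I know the device is locked") and a fail-closed one ("deny unless I know it is unlocked"); the scenario it replays is constructed.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Phase(Enum):
    """Hypothetical device lock states seen by a connected host."""
    BOOTING = auto()    # services starting; lock state not yet established
    LOCKED = auto()     # passcode lock enforced
    UNLOCKED = auto()   # user has entered the passcode


@dataclass
class Device:
    passcode_set: bool
    phase: Phase = Phase.BOOTING


def grant_fail_open(dev: Device) -> bool:
    """Hypothetical buggy policy: refuse the media mount only when the lock is
    known to be enforced. The undecided boot state falls through as 'allowed'."""
    return dev.phase != Phase.LOCKED


def grant_fail_closed(dev: Device) -> bool:
    """Hypothetical corrected policy: an undecided state is a denial, and a
    passcode-protected device exposes media only once the user has unlocked it."""
    if dev.phase == Phase.BOOTING:
        return False
    if not dev.passcode_set:
        return True
    return dev.phase == Phase.UNLOCKED


# Constructed scenario: the host is already connected when the device powers on,
# so the first mount request arrives during BOOTING; later requests follow the
# device into LOCKED and then UNLOCKED.
SCENARIO = [Phase.BOOTING, Phase.LOCKED, Phase.UNLOCKED]


def run(policy, passcode_set: bool, phases=SCENARIO) -> list:
    """Replay one mount request per phase and return the grant decisions."""
    dev = Device(passcode_set=passcode_set)
    decisions = []
    for phase in phases:
        dev.phase = phase
        decisions.append(policy(dev))
    return decisions


def exposure_gap(passcode_set: bool) -> list:
    """Phases in which the fail-open policy grants but the fail-closed one does not:
    the window during which a host connected at boot could read the media folder."""
    dev = Device(passcode_set=passcode_set)
    gap = []
    for phase in SCENARIO:
        dev.phase = phase
        if grant_fail_open(dev) and not grant_fail_closed(dev):
            gap.append(phase)
    return gap


if __name__ == "__main__":
    for policy in (grant_fail_open, grant_fail_closed):
        print(policy.__name__,
              "with passcode:", run(policy, True),
              "no passcode:", run(policy, False, [Phase.BOOTING, Phase.UNLOCKED]))
    print("exposure gap with passcode:", [p.name for p in exposure_gap(True)])
```

Both policies agree once the device has settled into LOCKED or UNLOCKED; they differ only in the BOOTING phase, which is the window the quoted note attributes to devices that take longer to boot. The design point is that the state "I don't yet know whether this device is locked" must be treated as locked, on any host OS.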

To: dayglored

Here’s another post suggesting that the misbehavior relates to the boot/race-condition bug: http://blog.sukimashita.com/2010/05/29/passcode-security-flaw-update-its-a-bug-in-the-iphone-os-not-a-hack-of-ubuntulinux/


176 posted on 06/27/2010 1:52:12 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 169 | View Replies]

To: RightOnTheLeftCoast; PugetSoundSoldier

Looks like many of the macbots will be upset with your finding. If this is in fact a bug and not a feature it means the iPhone has been exploited in the wild.

If it was a feature it would be a weak feature by not putting security first; however, at least then it was a conscious decision to do so. As a bug it means the underlying OS wasn't inherently secure as many have claimed in the past.


177 posted on 06/27/2010 2:03:56 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 176 | View Replies]

To: for-q-clinton
"BTW: here’s an older article about iOS needing full device encryption."

Yes, that article is indeed old; it relates to the old 3G model. 3GS integrated hardware encryption to address issues like this and to comply with typical Exchange configuration requirements (which Android can't).

The media folder is decrypted when mounted by a connected computer. Currently (although I can't speak of iOS 4, with its updates) it seems that under some circumstances there is no PIN required to mount the media folder, which includes the user's photographs. In this way the iPhone behaves as an iPod or a digital camera does, at least in those circumstances. As of this moment I don't believe anything else of potential interest to an enemy (such as emails) is exposed even in the worst case, at least in a non-jailbroken iPhone. The screen-snaps that show no /usr, /var or similar folders support that comforting notion. Meanwhile, there is some reason to suspect that the race-condition fix I noted may indeed relate to this behavior and if so was fixed in iOS 4.
178 posted on 06/27/2010 2:06:50 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 173 | View Replies]

To: RightOnTheLeftCoast
Yes, that article is indeed old; it relates to the old 3G model. 3GS integrated hardware encryption to address issues like this and to comply with typical Exchange configuration requirements (which Android can't).

Actually, it can; there is software encryption available for Android to encrypt e-mail, select files, directories, or everything. Android can be locked down as strongly as desired. I've mentioned this to you before, I hope this time you actually get it.

179 posted on 06/27/2010 3:04:16 PM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)
[ Post Reply | Private Reply | To 178 | View Replies]

To: PugetSoundSoldier
"Android can be locked down as strongly as desired."

Not as strongly as required by most corporate Exchange implementations, which specifically require hardware encryption to enable fast remote-wipe among other things. Apple learned this when it initially implemented software encryption in iPhoneOS 3. Gotta be hardware. I'm not arguing that the resulting encryption is any "better," only that it doesn't meet the criteria met by Blackberry and iPhone 3GS-4.

I hope this time you actually get it, too.
180 posted on 06/27/2010 3:11:07 PM PDT by RightOnTheLeftCoast (Obama: running for re-election in '12 or running for Mahdi now? [http://en.wikipedia.org/wiki/Mahdi])
[ Post Reply | Private Reply | To 179 | View Replies]

