iOS 12.1 Vulnerability

This is really just to point out that computer security is really hard:

Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group FaceTime calls to give anyone access to an iPhone user's contact information with no need for a passcode.

[...]

A bad actor would need physical access to the phone that they are targeting and would have a few options for viewing the victim's contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:

  • Select the FaceTime icon
  • Select "Add Person"
  • Select the plus icon
  • Scroll through the contacts and use 3D Touch on a name to view all contact information that's stored.

Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don't know the number, saying "call my phone." We tested this with both the owner's voice and a stranger's voice; in both cases, Siri initiated the call.

Posted on November 8, 2018 at 6:35 AM • 9 Comments

Comments

Pseudon • November 8, 2018 8:33 AM

Turning off Siri when locked (reasonable idea anyway) helps if someone doesn't know your phone number.

Timothy • November 8, 2018 9:27 AM

The same security researcher who found this flaw, José Rodríguez, also found another 'lock screen bypass flaw' that would allow a researcher/attacker to use Siri (in iOS 12.0.1) to access photos on a locked phone in 13 steps.

According to this article the cause of these flaws is the VoiceOver accessibility feature that can be activated by Siri on a locked phone, allowing users to perform certain tasks without having to unlock the phone.

This feature can be disabled via: “Settings → Siri & Search and turn off Allow Siri when locked.” Here is a tweet that shows the settings page.

The article says that updates from Apple were expected late last month. Has this been updated already?

Here is the security content for the Apple iOS 12.1 update.

Hat tip to @Clive Robinson for mentioning the above in last Friday's squid post. Fun and worthwhile read.

Thunderbird • November 8, 2018 10:02 AM

This feature can be disabled via: “Settings → Siri & Search and turn off Allow Siri when locked.”

Interactions between features frequently cause security "surprises." I wonder if turning off "Allow Siri when locked" will prevent using Siri through the car when driving? In spite of the surreal spelling and typographic errors it introduces, many people would probably miss the ability to have texts read to them and to reply verbally.

Brad • November 8, 2018 11:16 AM

"I wonder if turning off "Allow Siri when locked" will prevent using Siri through the car when driving?"

Yes it does, unless it happens to be unlocked (for instance you might use waze in the car which prevents the phone from going to sleep / locking).

Cincinnatus__SPQR • November 8, 2018 7:18 PM

Let's be blunt: ironclad computer security for internet-connected devices is a pipe-dream. If a device touches, can touch, ever touched, the big collection platform, then it is not secure. That is the uncomfortable truth of the matter.

Clive Robinson • November 8, 2018 7:57 PM

@ Thunderbird,

In spite of the surreal spelling and typographic errors it introduces, many people would probably miss the ability to have texts read to them and to reply verbally.

That "voice control" mode whilst driving should be as illegal as "typing when driving". Because the driver is being distracted and is thus much more likely to have an accident than when concentrating on driving.

And yes, I'm biased in favour of increasing, not decreasing, road safety by force of law. If we want a prime area to observe the Dunning-Kruger effect in play, "Drivers with gadgets" is an easy find.

Having been a cyclist, it was easy to spot bad driving of the slow response to road conditions sort. The only thing that had to be verified was if it was due to "alcohol", "playing with gadgets" or "should never have been licensed". They were all as bad as each other. Playing with gadgets was usually the easiest to spot as they headed towards you with self absorbed abandonment of attention to the road...

Clive Robinson • November 8, 2018 8:54 PM

@ Timothy,

According to this article the cause of these flaws is the VoiceOver accessibility feature that can be activated by Siri on a locked phone

I've been "mulling it over" in my head for the past few days and I suspect that the true underlying problem is much broader. That is, it's down to a design methodology.

If you have an existing system and you wish to augment it in some way then you have two basic choices,

1, Layer it on.
2, Fully integrate it in.

Generally adding a new feature as a layer on top of an existing code base is the easiest thing to do as it reduces both "hooks and testing", but it has its downside in that you lose a lot of "fine control" in the process, as well as it being inefficient in the use of resources.

Fully integrating in gives you as much or as little fine control as you want, but it means digging into the existing code base, which is liable to be very much more error prone, take longer to design, produce and test along with involving more people.

However, you cannot layer on more than one or two augmentations before they become overloaded at the interfaces, effectively forcing a complete redesign to integrate some or all of them...

It will be interesting to find out which approach Apple took.

But it also raises another issue which is one of "natural limits".

In the physical world there are always limits on what you can do due to, amongst many other things, "structural strength". Each time you add something you affect the structural integrity. There are enough "disaster examples" around to tell engineers that there are very real limits on what can be done.

The classic example of layering v integrating in the real world was "bolts/rivets v welding" in iron work. However, making holes for bolts/rivets reduced structural strength, thus additional "plates" would have to be added, and these in turn degraded structural strength. Welding resolved the hole & plate issue but in turn caused other issues such as "built in stress" which weakened structural integrity in a different way.

In software however software writers tend to view things not in the way of "structural strength", but more "how much can I force in the box".

I've said in the past that if we could see code like a physical object we would be disgusted by what we would see in the way of gaping wounds, festering boils and total disfigurement that can quickly develop on what might once have been an elegant or at least acceptable design. But we don't see it, so such Frankenstein augmentation is "out of sight, thus out of mind".

Security has a lot more to do with structural integrity than how much spare space there is in the box. Thus I wonder if security failings are a form of "early warning", like cracks in walls, that the entire structure is about to break under its own weight...

wordragon • November 9, 2018 10:52 PM

(Parenthetical comment) - As it happens, I loaded 12.1.1(b)2 on Thursday morning, and tried this - it did require authentication before it would show me the contacts.

We'll probably never know, but would LOVE to know when Rodriguez actually found the bug (presuming he had access to the betas), and whether and when he notified Apple. I doubt he loaded the new release, found the issue, and put together a press release in that amount of time, but would really be interested to learn if Apple releases the OS with that kind of known issue.

John • November 12, 2018 2:18 AM

After turning "allow Siri on lock screen" off and on again, Siri won't listen to the voice of a stranger anymore.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.