Apple: Misdirected iMessages due to bad configuration, not a software bug

2»

Comments

  • Reply 21 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by jnjnjn View Post


    Non of the suggestions are needed in that case. All your data is exposed in that case, unless of course you use the obvious way to protected your information by setting a password.

    You can do a remote wipe to remove all your data.



    J.



    If the thief/finder of your locked iPhone pulls the sim card from it and installs it into their iPhone to activate iMessage, your iMessages will be sent to both the thief's iPhone and your replacement iPhone. And you will never know this is taking place.



    And as I described in an earlier post, this is especially troublesome if your phone is not stolen/lost, but you just have it simply lying around. Even when it's locked, if someone pulls the sim card from it for 30 seconds and uses it to activate iMessage on their iPhone, then places the sim card back into your locked iPhone. Your iMessages will be sent to both your phone and their phone. And you would never know this is happening.
  • Reply 22 of 39
    chiachia Posts: 713member
    Quote:
    Originally Posted by ski1 View Post


    If the thief/finder of your locked iPhone pulls the sim card from it and installs it into their iPhone to activate iMessage, your iMessages will be sent to both the thief's iPhone and your replacement iPhone. And you will never know this is taking place.



    Maybe the answer is to put a PIN code on your SIM, so that a thief/finder won't be able to activate the SIM card in the first place?
  • Reply 23 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by ChiA View Post


    Maybe the answer is to put a PIN code on your SIM, so that a thief/finder won't be able to activate the SIM card in the first place?



    The customer shouldn't have to go through this unusual step. Apple needs to stop ignoring this security/privacy issue!
  • Reply 24 of 39
    jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by ski1 View Post


    If the thief/finder of your locked iPhone pulls the sim card from it and installs it into their iPhone to activate iMessage, your iMessages will be sent to both the thief's iPhone and your replacement iPhone. And you will never know this is taking place.



    And as I described in an earlier post, this is especially troublesome if your phone is not stolen/lost, but you just have it simply lying around. Even when it's locked, if someone pulls the sim card from it for 30 seconds and uses it to activate iMessage on their iPhone, then places the sim card back into your locked iPhone. Your iMessages will be sent to both your phone and their phone. And you would never know this is happening.



    As is already said by ChiA, you sim should be locked. So you always need two passwords to access all the functionality of your iPhone.

    Without the pin code of the sim no one can use it.

    Unless ofcourse they know your pin code.



    As a reminder, full prove security doesn't exist. If your car keys are stolen, someone has access to your car, no matter how advanced your car security is.

    So you should never let your iPhone 'lying around', that's careless and unwise in the same way as letting your credit card lying around.



    J.
  • Reply 25 of 39
    jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by ski1 View Post


    The customer shouldn't have to go through this unusual step. Apple needs to stop ignoring this security/privacy issue!



    So you admit that this fixes the 'problem'. I can assure you that locking your sim isn't 'unusual' at all.

    It's highly promoted by all carriers I know of and it's the first thing you are instructed to do if you start using a new phone.

    I find it 'unusual' that you blatantly ignore all security measures and complain about security later on.

    I wonder if your care about security is the same for other brands.

    Read my previous post.



    J.
  • Reply 26 of 39
    This started happening to me within the last week and my phone is not misconfigured. Just started between a friend of mine and my phone.

    I would send him a text and his wife's phone would get and she would send back and it would show from his phone.

    It's intermittent since last week.

    Started for no reason and I do not have a new phone. I have a 4 running latest IOS.
  • Reply 27 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by jnjnjn View Post


    So you admit that this fixes the 'problem'. I can assure you that locking your sim isn't 'unusual' at all.

    It's highly promoted by all carriers I know of and it's the first thing you are instructed to do if you start using a new phone.

    I find it 'unusual' that you blatantly ignore all security measures and complain about security later on.

    I wonder if your care about security is the same for other brands.

    Read my previous post.



    J.



    I find it 'unusual' that Apple blatantly ignores this security/privacy issue. No other phone has this security/privacy issue. This is a design flaw/bug Apple should fix! If Apple refuses to fix this security/privacy issue, then they need to actively promote locking the sim card for all customers. Because most customers have no idea of the unique iMessage security/privacy risk of not locking the sim card on the iPhone, and most customers (US customers) don't even know it's an option!
  • Reply 28 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by jnjnjn View Post


    As a reminder, full prove security doesn't exist. If your car keys are stolen, someone has access to your car, no matter how advanced your car security is.

    So you should never let your iPhone 'lying around', that's careless and unwise in the same way as letting your credit card lying around.



    J.



    Poor analogy! If you have your locked laptop lying around for a minute, you don't have to worry about someone easily & forever hijacking your messages to their laptop, without your knowledge. This is the case with the iPhone and iMessages. Of course nothing is 100% security proof. But this iMessage issue is a major security/privacy risk that needs to be fixed by Apple, instead of them ignoring it.
  • Reply 29 of 39
    jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by ski1 View Post


    Poor analogy! If you have your locked laptop lying around for a minute, you don't have to worry about someone easily & forever hijacking your messages to their laptop, without your knowledge. This is the case with the iPhone and iMessages. Of course nothing is 100% security proof. But this iMessage issue is a major security/privacy risk that needs to be fixed by Apple, instead of them ignoring it.



    The anology is excellent, it's your thinking that's flawed.

    Every mobile phone with a sim card has the risk that personal data is exposed if the sim card is unlocked. Depending on de capabilities of the phone and the data saved on the card the risk is more or less. So you should never forget to lock your sim.

    And that fixes the security 'issues'.

    I wonder how many creditcards you have lying around.



    J.
  • Reply 30 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by jnjnjn View Post


    The anology is excellent, it's your thinking that's flawed.

    Every mobile phone with a sim card has the risk that personal data is exposed if the sim card is unlocked. Depending on de capabilities of the phone and the data saved on the card the risk is more or less. So you should never forget to lock your sim.

    And that fixes the security 'issues'.

    I wonder how many creditcards you have lying around.



    J.



    Sorry, but my analogy & thinking is excellent, it's your analogy and thinking that is flawed on many levels. Correct, every GSM phone has a sim card with inherit security risks. But only an iPhone with iOS 5.0, can a iPhone hijack messages from another iPhone, without the user knowing about it and/or stopping it. On all other phones, if a sim card is lost or stolen, it can be deactivated. And the sim card can no longer be used to receive messages. And only one phone with an installed and valid sim card can receive messages. But on the iPhone, once iMessage is activated with the sim card, it never verifies the sim card again for messaging. Big time flaw! So even when the sim card is removed or deactivated, the phone still receives iMessages! Very big difference! Which is even more troublesome is if someone 'borrows/steals' your sim card for just 30 seconds to activate iMessage on their phone. Even when they replace your sim card back into your phone, their phone will still receive your iMessages. Without your knowledge! No other phone has these issues. Only the iPhone! Apple simply needs to fix this bug/design flaw! Or educate their customers about the unique to iPhone risks of iMessage and highly recommend all customers to pin lock their sim. They have done neither!



    Btw, using your flawed credit card analogy, I will know if someone uses my credit card number. And I can cancel the credit card so it can no longer be used. But with the flawed design of iMessage, I have no way of knowing if someone else is also receiving my iMessages! And deactivating the sim card does not prevent them from still receiving my messages.
  • Reply 31 of 39
    jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by ski1 View Post


    Sorry, but my analogy & thinking is excellent, it's your analogy and thinking that is flawed ... .



    Repeating your arguments doesn't make your case any better.

    Your wrong about this and if you cannot conclude that from my previous posts (and the posts of others), you never will.



    J.
  • Reply 32 of 39
    ski1ski1 Posts: 251member
    Quote:
    Originally Posted by jnjnjn View Post


    Repeating your arguments doesn't make your case any better.

    Your wrong about this and if you cannot conclude that from my previous posts (and the posts of others), you never will.



    J.



    I have proven my argument is very valid, as have many people in other articles and forums. And I have proven your argument is very flawed. You are wrong about this issue. Sorry you fail to understand why your argument is flawed.
  • Reply 33 of 39
    Quote:
    Originally Posted by ski1 View Post


    It is a bug. The same results happen if you were to sell your phone, or if it's lost or stolen. Below are the details:



    http://arstechnica.com/apple/news/20...rong-place.ars



    and on this Apple forum thread...



    https://discussions.apple.com/message/16858629#16858629



    Quote:
    Originally Posted by Wiggin View Post


    Sounds like a bug to me, based on that story.



    MobleMe had a way to remove clients from the list of synced devices. I guess that was another feature Apple dropped when they replaced MM with iCloud.



    Yup, not the bug they thought was being implied, but a bug nonetheless. If I wipe a device remotely then no data of any kind belonging to me should be re-appearing on the phone, period.
  • Reply 34 of 39
    Quote:
    Originally Posted by ski1 View Post


    I find it absurd that Apple engineers have known about this design flaw/bug for at least two months and they are still blowing off this security issue. Pretty sad.



    LIKE



    Add a like button to posts AI & stop asking me to write over 5 characters. Geesh, short by 1!!
  • Reply 35 of 39
    Quote:
    Originally Posted by Corrections View Post


    Mobile phones aren't IP devices. They're on a custom network that (in GSM land) identifies devices based on their unique device ID stored on the SIM card. If you want to be able to send SMS, you do that through the carrier and it takes care of all that.



    Never said phones were IP devices, don't know where you go that from.

    They could easily end up becoming them, but nothing in my post requires that.



    The problem is that iMessage on the iPhone of someone sending a message does a lookup of the recipient (by mobile number), an routes message via iMessage platform if that number is tied to an iMessage account.



    You are quite correct, the mobile networks are addressing and tracking devices by ID, not by mobile number, but that is not where the security flaw is. The security flaw is due to unthought through handling of "mobile to iMessage user" identifications, and the consequences of not thinking that through - ie a more formal verification method, and auto reverification on a quite frequent interval.



    Quote:

    For Apple to offer iMessage as a more powerful alternative that can bridge the Internet and work with IP connected iPads and Macs, it has to tie device identity to something, and SIM cards supply the unique ID.



    Nobody is criticising the existence of the iMessage platform, indeed it is a step in the direction we are clearly heading (separation of platforms and connectivity provision).



    Further, the security issue we are taking about (let's says issues - as some people are talking about different ones, or certainly different implications / exploits) only relates to the SIM card interplay, and the one issue / aspect of the issue I am talking about relates to iPhones, not other devices.

    Although, the victim need not even be using an iPhone, it is the victims friends who need to be using them.



    Quote:

    Complaining that things didn't work like they did in the 80s when you were swapping SIM cards with your friends is rather silly.



    That is not what I complained about at all.

    I was pointing out that it broke long established conventions on the operation of devices and where separations occur.



    The security issues are a direct result of doing this.



    Quote:

    I you don't want to mix up your devices and IDs, it's pretty simple:



    - don't turn on iMessage and then change your SIM card!

    - if you do decide to swap around SIM cards, disable iMessage first

    - if you sell your phone, turn off iMessage first



    Not exactly rocket science



    We are taking about a serious security flaw enabling pairs of rogue / faked sims, to be used to populate fraudulent entries into the iMessage database, theirby investing SMS messages originating on iPhones AND/ALSO allowing spoofed incoming messages to iOS phones
  • Reply 36 of 39
    Quote:
    Originally Posted by hezetation View Post


    LIKE



    Add a like button to posts AI & stop asking me to write over 5 characters. Geesh, short by 1!!



    The last thing we need is social networking integration.
  • Reply 37 of 39
    Quote:
    Originally Posted by Tallest Skil View Post


    The last thing we need is social networking integration.



    That's actually a pretty standard forum feature. Really it doesn't matter all that much to me, was being a little facetious.
  • Reply 38 of 39
    ski1ski1 Posts: 251member
    Apple Compensates Victim of iMessage Bug for Breach of Privacy -



    http://www.macrumors.com/2012/02/06/...ch-of-privacy/
  • Reply 39 of 39
    Quote:
    Originally Posted by anmily View Post


    I think it's ridiculous, apple engineers at least two months this one design defect/mistakes, but they still blow the security problem



    Would you mind rephrasing that in the form of a sentence, please?
Sign In or Register to comment.