• On GameFAQs: The top 10 most tiring games
advertisementClick to Save up to $300/yr on calls
October 7, 2008 2:53 PM PDT

Another iPhone bug?

Posted by Elinor Mills
  • Font size
  • Print

Setting the iPhone to emergency call mode allows someone to see incoming text messages even if the passcode lock is turned on.

(Credit: Karl Kraft)

A 12-year-old who uses his iPhone mostly for texting with his girlfriend has discovered what looks like a new vulnerability with the device.

The unnamed boy, son of blogger Karl Kraft, turns on the passcode lock and disables SMS Preview in order to prevent his parents from seeing any messages, Kraft wrote on his blog.

Those settings block the display of incoming text messages and show an alert saying "New Text Message" if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.

"Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message," Kraft writes.

Apple representatives did not return e-mails seeking comment.

A different security hole related to password-protected iPhones was discovered in August, and last month a researcher disclosed that the iPhone captures all the activities of a user in order to enable the cool fading applications effect.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

iPhone

Tags:

Apple,

iPhone,

security,

privacy

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Apple
Yes, Apple should sell a $99 iPhone
Google Earth browser plug-in arrives for Mac
Analyst: iPod shortage spreading
Apple looking for Psystar's backers
iPhone app promo codes trickle out
Apple deletes Mac antivirus suggestion
Analyst says iPhone kept smartphone growth alive
Entertainment dominates top iPhone applications
Add a Comment (Log in or register) 49 comments
by BruinGuy October 7, 2008 3:18 PM PDT
The iPhone is starting to resemble I.E. 6.
Reply to this comment
by M C October 7, 2008 3:41 PM PDT
That is, if your friend could come over, get on your computer and personally mess with your IE6 to make it not work right.

The whole point with a locked phone is that NO ONE CAN PICK IT UP AND PUT IT INTO EMERGENCY MODE AGAINST YOUR WILL. Geez.
by rapier1 October 8, 2008 7:48 AM PDT
This somehow makes it acceptable? If the idea that physical access trumps all security concerns then why even bother with passcode locks on any portable device? No, if you are going to implement a feature then you owe it to your users and your investors to do it right.
by goodspeed8701 October 7, 2008 3:19 PM PDT
having you ever eaten an apple with a worm in it? well buy an iphone and you will feel like that.
Reply to this comment
by M C October 7, 2008 3:38 PM PDT
Insert clever joke that only I think is funny here.
Reply to this comment
by EbsanU October 8, 2008 8:20 AM PDT
Haha. I mean of course there are gonna be "massive" security holes in a device that's always at the front of the headlines. All phones have 'em, we just don't care enough.

And seriously, the best security fix to this is to keep your phone with you, and not give your parents the chance to even touch the phone.

On another note, the title of this article is entirely misleading. Looks like the parent found the security hole, not the 12 year old kid.
by jtaylor475 October 7, 2008 4:36 PM PDT
Anybody else wonder how a 12 year old manages to get an iPhone, a girlfriend, and convince his dad he deserves complete privacy? Either the brat is 18 or his dad is an idiot. Or both. In any case I expect a message soon: "Bobby, I'm knocked up. I thought you said if we did it by your iMac I couldn't get pregnant!"
Reply to this comment
by speechup October 7, 2008 9:34 PM PDT
Nice! You got it!
by etiahwhite October 7, 2008 9:56 PM PDT
lol...easily one of the funniest comments eva
by fooldog01 October 8, 2008 6:50 AM PDT
hahahaha
by Lerianis October 8, 2008 1:22 PM PDT
You are an absolute idiot, jtaylor475. The fact is that parents who KNOW WHAT THEIR CHILDREN ARE DOING AND KNOW THAT THEY HAVE A GIRLFRIEND (which, by the way... most children have in ELEMENTARY SCHOOL NOW!) are less likely to have a child get a friend pregnant or get pregnant themselves.

Secondly, I gave my children this much privacy.... and it wasn't a problem. The fact is that children DO DESERVE PRIVACY. If you don't give them that.... they are going to start hiding EVERYTHING from you, and you are going to have quite a few problems.
by jtaylor475 October 10, 2008 9:45 AM PDT
To the parent who called me an "absolute idiot" for believing 12 year olds don't need COMPLETE privacy: thank you for demonstrating something else you're teaching your children: to insult and berate those who don't agree with you.

Way to go!
by bornlikethis38 October 12, 2008 8:39 AM PDT
lol, i love this dude! *clapping repeatedly*
by Muhammad I. October 12, 2008 12:23 PM PDT
What's wrong with a 12 year old having an iPhone, girlfriend, and some privacy?
by azn_maxx300o October 13, 2008 1:12 AM PDT
agree
by 052499 October 22, 2008 12:17 PM PDT
well said!
by jumpjetta October 7, 2008 4:41 PM PDT
Who. Cares.

If ur srsly worried bout some1 c-ing ur im drivel...

...about all the inane things that happen in your life, than you probably really need a reality check, or you're the type that thinks it's okay to send credit card numbers via email, too.

Besides, how many total iPhone "security" issues (if you could actually call this one) have there been? Three?
Reply to this comment
by sflocal October 7, 2008 5:09 PM PDT
I'm still trying to get past the 12-year-old having an iPhone!
Having a girlfriend is a very close second.
Daddy is having priority issues here.
by Hernys October 7, 2008 5:56 PM PDT
What? You call "being able to see confidential messages without being logged in" a non security issue?
You've seriously drinked the kool aid...
And before you say that an SMS is not confidential, think that it is about as confidential as email, and this is in a device that has explicitly been set up not to show SMSs without being logged in.
I think there have been more than three security issues with the iPhone 2.0 (a single update last month alone fixed about eight vulnerabilities), but even if there were three, three in less than two months for a phone is some sort of a record.
by blakestar October 7, 2008 5:06 PM PDT
How do you "place the phone in emergency mode"? If doing so requires physical access to the phone and knowledge of the passcode to get into the device then this doesn't sound like much of a security issue.
Reply to this comment
by newmacgyrrl October 7, 2008 5:18 PM PDT
I agree. I believe all you do is swipe the phone and instead of typing in the passcode you hit "Cancel" and it displays the keypad for emergency phone calls. This really isn't that much of a security hole within the phone itself.
by newmacgyrrl October 7, 2008 5:29 PM PDT
Correction -- after swiping the phone on you hit the Emergency Call button and can then make calls or receive messages.
by Vegaman_Dan October 7, 2008 5:29 PM PDT
The iPhone was never promoted as being a secure device. Anything that allows all applications to run as root cannot be considered as anything other than unsecure.

Once you realize that you have no privacy or security on the device, then it's fine. People should be careful of what they have on there in the first place and place less faith in the device to do the monitoring for them.
Reply to this comment
by ashwinkn October 12, 2008 11:57 AM PDT
When Apple first announced the 2.0 software update, one of the things they were promoting was increased security for enterprise users. I don't know who would use an insecure device in the enterprise.
by sciontcya October 7, 2008 5:41 PM PDT
"Unnamed son" is really Tommy Krazit and now he has no date this weekend.
Good lord, is this really all CNET has?
You're like SNL picking on Palin week after week.
Reply to this comment
by TechSlap October 7, 2008 5:48 PM PDT
alright... Seriously get something better to right about. It seems like your running out of stories. This is far from a security flaw. Nothing really with security nor flaw. Its about a kid and a text message... Yeah... Big news guys.
Reply to this comment
by fdunn3 October 9, 2008 4:42 PM PDT
"Seriously get something better to right about."

I think you meant "Seriously get something better to write about."

When one can't even use the correct words to convey thought I'll dismiss that thought.
by ferretboy88 October 7, 2008 6:38 PM PDT
Like a slice of swiss cheese.
Reply to this comment
by anilsudh October 7, 2008 6:54 PM PDT
Slow news day huh!!! Get a real job
Reply to this comment
by maverick_nick October 8, 2008 4:04 AM PDT
Ha ha... fanboy - LMAO
by rapier1 October 7, 2008 8:45 PM PDT
Generally speaking, people lock phones because they want to prevent other people from being able to access the information on the phone without a passcode. This is, as far as I'm aware of, the expected behaviour. If people who have access to the phone do not need a passcode to access information on the phone then this seems like a problem. I'm not sure how people can argue that this isn't a problem.
Reply to this comment
by anilsudh October 8, 2008 9:59 AM PDT
People who lock their phones are stupid, idiotic, morons
by mikeburek October 7, 2008 11:28 PM PDT
When CNet reports news, they don't just report the one huge story that will impact all life as we know it, they report lots of news items. Some things just aren't huge. What is wrong with reporting lots of things if those things are reported correctly, unbiased, well written, and supported by fact? What did all these people think they would read about in an article title "Another iPhone bug?" Did they think CNet put the wrong title on a story that can predict the stock market?

And yes, when a very widely adopted device says it is secure, but can easily be fooled, then that is a security problem.
Reply to this comment
by dmjossel October 8, 2008 2:01 AM PDT
"Generally speaking, people lock phones because they want to prevent other people from being able to access the information on the phone without a passcode. This is, as far as I'm aware of, the expected behaviour."

All that means is that many people use things for purposes for which they were not intended. Which is true. Phones had locks on them before they ever had any significant amount of "personal" information on them, and in many cases, even then the information was actually stored on the SIM card, and not in the phone's memory. SIM cards usually have their own, separate locks-- but with this, as in all cases, physical access eventually trumps nearly every reasonable security precaution you can put in place.

Phones have locks to prevent unauthorized persons from making calls and thus costing you money. This so-called flaw does not allow that.

This may be a behavior that people don't expect. It may be something Apple should patch. But to call this "insecure" is a real stretch. You shouldn't be sending information that needs to be "secure" in an SMS.

This is a non-issue and a non-story.
Reply to this comment
by rapier1 October 8, 2008 7:45 AM PDT
I have a few hairs I'd like to have split. What are your rates?

Seriously, I do agree with you insome ways - with physical access and a complete dedicated to break any security most any device is insecure. However, passcodes aren't about providing the highest level of security but discouraging the most frequent and most likely security issues. Its not about turning your iPhone into Fort Knox, its about locking the door and closing the windows when you park your car. If *any* company failed to provide this very basic level of functionality they should be taken to task for it.
by BLipman72 October 8, 2008 5:02 AM PDT
There is an emergency call button on the enter passcode screen. You do need physical access to the phone to see the incoming messages. It is not as siginficant as the last bug where your data could be accessed.
Reply to this comment
by tipoo_ October 8, 2008 7:25 AM PDT
how does a 12 year old have an iPhone AND girlfriend?
Reply to this comment
by DigitalFrog October 8, 2008 9:19 AM PDT
Maybe he got the girlfriend because he got an iPhone? I think there was a rumor that GFs were an available option.... :)
by Rick Cavaretti October 8, 2008 7:39 AM PDT
I see no problem. I too would be worried about a 12 year old with a girlfriend, so think about it as a parental security feature.
Reply to this comment
by Lerianis October 8, 2008 1:25 PM PDT
You know, I just LOVE people who are living in the stone age and don't realize that children have girlfriends and boyfriends in ELEMENTARY SCHOOL now! What year are you living in: 1593? Oh wait..... they had girlfriends and boyfriends THEN as well at 12!
by BruinGuy October 8, 2008 7:42 AM PDT
Is there any wonder why business consider Apple products toys and don't deploy them?

Could you imagine the humiliation a CIO who has deployed iPhones is going through right now? Better to leave that tidbit off the resume.
Reply to this comment
by anilsudh October 8, 2008 9:57 AM PDT
I think you company will be the next one to go bankrupt
by shinji257 October 8, 2008 8:30 AM PDT
@blakestar: You do not need the passcode to use emergency mode. Emergency mode is basically you can dial 911 and that is it.

@Vegaman_Dan: Applications do not run as root. There are two users on the iPhone. mobile and root. mobile is what they run as.

@dmjossel: It's an issue because Apple has a switch that allows the user to enable or disable the preview when the screen lock is in use. This is regardless of the passcode. If the screen lock is active the sms messages should not be visable at all (i.e. no preview). Emergency mode still has the screen lock enabled so it should not be showing sms previews.
Reply to this comment
by moshelinho October 8, 2008 10:06 AM PDT
how is that a bug? its a feature, isnt it?
Reply to this comment
 See all 49 Comments >>
advertisement

In the news now

Slowing expectations at a green-tech start-up

Six months ago, biofuels start-up Mascoma had the wind in its sails, as did the rest of the clean-tech sector. Now, the company is treading carefully and scaling back.


With JavaFX, Sun seeks new coders, new revenue

With the launch of JavaFX 1.0, Sun is trying to reclaim Java's strength as a foundation for rich Internet applications. But it's no longer the incumbent.


Tim Lincecum, motion capture star

San Francisco Giants pitcher, who won the Cy Young award last month, dons a motion capture suit for 2K Sports' Major League Baseball 2K9 video game.


About Apple

At the start of the 21st century, there's no tech outfit more influential than Apple. CNET News' Tom Krazit and other reporters will attempt to make sense of the rumors, hype, products, and people that will shape the future of the company. But Apple's not the only game in town, as the established cell phone companies and others strike back against the iPhone. E-mail Tom at Tom.Krazit@cnet.com.

Add this feed to your online news reader

Apple topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET