iOS 7 Bug Lets Anyone Make Calls From Locked iPhones (forbes.com)
66 points by pearjuice on Sept 21, 2013 | 39 comments

iOS7 definitely feels rushed. I work doing a lot of mobile web stuff, and the number of bugs in Safari in iOS7 is staggering. Here's hoping we see 7.1 very soon.

While I agree, they did pretty much redo everything on the UI while adding a bunch of features on the backend. They might have some more tricks up their sleeve later as well.

Not to mention a HUGE API diff, with several new (and good) Frameworks.

UIKit Dynamics is pretty cool, and so is Sprite Kit. Two of my favourites.

They are not getting enough credit for that.

Yeah. They deprecated almost the entire Game Center library. I was working on a game and when I updated to iOS7 I got tons of warnings. There is still more stuff that I need to update, but I'll do it later.

They aren't getting credit though because unless you're a developer, no one really cares. Most people want to see changes that affect them directly. That is something that I think Steve had a very good understanding of.

Isn't iOS 7.0.1 more likely?

Right, but iOS 7.0.1 is just fixing the critical bugs that should have been caught before release. It'll take more like a point version to fix all the bugs in Mobile Safari: http://www.mobilexweb.com/blog/safari-ios7-html5-problems-ap...

It's not like iOS users can install an alternate browser, either.

Every time the fact of Apple not permitting other browsers is brought up, someone always says "Yes they can" and points out Chrome, Opera, etc. But they can't. Apple won't allow any code interpretation in apps. That means no JavaScript at all. Which means a browser that's pointless on today's internet.

Opera Mini isn't a true browser and offloads processing to external servers because they can't interpret JavaScript locally (thanks to Apple's anti-competitive app store rules). The off-device rendering makes for a less-than-desirable user experience.

Chrome and every other "browser" in the iOS app store is just a custom UI on top of Mobile Safari. And it's not even a full-speed instance of it since it can't use the Nitro JavaScript engine. It's hobbled so it's slower than proper Mobile Safari. Chrome does add one other custom bit in that it inserts its own network stack underneath it. But it's still Mobile Safari within Chrome. It's not the Chrome/Blink engine and it likely never will be. Not unless those increasingly high walls start coming down.

They use the same renderer...

iOS 7.0.1 shipped yesterday.

So about 100% likely!

Give it time, iOS 7 has been out for just a couple of days.

Android's been out for 5 yrs and it still feels rushed. ;)

There seem to have been several lock screen bypass bugs over the years. Given that, you'd think they'd give it a hammering and find this stuff.

I'm sure I'm missing something, but given how many there have been wouldn't you at least stick an `assert(!isPhoneLocked())` or similar on entry to anything that shouldn't be accessible while locked?

IIRC most of these bugs arise because of things that should be available while the device is unlocked: the dialler and camera for example. Camera is supposed to restrict gallery access and the dialler is supposed to only permit emergency calls. I'd expect that every app trusted with running while the device is locked will have these bugs as Apple goes forward too.

The bugs seem to be a bit more nuanced than just testing for a locked device; the attacks seem to rely on performing actions simultaneously to exploit race conditions much like weird glitches in games. This class of bugs is really hard to test for due to the large search space. Model checking might offer a solution, but it's not a magic bullet by any means.

Speaking of games, that's exactly what the humble games tester spends a good chunk of time doing: uncovering bugs by coming up with weird things to try, like spamming input at unexpected moments.

... the company has focused too many of its resources on adding new features to handsets, and not enough ensuring that their basic functions work.

Couldn't have said it better. Crazy that we're only now getting number blocking. (Okay, that's a "new feature," but it's a pretty basic one.)

With this in mind, lock screens should be advertised as screensavers with passwords instead of actual lock screens; screens you tend to trust to protect your phone at all cost. Not screens of which you can't be 100% certain that they actually lock your screen.

Perhaps this is a "feature" and not a bug. News like this just makes me want to go back to using "dumb" phones. adjusts tin-foil hat Apple knows what they're doing.

I showed this to my girlfriend and she thought it was a feature - seeing that if you /really/ need to phone someone, why not allow this in Emergency Mode, as it's probably an emergency anyway? Yeah, I am not sure about that logic.

Just tested it and it really allows me to make calls even with the phone locked.

Tested it as well. Extremely easy to exploit.

There is no excuse for not having a fuzz-testing framework to catch issues like this. It's straight-up lazy.

Why does responsible disclosure go out the window when it comes to iOS lock screen issues?

Really? Any and all lockscreen bypass go straight to mainstream tech outlets. There have been plenty for Android. The real question is why does Apple have this problem with seemingly every major release? This is not a remote exploit and should be publicly shown.

Beyond that there are many that feel if Apple doesn't want to participate in having a more responsive approach towards security why should people go out of their way to play nice with them? Give and take, Apple has played out the "we don't respond unless it's in the interest of saving public face or potential sales losses" far too long. Being overly secretive is a bad thing today, especially with regard to consumers' expectation of going to bat for them when it makes sense. They've continually lost face with me (in this particular regard) over the years in their elitist stance. It's of their own doing and approach. And it's completely in their control to change.

Probably because Apple has never acknowledged a problem with their platform, let alone rewarded one. Apple's outreach to any kind of dev community is nothing short of awful.

I guess the official statement from Apple that they're working on the lock screen bugs is a case of "Apple never acknowledging a problem with their platform"? I guess they don't have a security-announce list where they post many bugs a month[1]. I guess the message to go along with iOS 7 that lists a bunch of security researchers who disclosed bugs to apple shows their awful relationship with developers[2]. What a bunch of FUD.

[1] http://lists.apple.com/archives/security-announce/2013/Sep/i...

[2] http://lists.apple.com/archives/security-announce/2013/Sep/m...

Now, now. We wouldn't want to let a pesky thing like reality get in the way of the Apple-hates-developers circle-jerk, would we?

Really? For all these years I've followed such things, nothing you said is true.

Apple regularly posts security updates and notices, and they acknowledge the people who find them.

Heck, even besides security, the claim that "Apple has never acknowledged a problem with their platform" is totally BS.

Steve Jobs himself apologized for the iPhone 4 antenna, and there was also a public statement from Apple about iOS Maps. And of course, they also have the usual recall programs, for things such as faulty batteries, HD and such.

So, FUD much?

Does that change ethical responsibility?

Maybe because it is a bug, not a vulnerability? Also, if someone with malicious intent can get physical access to your phone then maybe you will have much more to worry about?

Well, at least we found out about this the same time the NSA did.

For what it's worth, I'm unable to replicate this on a 5s running 7.0.1.

I tried it on my phone and it indeed works.

Was this fixed in 7.0.1?

I believe 7.0.1 fixed a fingerprint issue with the iPhone 5s.

As usual with Apple, eye-candy is much more important than security. Their BSD foundation is pretty good, and then everything they add on top of it, pretty shoddy as far as security goes.

I'm guessing Gruber and the rest of the Apple-crowd is not going to try to spin this one as vividly as they would have done, had this been an Android-exploit.

'As usual'?!?!
