Date: Sat, 3 Apr 2010 18:38:50 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "Full-Disclosure@...ts.grok.org.uk" <Full-Disclosure@...ts.grok.org.uk>
Subject: Check those default iPhone settings...

I recently discovered that my iPhone 3Gs' default setting for Voice Dial is set to "on" when the phone is locked.

If you have the 3Gs, you might want to check your settings. I have my phone set to lock immediately and to wipe upon x number of incorrect unlock attempts; however, I missed the "Voice Dial - OFF" setting since it said "voice dialing is always enabled." With it enabled (on), when the phone is locked, you can hold the menu button down, invoke the Voice Dial, and tell the phone to "Dial 800-555-1212" and it will. You can also say "Dial John" or something, and if you have multiple Johns (insert "ex" joke here) then it will read them all off to you while displaying their full name on screen. You can then select whichever one you want and it will dial them.

There are other far-fetched scenarios where you could intercept address entry phone number via GSM mitm or rogue base-station installs without ever unlocking the phone, but that's SciFi conspiracy fodder. I guess social engineering would be easier with "Call Mom" or "Call work" scenarios, but again, that's more speculation. Of course, it would be easy to find out someone's cell number by having a locked phone dial your own for caller ID, but now I'm just making crap up to sound cool. The most fun I had was making up crass and disgusting things to say to the phone and seeing who on my list it called. It is actually uncanny how accurate it was when I called my phone a "limber di** **ck su***r" and saw who it dialed. (For all you Deadwood fans out there).

Anyway, check your default settings if you have the iPhone.

t

Timothy "Thor" Mullen
www.hammerofgod.com
thor@...merofgod.com