lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTikKRrPuC0MVN0Eaj2Hduu-nXgMl7757GV1eLUpM@mail.gmail.com>
Date: Tue, 18 May 2010 15:45:49 -0700
From: "Zach C." <fxchip@...il.com>
To: Bernd Marienfeldt <bernd@...x.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: iPhone data protection flaw

The iPhone uses proprietary protocols over USB for file operations, syncing
and the like -- only real authentication that I can recall (and I got it
working to begin with ;)) was that the session with lockdownd (kind of a
broker for starting services, etc.) eventually goes SSL... there is also
device pairing but it is really trivial to do and doesn't restrict the
computer at all.

Just so happens that Lucid Lynx might include libimobiledevice,
ifuse/gvfs-afc and all the necessary components now. :)

But yes, as another poster mentioned, you're jailed to your Media directory
unless jailbroken and connecting to afc2.

Sent from my Android phone

On May 17, 2010 3:35 AM, "Bernd Marienfeldt" <bernd@...x.net> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've recently upgraded to Ubuntu Lucid Lynx (10.04 LTS) and been
surprised by the iPhone 3GS (3.1.3 - 7E18) mounting behavior:

Fully switch off the iPhone 3GS and then connect it to the Lucid Lynx PC
via USB, the phone turns on and will be automatically mounted without
any authentication challenge (PIN), allowing read/write access to your
various local data, e.g. purchases, DCIM, Downloads, Photos, Recordings etc.

Obviously there are other flaws discovered, see [1] which might be even
worse depending on your security policy and requirements.

Can people confirm same behavior with other iPhone models and OS's ?

Cheers Bernd

[1]
http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/
or http://tinyurl.com/yyjpfbn

- --
Bernd Marienfeldt (Information Security Officer LINX)
London Internet Exchange Ltd. Trinity Court, Peterborough, PE1 1DA
Registered England and Wales number 3137929

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvxGlYACgkQuhj/IfS3mc5XegCg6Sh5Twpd/hmsigKBDOPyxU5e
+i4AoNBuLuJKrBkYyK6G/MD+s5PMD5XC
=9PPI
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ