
Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

Security risks of security hyper-awareness

Most of you know me as a longtime participant in the Security forum, and I think I mostly have at least a little clue about security in the digital world.

Today I lost my iPhone 4 — it disappeared in the course of three minutes from a known location — and I did not have the Find My iPhone App installed which probably would have helped me find it in short order within the facility. Under the circumstances, a phone "lost" at this location that was not located in an hour is certainly gone for good. Crap.

The reason I didn't have the Find My iPhone app is that when I got my phone ~5 months ago, I knew very little about the whole Apple ecosystem, and I was quite paranoid that my own ignorance would lead to massive information leakage.

We see stories all the time about how Apple or Microsoft or Google or Nokia leverage their customer base in ways that their customers may not be quite so happy about, and though I don't mind some information leakage, I do mind information leakage I have no clue about.

So I was excruciatingly careful about what kind of applications I would allow onto my phone, in part because if I lost my phone, I couldn't risk compromising customer information.

I never logged into Facebook from my phone, did not set up email, and did not even install my SSH keys into the vSSH secure shell application. "I don't know enough" was my mantra. I even avoided the Apple iCloud offering because I just didn't know enough.

Remember: if you're not paying for a service, you are the product, and you probably don't know their angle. So I avoided intersections with other angles.

Even though find-my-iPhone is offered by Apple, anything free comes with a potential angle, and since I'd have to agree to give it access to Location Services, I was not sure that Apple wouldn't use this as license to track me all over Hell and back at all times. So I avoided it for the time being.

Over time I've gotten a decent sense for what's what in this thing, and if I were presented with a choice yesterday (or at 1:15PM today), I'd probably have grudgingly allowed it.

So here I sit, with a fighting chance at having avoided having my privacy violated, nevertheless being out the ~$500 for a new iPhone I'll be buying tomorrow. The old one was subsidized, the next one won't be.

Note #1: those who suggest I avoid an iPhone altogether have to trust that I made my choice for a very good reason.

Note #2: I am normally exceptionally vigilant about my phone, but at the time I was refilling an ATM with thousands of dollars of cash, in public, and it appears that my vigilance around ATM refills (which may impact my personal safety) trumps the vigilance about my $500 phone. How about that.

In life you cannot do only one thing, and it appears that my hyper-vigilance surrounding my phone cost me the ability to locate that phone.

Bummer.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

1 recommendation

Sorry to hear about a ~$500 hit.
I'll take an educated guess that whatever value you place on your ability to know what's going on under the hood it's considerably more than $500.
I hope so, no, I know so.
Would you use a free iphone preloaded with unknown apps if offered to you to save the $500?
You'd consider the source of the free offer then decline it.
Obviously at a junction you made a choice to be out $500 than compromised.
IMO, that's still the right choice.
It only takes one app to turn you upside down while the definition of "rogue app" is still being written.

So you use the find my phone app & get your phone back from places unknown.
That leaves you with a phone that can't be trusted.
/opinion


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3

1 recommendation

reply to Steve

I'm not an iPhone fan and I don't know much about them either, so I have to ask: does the iPhone have a feature like Android, which enables you to lock it and wipe all its data remotely?
--
You can catch the Devil, but you can't hold him long.

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to Steve
Well, chances are somebody took it, and you wouldn't see it again anyway, as the GPS information is pretty useless even to police, just like that Sprint story where a poor guy has all sorts of people thinking he has their phone.

Apple also has made it too easy to enable thieves of iPhones in the past, and I'm not sure if they have changed their policies.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.


sbconslt

join:2009-07-28
Los Angeles, CA
reply to Steve
Report the IMEI. Or does that not do anything?

[edit] Hmm well, it won't hurt. They recommend it here, to both your carrier and the police. »www.fcc.gov/guides/stolen-and-lo···-devices


ashrc4
Premium
join:2009-02-06
australia

2 edits

1 recommendation

reply to Steve
Did you record the phone ID info and report it?
An option would be to report it to Apple first (the unique Apple device ID). If the new owner decides to use iTunes etc. they may use their credit card. If you report it properly the device will just get locked out of a particular area's cell use. Not sure how this would go.

This is specific advice only for Steve:
Try ringing the phone first.
Report the SIM card as stolen only, first.
Then see if Apple can/will play ball and agree to notify you if the device gets verified online. Registering the device requires a lot of identifying information. If the new owner assumes that the purchase was legit, or that it will work on the cell network because it was never reported stolen, they may risk attaching it to iTunes.
Once Apple acknowledges that the device is active, you then report that to the police.
Report it stolen after, say, 1 month if no contact from Apple.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to Steve
said by Wildcatboy:

Does Iphone have a feature like Android, which enables you to lock it and wipe all its data remotely?

I believe there's a remote wipe facility but it would have required setting up in advance — which I'm pretty sure I didn't do — but in any case I had always operated the device assuming I would lose it, and didn't keep anything terribly sensitive on it. Thankfully it was backed up regularly onto my desktop (but not into the cloud). We'll see just how much I get back.

The find-my-iPhone app really does work well, but as I looked into it, it requires another iOS device in order to activate it. I don't own another iOS device, so perhaps I'd not have been able to really jump on this. Maybe there's a web-based way, I don't know. I'll certainly find out with the next one.

I know enough now to be OK with the find-my-iPhone app, but at first I was uncharacteristically humbled by my own dearth of knowledge about the device - I didn't know what I didn't know.

At one point I had texted a friend, who noticed immediately "Oh! You got an iPhone!". Apparently the text message app has a regular text message mode, plus a direct iPhone-to-iPhone mode, and the recipient can tell which is which. I had no idea that this information leaked: I didn't mind, I just didn't know.

Those who have been around here a long time won't count many occasions where I admit humility ("My second best quality is humility, just after awesomeness").

said by sbconslt:

Report the IMEI. Or does that not do anything?

I reported the phone lost to my carrier (Verizon), and I presume they know all the various numbers associated with it. They deactivated that phone and re-activated my old junky dumb phone, as well as having put the iPhone on the "negative list" - they won't activate that phone on their network. They don't share that data with other carriers, but the rep told me that the particular phone only works on their network anyway. I don't know enough to believe that or not.

said by BlitzenZeus:

Apple also has made it too easy to enable thieves of iPhones in the past, and I'm not sure if they have changed their policies

said by Apple :

If you have lost or found an Apple product, please contact your local law enforcement agency to report it. Although Apple does not have a process to track or flag lost or stolen product, you can use My Support Profile to find a list of serial numbers that have been purchased or registered with your Apple ID.

Thanks a lot, Apple.

I do have all the paperwork for the phone and will be filing a police report, but at this point I assume the phone is gone and will move on and get a new phone today.

Ugh.


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI
Perhaps I'm reading this wrong:
»itunes.apple.com/us/app/find-my-···648?mt=8

Can't you install this app onto another iOS device to track and/or disable your device after a loss:

"If you misplace your iPhone, iPad, iPod touch, or Mac, the Find My iPhone app will let you use another iOS device to find it and protect your data. Simply install this free app on another iOS device, open it, and sign in with your Apple ID. Find My iPhone will help you locate your missing device on a map, play a sound, display a message, remotely lock your device, or erase all the data on it."

On my iPad, there is a Find My iPad setting that is ON by default. I didn't think I needed to install an app before a loss.

Edit:
I do see this too now: "Please note that Find My iPhone must be enabled in the iCloud settings on your device for you to locate it with this app."

Sorry Steve, thanks for sharing this with me so I can be mindful of how my security hypervigilance can trip me up. Sounds like you've got your bases covered.

Fickey
Terrorists target your backbone

join:2004-05-31
reply to Steve
Sorry man, that sucks, but it sounds like you were almost as prepared as you could have been, and certainly more so than most.
said by Steve:

Note #1: those who suggest I avoid an iPhone altogether have to trust that I made my choice for a very good reason.

No fair, you took the wind outa my sails! I know little about Apple products, but just in case it affects your future phone decisions, know that the right rooted Android phone offers significant control over your personal info. There's no requirement to sync calendars, contacts, etc with Google, they can be local on the phone & sync only to your PC. Also, you can selectively control (or even fake) what individual apps have access to including camera, mic, contacts, sim, IMEI, wifi, 3g/4g/roaming, etc. Theoretically, you can even find a lost/stolen phone with no prior preparation, although not easily. That's a level of control I can't live without. Of course, it takes time to learn & become comfortable with all that, too.
--
Government controlled healthcare? Name one thing government does efficiently and effectively!


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
said by Fickey:

No fair, you took the wind outa my sails!

My reasons for getting an iPhone had very little to do with the features of the iPhone itself or my own personal needs.

If I said I needed to get up to speed on the Apple ecosystem in order to help a customer with a security project, that would be pretty close.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to Steve
I'm sorry Steve, I hope you somehow can find it buddy!!

Good luck


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
reply to Steve

Re: Security risks of security hyper-awareness

said by Steve:

I never logged into Facebook from my phone, did not set up email, and did not even install my SSH keys into the vSSH secure shell application.

The "did not set up email" (if you meant *any* email account) prevents you from wiping the phone remotely using an Exchange email server (as an alternative to the phone locator and remote wipe services available through iCloud, which you didn't set up either).

With so much effort put into ensuring that you don't recover your phone, one has to ask: was the phone really lost/stolen, or did you throw it away?
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
said by leibold:

was the phone really lost/stolen or did you throw it away

or to put it nicer: was anything of value on the phone to begin with?
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Ctrl Alt Del
Premium
join:2002-02-18
kudos:1
reply to Steve
Unfortunately, you can't find or wipe your old iPhone if you never set up and enabled Find My iPhone on the device itself. However, here are a few notes to help you out with your new iPhone:

Firstly, the Find my iPhone feature is built into the iOS operating system and is different than the Find my iPhone app that you download in the App Store. The app is for using a second iOS device to track your lost first iOS device. You do not need to use the app at all, you can instead use the »www.icloud.com website.

The Find my iPhone feature built into the OS uses location services and a data connection (cellular or previously connected WiFi) to remotely track your device. If the iPhone is powered off then it will not work. By default Find my iPhone is disabled and does not track you. To enable it you will need an iCloud account and enable the Find my iPhone feature in iCloud settings on the device. If you don't have an iCloud account you can create one right on the iPhone during setup. Once enabled, you can then go to »www.icloud.com and log in to remotely track or wipe your iPhone (or use the Find my iPhone app on another iOS device).

If you have a full backup of your old iPhone in iTunes, then when you connect your new iPhone to iTunes, it will ask if you want to restore your backup. This will get you back almost all of your stuff, both settings and data like text messages, apps, etc. I'm not sure if the backup includes music and pictures. You can pretty much pick up where you left off with your old iPhone.

The reason your friend knew you were using an iPhone is because of a feature called iMessage. By default this is enabled and requires both of you to use an iOS device and have an iCloud account. When you are using the Messages app (which previously only did SMS and MMS), it figures out in the background if your recipient is another iOS device. If the recipient is, it will change your text message into an iMessage. Visibly the chat bubble becomes blue and you'll see the text "iMessage" in the chat log. Everyone else gets a green text message bubble and the text "Text Message" in the chat log.

Behind the scenes, a text message gets sent the same way it always has: through the cellular connection. But an iMessage gets sent as an Apple Push Notification and uses the data connection (either cellular data or WiFi). So an iMessage is a data packet sent over TCP/IP through Apple's push notification network. This means that iMessages do not count against your text message limit. There are also some additional benefits, like delivery notification and read notification, so you know if the iMessage made it to the destination. You can turn on/off iMessage in Settings > Messages, as well as control read receipts.

Anything else need clarifying?
--
less talk, more music


Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
reply to Steve
Sorry Steve, it sucks... I know... these lowlifes keep poppin' up


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to Steve
A co-worker of mine had two iPhones stolen from him at work while he had them plugged in to charge. One right by his work area and one by a microwave at the employee cafeteria. Both times he walked away for only a few minutes to go to the bathroom. My iPhone remedy? I use a 2100mAh iPhone charger case. Just enough to keep the iPhone in my pocket so it's not charging in plain view for the taking...


planbapp

@comcast.net
reply to Steve
I don't know if they offer this for Apple but for Droid there is the Birth Control Pill called PlanB.
»play.google.com/store/apps/detai···nb&hl=en


morningafter

@comcast.net
reply to Steve
I know that $500 is hard to swallow that's why they made the morning after pill called Plan B.

»www.ollapp.com/app/plan-b/iphone


mouse
Premium
join:2007-03-29
australia

1 recommendation

reply to DarkSithPro
I would hate to work in an environment where my co-workers are stealing my stuff.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to morningafter
said by morningafter :

I know that $500 is hard to swallow that's why they made the morning after pill called Plan B.

»www.ollapp.com/app/plan-b/iphone

only for android so far
--
* seek help if having trouble coping
--Standard disclaimers apply.--


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to mouse
said by mouse:

I would hate to work in an environment where my co-workers are stealing my stuff.

It seems when it comes to smartphones, stealing them is not a big deal anymore. Interestingly enough, they stole a Verizon phone from Steve, which doesn't use SIM cards. Most people won't waste their time stealing CDMA phones, because once they're reported they're pretty much a brick afterwards. I bet the phone was thrown away after they learned it didn't have a SIM card and was on Verizon. He said iPhone 4, not the 4S, so it's useless as a cell after being reported.


HA Nut
Premium
join:2004-05-13
USA
reply to Steve
I am far, far from being any kind of expert, but I have set up numerous iPhones and Androids for friends. A couple of random thoughts (not necessarily aimed at you, Steve)...

There are location privilege level adjustments by app in the Settings section on the iPhone (something that doesn't appear natively in Android from what I've seen.) This should give some granularity in location sharing control.

As already pointed out, Find My iPhone does not require another i-device (or a 3rd party app). Just set it up on the phone (under Settings) and, if the phone needs locating, log into the iCloud webpage. A user must create an Apple ID, but if the user doesn't trust Apple enough to do that, then one shouldn't buy an iPhone (I feel the same about Android and Google, but I know many out there don't share my opinion!) After all, Apple makes the phone and the OS!! (BTW, it's easy to set up an Apple ID without a credit card. Just download a free app (which can be deleted later if desired) on the phone. Before you download the app, you are directed to create an Apple ID and, while doing so, skip the bank card step. This same ID will then be good for the iCloud account.) (FWIW, Android does require 3rd party apps for lost/stolen location. There are many available with varying options.)

IMO, if a cell phone (smart or even less than smart) allows remote location/wiping, it should be on and available. Even if a phone owner has taken great pains to minimize the amount of personal/private info on a phone, it still contains phone numbers and other info that's likely best kept private.

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
A while back a journalist got hacked, and what did they do? They remote wiped all his iDevices...


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
said by BlitzenZeus:

A while back a journalist got hacked, and what did they do? They remote wiped all his iDevices...

Hence backing up your devices.

For me it turns out this is unusually easy: I listen to audiocourses all the time, so I connect my iPhone to my PC a coupla times a week to update my content, so I usually run a backup at the same time. When I got my new iPhone, I was restored to within the last 2 or 3 days: I'm lucky that my personal habits aligned with best practices.

But they don't always.

For exercise, I take power walks in the hills near my house, some of them quite strenuous, and I have a killer exercise app that runs on my phone. Tracks my progress with GPS, alerts, etc. Love it.

But the auto-lock was making me crazy when I was out on a walk: I'd look down to see how I was doing and would have to unlock it, all while huffing and puffing. So I turned off the PIN code and the auto-lock. This is a terrible idea, of course, but since I really don't have anything really sensitive on the device (on purpose), and since I never let it out of my sight, I figured it wouldn't be so bad. Oops.

It turns out I had just discovered a feature of my walking app that disables the auto-lock while there is a route in progress, which does *exactly* what I want, but I had not re-enabled all that stuff yet.

On the new phone, I now have all the security features enabled: auto-lock, a PIN code, and find-my-phone. Since I now know that backing up is something I actually do, I enabled the wipe-on-10-wrong-PINs feature.

Live and learn.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
I did something similar with my phone, except rather than disabling lock (it's easy to unlock, just slide the display up) I disabled password protection on it. Even with the keyboard, it got annoying to keep entering the password. (And it's connected to my company email. Go me.)

Luckily I had it with me the day someone broke into my house and swiped my personal laptop, which, being my personal laptop and not containing any truly sensitive info, was not encrypted. It was protected only by a Windows (XP) password and a power-on password. It was also in sleep mode when it was taken. Much like your phone, I didn't even have anything running on it that I could use to locate it remotely.
--
Think Outside the Fox.