I have to say, if you can't manage to keep your iPhone secureon, and on your person (or in a safe place), you've already failed.

Anybody that ignores actual physical security for sensitive data is a fool and deserves exactly what they get, you can't really put that one on Apple.

Enochrewt

I read the news about this "flaw" the other day and thought it minor myself. I mean, who is going to really go to all this effort to get info from a phone they found - and then why would they care who is in your favorites list?

ramman345

This is such an overblown issue. Apple can push a fix whenever they feel like it as far as I'm concerned.

bobdobbs

@Jesus Diaz: A week? Hey come on, this is not Windows Update we're talking here.

ripfire

@robpruitt: Hmm, now that you mention it (I mention it) I hate Apples too! Fuck that, it's grape time!

The Magnificen7

Thats worse than that Sprint flaw IMO.

[consumerist.com]

midwestkel

Oh Jesus, you're such a journalist.

StupidityTries

@Skyyboy: So what are you saying? That even though Apple made fun of Microsoft for falling behind deadlines, that it has a history of falling behind too? Apple would never engage in such hypocrisy.

OMG! Ponies!

@ The Magnificen7: "Anti Apple guys".

I hate Apples!!! The texture hurts my teeth and whats with the yellow turning brown after just a few minutes air exposure. I'm sure of it, I hate apples.

robpruitt

So wait this means if someone got a hold of your phone and made it look like he's calling 911, they can access all your email and info? Thats pretty messed up, I take back my first post since I clearly didn't know what I was talking about, my bad.

Crash Override 777

@nutbastard: So my doctor's diagnosis of "acute nutbastardy" was off then? Are you calling my doctor a liar?!

strangepork

Remember that the iPhone SDK was set to be announced in February & wound up being in March, and the App Store was set to launch late June & wound up being July.
Don't hold your breath that September actually means September.
I think Cupertino may be in a different time zone than the rest of the world...

Skyyboy

Maybe I'm taking this too lightly since I don't have an iPhone.

Crash Override 777

Oh boy, here come the anti-Apple guys. Maybe you should keep an eye on your phone.

The Magnificen7

@rockstar: as you say yourself, this hasn't been well handled. Good that they have acknowledged it, but to minimize it helps nobody.

Jesus Diaz

@Crash Override 777:
How about admitting to a BIG problem and not calling it a "minor iPhone security issue".

TerryinSt.Paul

@Crash Override 777: No. I expected them to deliver an update this week to fix a massive security hole. Simple as that. Not call it minor and give a vague september release date.

Jesus Diaz

Jesus, how many users password protect their phone anymore. I don't think that many.
But yes apple is handling it poorly.

rockstar

@Crash Override 777: No I expect tem to release a fix yesterday.. What kind of popcorn stand they got over there?

IMWylde

What do you want them to say? "OMG your iPhone is compromised you are teh doomed!"

Crash Override 777

@nutbastard:

im just glad none of my names sound like some sort of detrimental phallic medical condition...

nutbastard

h h, y sd "Bwcck"...

nutbastard

seriously, this really IS pretty minor, since you can just change the button function to fix it before the update. You guys are making a bigger deal out of it than it really is.

Benjaminx

First of all, there is a DIY fix for the home button default, which does render this a somewhat minor issue. Second, any would-be hacker needs *physical access* to your phone. Just protect your phone! Do you leave it lying around where potential wrongdoers could steal it? I don't. And if the issue is enterprise security, your company can remotely wipe the device as soon as you report it lost. I think there is a little bit of an overreaction here.

bandit

I assume the iFruit Phone would never have such a security flaw. :3

jackfrost132

How is this any different than the normal Apple response? OH, thats right, they were kind enough to at least acknowledge this one. Screw you too, Steve.

wills916

That's it, I'm switching to Fruit. [gizmodo.com]

jackfrost132

Hey, hand-ringers, do this: Take your standard, un-jail-broken iPhone and passcode-lock it. Download PhoneView from ecamm.com and install it. Plug in your "passcode-protected" iPhone and see what info is available (hint: it's everything).

See? The boogey-man doesn't need to double-tap.

bobdobbs

Downplaying the situation is not cool. If this was any other mobile platform, it would have ended up as a joke in the next apple commercial.

Joseph

It'll never be a minor issue EVER! What is wrong with people who say it is??? Stop being so ignorant.

Derek Devine

I tend to agree with others and Apple when they state that this is minor. One must have physical access and opportunity to do this and if the user simply changes the function of the "double-button push" it is taken care of.

However, good on ya for sleuthing it and doing the right thing by notifying users and Apple, as well as those who might want to take advantage of it. ;)

Illuminator

@nutbastard: I still can't figure out what you mean't to say. I thought I would still be able to maybe figure one of these out but nope....

@Crash Override 777: Even though you got totally reamed for your first comment, I literally lol'd in my school's library upon reading "teh doomed"

jakebathman

@Benjaminx: Agreed. Not only are few affected by it, but it's easily avoided. I read that here on Gizmodo. "Here's the flaw. Here's how to avoid it." Seems to me Gizmodo and others have already defused the situation. Thanks.

sumocat

As a developer, as we review someone else's code, we often catch a huge error a developer makes. What does that cause? That causes us to go back into everything that person wrote to see exactly what else they fucked up.

This seems to be very similar. If they were able to not think of this scenario and leave such a big security hole, then what else did they miss? This might not matter to you, but what it shows is the coding ability of a particular component writer. What else was that developer responsible for? Did that developer think of all possible scenarios through as they wrote the code? Was this just a one time thing? Those are all questions that we cannot answer, but they are all very important ones.

diabolusunknownTheSecond

Apple recently took 4 days to send me an automated reply. No Kidding. So .. no surprise here on their glacial pace of addressing problems.

bingosabi

@rockstar: I...password protect my phone...it's an easy one, but I still do it!

KarinDiscoGirl

@Katoejoe:Please, get a course on Security 101 then come back and comment. Thank you very much, drive thru.

Jesus Diaz

Speaking of fixes, can Giz please put the "Friends Activity" link back on the header. Thats usually how I spot the good threads, with a little help from my friends. ;)

Curves

I really don't want to burst Jesus' bubble, but really, this "Huge Security Flaw," isn't all that huge at all. As I saw some posters mentioning in the initial post on this, sure, it would suck if somebody got into your phone and had access to mail, contacts, etc, but honestly, would it be life changing? I think the answer to that would be no. While it is a problem for some, and it was very smart of Apple to acknowledge and promise to fix it, I think everybody just needs to relax about the whole thing. Apple will take care of it for you, now in the meantime, change your home button functionality, and don't let anybody who you don't trust play with your iPhone. Oh, and don't lose it or leave it lying around in public places either. Follow those simple steps and your "huge flaw" becomes little more than a just a slight nuisance.

Katoejoe

Hehe Jones looks cute on there.

Nintenboy01

@Jesus Diaz: I'll be the first to say that I'm no security expert, just wanted to give my two cents. Sorry if you took offense to my comment or anything like that because I really didn't intend for you to feel offended. To be honest, maybe you have things on your phone that would be catastrophic for you if somebody were to get into them. Like I said, I do see how this could be a problem for others, even if it isn't one for myself. You do make a good point in that it's definitely an issue, however my main gripe was, and still is your wording to be honest. I could see "huge" being applied to a security flaw that would allow people to access your private data from anywhere in the world. Considering that somebody would need to physically have your phone in order to exploit this flaw just makes the problem seem a lot smaller to me. Again, I could be wrong about that since I'm no master of security or anything of the like. Hopefully this proves my point better than before and undoes any hard feelings I may have caused.

Katoejoe

Turns out your wallet has a major security flaw too. Whenever it's not with you, it has the potential to be stolen.

JustEaton

@mruler360: Which reminds me- If it's broke already, don't break it even more Apple!

mruler360

I agree with her- It's only a small bug. What makes it a major security flaw is the fact that what could fix it is a DEFAULT SETTING that makes it a problem in the first place.

mruler360

@Jesus Diaz: Jesus, seriously: Physical access to any machine means it's owned. Even if this is gets fixed (and I'm betting the "fix" is to make double-tapping the home button default to something else) there are an infinite number of other ways to access every bit stored inside an iPhone (and nearly any other consumer electronics device). I'm sorry, but you're really taking sensational journalism to new levels. This almost seems like a thinly-veiled attempt to counteract reader-criticism that Giz is a bunch of Apple fanboys.

bobdobbs

OMG! what!? apply is downplaying a flaw!? Hello they've done this for years. everyone complains that MS has so many bugs, but they fix them right away... apply NEVER fixes their flaws right away. Here is just one example [www.itwire.com] PC mag also did a write up on how fast MS fixes bugs vs Apple.

simplegreen

A massive security hole? You can close it in like 5 seconds. Its unfortunate, it should be fixed, but its not massive.

krizoitz

Awww, so good to see you kids playing along.

But I agree with most -- I understand how this is a big deal, blah blah blah, Apple's handling this like a bunch of pretentious pricks (and this is news how??), blah blah...

...but most of all it's the wording that probably throws most people. Big deal, yes, but the original headline, as well as the approach in the article reeks of sensationalism and world-ending fearmongering. Even if Ms. Underplaying PR Lady gave us her email address and password, that's really not a fair comparison since we could open any browser on any computer to access it, whereas to take advantage of this glitch we would have to actually get a hold of her phone.

Again, I know this is a big issue, especially in light of what "Security" consists of, and Apple should treat this a lot more seriously. *However*, there are security flaws out there that are much more devastating than this, and these are the kind to which -- I feel -- the diction used in this article and the previous story's headline should be saved for.

rcast1986

The crux of this problem is that no brute force (IOW, _time_) is needed for this.

Corporate espionage is very real, and it does not take long for someone to get your sales/supplier contacts with this method (long before you notice it gone and then do a remote wipe). With a good pickpocket, you would never know it was gone for the 5-10 minutes or so this would take.

And if you don't think this crap goes on all the time, you are simply a victim-to-be. Tradeshows, and the ample parties/free booze that go with them, are the worst place for shenanigans like this.

And as JesusModo pointed out in the article, not everyone with an iPhone knows the user-fix. Heck, I doubt three-quarters of the iPhone users even know about the problem yet. No slam intended on those users, it's just that we gizAddicts are just way ahead on stuff like this. And so are the shady private dicks that companies hire for getting their competitor's secrets.

There is no doubt that Apple's response to this will be counted as a big negative in IT departments choices of whether or not to allow/roll-out the iPhone to employees.

Bottom Line: there should have been a text blast with details on how to do the user-fix until a firmware update can be released. Corporations have accepted that new-ish devices and software can be buggy/have security problems, so the problem itself will not be remembered as much as Apple's response.

hypereric

@Curves: "...can Giz please put the "Friends Activity" link back on the header."

Yes! And while you are at it, could you also please put back the the thumbnail avatars that usd to show on that "Friends Activity" page? That's another way to quickly scan up and down the listings to find folks.

bosskev

Did anyone really expect Apple to admit this was/is a huge security hole? Gheesh, they won't even admit to future product refreshes in fear of losing a today sale.

I think bobdobbs above hit the nail on the head.

Ed

edblor

Well it doesn't sounds like a HUUUUUGEEEE security flaw...just a security flaw nothing more or less...just don't let anyone use your iphone and do not borrow it to anyone you don't know and you should be fine.

Mike918

@Jesus Diaz: Seriously, leveling a personal attack at Katoejoe is not professional, and does not help your case, especially when you are wrong and he is right.

Gizmodo, Macrumors, and Wired can claim that this is "major" all they want, but there is no serious security professional in the world who is going to call this "major" because it requires physical access and because there is a published workaround.

If you could get all the info off the phone just by knowing its phone number, or IMSI, or IP, then yes this would be major. If you could only get this by physical access, but there was no published workaround, then yes, it would (probably) be major.

Is it frustrating that Apple seems to have a cavalier attitude about handing out information about this stuff? Heck yeah I'm still waiting on more info about whether the next update will resolve my reception issues, and thinking about taking the phone back.
Does it demonstrate that they've got very immature 2.0 software that was released too soon and without adequate testing? Heck yeah.

But none of those things make this a "major" issue, as far as anyone in the security community would be concerned. Go ask the OpenBSD guys who brag about when their last *remote* exploit was.

Harshing on some poor commenter, regardless of how simple his worldview and complete his devotion to Apple, does not prove your point.

max_k

@Jesus Diaz:
I'm sorry, there a way bigger issues than this. First of all, I have absolutely nothing to hide on my iPhone (minus some pictures of titties and other NSFW stuff) and that stupid thing never leaves my hand or pocket. I have never once left it on a counter top, table, desk- anything in a public place ever- because it is an expensive device. If you have top secret government files, or crazy stock market strategies or the tele-play for the season finale of lost, HOLD ONTO YOUR PHONE.

If someone was to grab your phone and you couldn't stop them from holding it then they are probably going to take the device and run anyway; in which case they will get the information anyways, flaw or not. In such an event the last worry on my mind would be someone reading my emails but more along the lines of I need a new phone.

What is a serious issue is the fact that the unit as a whole does not function. The keyboard lags, the thing crashes like a chinese driver, and sometimes you can't even play a song without it skipping. It's an iPod... with a phone, It shouldn't do that. I wouldn't expect them to admit that the security flaw is a big deal if they cant even admit how fucked 2.0 is.

Balls.

beardedkid

^whatev.....errrrr

iomatic

This is why Apple sucks. They have lost my trust is every product they release, and I will NEVER buy an apple product again.

You are pathetic Apple!

th3gh05t

Wow Jesus. Is the next step desemvoweling those who threaten gizmodo of Apple-worship? Because JSS S WRNG can only be read a few times before we get what it means. But then again if my iPhone fell into the hands of someone with less than ethical plans for it between now and the update than I spose I'd sing a different song...But until then I guess we'll just crucify you! lol jk...had to do it...oh my...please don't hurt me

doobiebros2two

@hypereric: Heck, I doubt three-quarters of the iPhone users even know about the problem yet.

Seriously. Here in the valley, it seems everyone has one of the damn things, and the only person I know that kept it locked was an Apple employee with prerelease software on it.

someToast

I agree with Apple.

Minor security fix because there is an easy way to fix it.

Change your home button preferences.

Done.

Neone

You know, in the defense of Apple, if you weren't publicizing the error, that many less people would know about it. Just a thought.

ChelseaCosta

@WinkMe: No.

Jesus Diaz

So Jesus, does this mean I was right? it ISNT THAT BIG OF A DEAL. Life Moves on

WinkMe

why cant the home screen and the kepad always show your wallpaper like this screen???

id much rather have that than this fix

scout121

As someone that does do IT Security as part of my job, I have to say that:

a) this needs to be fixed and
b) it's not "huge" as security problems go.

Rule number one of information security is that when you've lost control of physical access to a machine, you're pretty screwed.

Most *servers* filled with sensitive data can be completely compromised with physical access and a boot disk in about 60 seconds.

A "major" security hole for a device does not require physical access to gain full control of the system in question. For the iPhone that would be something like a hacked cell-frequency signal that caused the phone to link to a remote server and transfer its data to that server. THAT would be major and deserving of huge press.

So Apple needs to fix this. In the meantime use the workaround. Regardless, though, if you have information that must remain secure you should consider yourself screwed with ANY device if you lose control of physical access to the device.

gunnk

It's a good thing iPhone users don't have any information that is actually important. Otherwise, the ability to get past an entire security system by pressing the only button on the phone would be a very huge issue.

jjreilly1

A security flaw where the person needs physical access to your phone doesn't seem all that huge to me. Sure, it needs to be fixed but september is a few days away. You'd never make it five seconds as a PR person. Find me one employable PR person who'd say "we have a massive security flaw" (even if it is in no way "massive"). I hope you save some of that moral outrage that you have here for things that matter in life.

BellaRook

@gunnk:

I also have a job that includes IT Security, and I have to disagree.

Any possible client information that can be so easily compromised is completely unacceptable. Absolutely, once you have lost the device you must consider the information compromised. However, you must also be able to feel reasonably that you have implemented reasonable security precautions: disk encryption, etc.

Apple has made that impossible here, and their attitude is a slap in the face to enterprise users.

tmed

I love how often Apple kicks out the new gadgets over the last few years. But the speed of gadget release VS quality control ration has obviously been shifting rapidly. Gone are the days of a rock-solid gadget from Apple. Here are the days of amazing new (seriously flawed) gadgets every few months.

What's worse? It's really a question of "progress vs usability" for the users, and "income vs character" for apple.

navvywavvy

At first, I ready to blast Apple, because 1, I thought this was a Major security flaw... and 2, it's so easy to hate Apple due to their, "I'm better then you" smugness.

But after thinking about this more and more... It's easy to come to the conclusion that this issue, albeit a definite security flaw, is relatively minor. Why? Simple... It requires PHYSICAL ACCESS to your device. That fact alone makes this issue MINOR.

If any product is in the hands of someone who wants to exploit the user's information, it will get exploited... Enough said. Not to beat a dead horse here... But the only way this issue would be considered MAJOR... is if this flaw could exploited in a remote, ie: with out physical access, way.

Sorry Jesus... I own an iPhone... and hate Apple as much as the next PC Fanboy... But you have to admit that this is not as "Massive" as you want to pretend it is.

SkoGoody

@gunnk: I agree and disagree (right now, in 2008). Yester-year, I would have agreed completely. Tomorrow-year, I have to disagree completely.

The proliferation of encryption options on laptops, thumb drives, cryptainer/trueCrypt style software, etc. would suggest that we are moving away (rightly or wrongly) from a centralized storage of sensitive data to cells of sensitive data floating through the real-world ether (no |_33+ pun intended) via those devices.

The headlines are a good barometer of this. It's almost every other day somebody is losing/having-stolen a laptop or thumb drive with gubbermint or financial data on it. Smart phones are not far behind in this.

So while Rule #1 is still, and will always be, in effect since 99.9% of devices are hackable with direct access, security is becoming a 1.1:1 ratio to how sensitive your data is. IOW, how much is the data worth? You just have to make sure your encryption/data-wipe-ability is .1 ahead of that value.

My phone? Feh, take it. Just make sure to call my mom once in awhile :-)

hypereric

If this was some remote hack, then fair enough.

But you have to physically have the iPhone in your hands - and the user has to have not set the home button to the iPod screen.

Seems a pretty tenuous 'issue' at best - but then the Jobs haters need something to point and scream at like 5th graders....

I do note that Zune doesn't have this flaw - BECAUSE IT CAN"T DO WEB, EMAIL, OR MAKE PHONE CALLS!

LMMacAO!!

MINI Driver

Hah! This is beautiful. I love how the apple Kool Aid drinkers are having to back pedal and make excuses. This is almost as laughable as the dems portraying themselves as agents of change being pro woman. We have yet to see how they will attempt to crucify this woman and but we are beginning to see that Apple products are just that products. Nothing magical or mystical about them. Just some hardware and software.

coolkiwilivin

@coolkiwilivin: STFU noob.

iomatic

This is minor compared to the email problem the phones have. No one even seems to be discussing that. Thousands can't get it to work, and those who do often see it drop out with every switch between 3G and Edge. And the company won't even admit there's a problem!

pablops

Apple really screwed up and has blown all credibility for this and other problems. This problem is "minor" compared to the email snafu that showed up with the release of 2.0 software for the 2G phones and all of the new 3G iphones. Thousands are reporting that email won't work, goes bananas when you switch from 3G to Edge, etc. And they won't even admit there's a problem! In fact they've even lied to their tech support people or told them to lie about it because they won't admit it either in spite of hundreds of support calls. That kind if support ignorance can only be due to deliberate designs to deceive. There is a mail thread on their "discussions" forum with over 25,000 reads, and thousands of posts with a massive number of users reporting the email problems. Yet Apple is deliberately playing head-in-the-sand on it. This is all on top of the MobileMe problem! It's truly sad when you have to admit that there's a major company acting less responsible, lying more, and acting worse that Microsoft...

pablops

Anyone who is a big enough tool to purchase a me account deserves to get their account hacked.

It IS a pretty huge security flaw for people who keep sensitive info on their phone... which I don't, so don't really care tbh. Meh.

PurpleTentacle

This is honestly a major issue for say an individual trying to create a start up while working for a major firm without access to personal email and very curious co-workers or management who would gladly pick up your iPhone while its laying on your desk and would very interested to see your personal email and other dealings...not to mention jealous girlfriends :-)

Stevie358

@ Katoejoe, bobdobbs,

Physical access is usually considered "game over" in the security world because physical access to a machine isn't expected. The same rule doesn't apply to a phone -- nobody can mug you to get access to your desktop at work.

If you carry a laptop with sensetive documents etc., you can secure it using bitlocker, truecrypt etc. Even without that, if people are able to get to your work docs *without* at least putting the HDD in a different machine, that would be a serious security flaw. You just can't blindly apply the "physical access = game over" rule blindly to a phone.

And another reason this is a big deal: The original iphone had this problem as well, and Apple fixed it then too. How are we supposed to give Apple the benefit of doubt (about taking security seriously) if they actually regress on simple things like this? I mean, by-passing a password requirement is a huge flaw even if you do give them the benefit of doubt..

TheAxMan

What everyone seemingly fails to realize is that THREE days ago, there was no known security flaw. Thanks a lot Jesus.

G-Ram

im not sure if anyone has notice, but it say vodafone in top left corner.. way to go gizmodo!

Orkey

has anyone noticed that it says vodafone in the top left corner?? congrats gizmodo.

Orkey

I agree with The Magnificen7. This isn't a huge issue. Keep your eyes on your phone. If someone grabs it and takes off with it, they'll have all your information anyways, not to mention your iPhone, without having to use this "HUGE" security flaw.

Knavve

Nice one Apple! How much else could go wrong with the 3G?

Jack_Napier