Apple CEO Tim Cook announces the new iPhone 7 during an event to announce new products, in San Francisco. (AP Photo/Marcio Jose Sanchez, File)
Apple is pretty hot on security. But it’s prone to weird errors.
The latest aberration comes in the form of a startlingly simple bug, one that literally saw the iPhone read users’ private passwords out loud. The vulnerability, found by Turkish patent attorney Davut Hari, has been patched in iOS 10.2, released yesterday.
Hari explained the issue to me: “Passwords are saved in the iPhone mail settings. This password appears to be confidential in the form of *******. This password cannot be copied. But when you select the password and click on the ‘Voice’ option, the secret password sounds.” If anyone was in earshot of your phone and you hit the button, therefore, the security of that password just disappeared.
As Apple admitted in its security update yesterday, “a nearby user may be able to overhear spoken passwords.” What was Apple’s ingenious fix then? Not to mask the spoken value, but simply to stop speaking passwords at all.
How to explain Apple’s bizarre feature? Password security expert Per Thorsheim said it appeared to be a typical example of two different developers not synchronizing on potential security issues.
Given the feature needed to be turned on and the user had to select the password to be spoken aloud, however, there’s not much chance of hackers or opportunistic crooks taking advantage, he added. “The chances of it getting abused, or just happening by accident so that others could hear it are very slim I would think. So I wouldn’t say it’s terrible security. I would rather say that it’s a fascinating example of lack of (security) communication, security testing and more between different functions and departments within Apple.”
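The failure Hari describes and the testing gap Thorsheim points to are easiest to see as a property: every output channel of a password field (display, clipboard, speech, accessibility) must emit the mask or nothing, never the secret. The following is an added example, not Apple's or iOS code; it models a field with per-channel masking in which the speech path was written separately (the bug pattern), beside a version that routes every channel through one redaction gate, and a checker that enumerates the channels. The class names, the channel list and the sample password are constructed for the illustration.

```python
"""Constructed model of a masked password field with several output channels.

Not Apple's code: 'display', 'copy', 'speak' and 'accessibility_value' stand in
for the screen, the clipboard, Speak Selection and VoiceOver respectively.
"""
from typing import Optional

MASK_CHAR = "\u2022"  # the bullet character shown in place of each secret character

# Every channel through which a field can emit its value. A new channel added
# to this tuple is automatically covered by the check below.
OUTPUT_CHANNELS = ("display", "copy", "speak", "accessibility_value")


class LeakyPasswordField:
    """Per-channel masking: each output path decides on its own whether to redact.

    Display and copy were written with the secret in mind; the speech path was
    added independently and hands back the raw value (the bug pattern).
    """

    def __init__(self, secret: str) -> None:
        self._secret = secret

    def display(self) -> str:
        return MASK_CHAR * len(self._secret)  # masked on screen

    def copy(self) -> Optional[str]:
        return None  # copying is blocked

    def accessibility_value(self) -> str:
        return self.display()  # screen reader gets the same mask

    def speak(self) -> Optional[str]:
        return self._secret  # BUG: text-to-speech receives the real password


class RedactingPasswordField:
    """Single gate: only the authentication path may read the secret; every
    presentation channel goes through _redacted(), and speech emits nothing,
    matching the approach of refusing to speak the value at all."""

    def __init__(self, secret: str) -> None:
        self._secret = secret

    def _redacted(self) -> str:
        return MASK_CHAR * len(self._secret)

    def display(self) -> str:
        return self._redacted()

    def copy(self) -> Optional[str]:
        return None

    def accessibility_value(self) -> str:
        return self._redacted()

    def speak(self) -> Optional[str]:
        return None  # nothing is spoken for a password field

    def raw_for_authentication(self) -> str:
        # The one deliberate, named consumer of the real value; it is not an
        # output channel and is not in OUTPUT_CHANNELS.
        return self._secret


def leaking_channels(field: object, secret: str) -> list:
    """Return the names of output channels whose result contains the secret.

    An empty secret is never treated as leaked: '' is a substring of every
    string, so it would otherwise flag every channel.
    """
    leaks = []
    for name in OUTPUT_CHANNELS:
        out = getattr(field, name)()
        if secret and out is not None and secret in str(out):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("leaky   :", leaking_channels(LeakyPasswordField(pw), pw))      # ['speak']
    print("hardened:", leaking_channels(RedactingPasswordField(pw), pw))  # []
```

The check is the kind of test that two teams working on separate features would each have to pass before shipping: it does not care how a channel masks, only that no channel returns the secret, so a newly added output path fails the test unless it is deliberately redacted.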
There are a bunch of other reasons to update to iOS 10.2 if you care about security. Listed amongst the vulnerabilities patched in Apple’s latest OS were a way to bypass the lock screen to access photos and contacts, a method for disabling Find My iPhone and a number of techniques for executing malicious code on the device.
In another recent Apple security gaffe, the company accidentally degraded the password protection on iTunes backups; that issue was fixed in an October iOS update.