About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


iPhone Security Concern

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

  1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
  2. Press 4 to go to Personal Options.
  3. Press 2 to go to Administrative Options.
  4. Press 1 to go to Password.
  5. Press 2 to turn your password On.

Thanks for the reminder, Nitesh!
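The trust decision described above, sketched as an added example (this is not code from the post, from Nitesh, or from AT&T/Cingular). The class and function names, the phone number, and the PIN are constructed, and the rule that calls from other numbers always need the password is an assumption. It shows why Caller ID is not a credential, and what turning the password on changes.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mailbox:
    number: str                # subscriber's own number (constructed sample)
    pin: str                   # voicemail password (constructed sample)
    password_on: bool = False  # default per the post: handset calls are not asked


@dataclass
class Call:
    caller_id: str                     # value asserted by the caller, not verified
    entered_pin: Optional[str] = None  # digits keyed in, if any


def grant_access(box: Mailbox, call: Call) -> bool:
    """Return True if this call is let into the mailbox."""
    looks_like_handset = call.caller_id == box.number
    if looks_like_handset and not box.password_on:
        # Default behaviour: matching Caller ID is the only check.
        return True
    # Password turned on. Assumption: other numbers also need the password.
    if call.entered_pin is None:
        return False
    # Constant-time comparison so timing does not leak PIN digits.
    return hmac.compare_digest(call.entered_pin.encode(), box.pin.encode())


def compare_settings() -> dict:
    """Run the same constructed calls against both settings."""
    own = "+15555550100"
    calls = {
        "matching caller ID, no PIN": Call(own),
        "matching caller ID, right PIN": Call(own, "4821"),
        "matching caller ID, wrong PIN": Call(own, "0000"),
    }
    results = {}
    for setting in (False, True):
        box = Mailbox(own, "4821", password_on=setting)
        label = "password on" if setting else "default"
        results[label] = {k: grant_access(box, c) for k, c in calls.items()}
    return results


if __name__ == "__main__":
    for label, outcome in compare_settings().items():
        print(label, outcome)
```

With the default setting every call that presents the subscriber's number is admitted, so the mailbox is only as private as Caller ID is trustworthy. With the password on, the number alone no longer gets anyone in.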

About This Post

iPhone Security Concern was posted on Mon, 02 Jul 2007 at 03:11:06 GMT.

6 Comments

1. Nitesh Dhanjani said:

So - did you get an iPhone?

Mon, 02 Jul 2007 at 04:26:09 GMT


2. Chris Shiflett said:

Nope.

It seems like a useful device, and I'm really happy to see Apple disrupting the mobile phone industry, but I can't justify the expense at this time.

Mon, 02 Jul 2007 at 04:31:25 GMT


3. Ben said:

Possibly much worse security flaw, check it out:

http://getitnext.typepad.com/weblog...e-attacks-.html

Mon, 23 Jul 2007 at 20:31:08 GMT


4. Mathew Keefe said:

This was one of the first things I noticed when I moved to ATT. Very useful information indeed.. funny Hilton article too!

Sat, 11 Aug 2007 at 05:55:47 GMT


5. Chris Shiflett said:

I have an iPhone now, and I was prompted to enter a voicemail password during the sign-up process.

Sat, 11 Aug 2007 at 14:16:21 GMT


6. Todd Eddy said:

During the signup process it asks you, at least I think it did when I got it (the Monday after it was released). The password you enter on the iPhone it saves to authenticate itself for the visual voicemail. But if you just called your number from your phone it would put you right into the voicemail system. That's what this fixes. I did it on mine early on so I don't know if they fixed that later on.

Tue, 14 Aug 2007 at 03:22:21 GMT

