About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

iPhone Security Concern

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

  1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
  2. Press 4 to go to Personal Options.
  3. Press 2 to go to Administrative Options.
  4. Press 1 to go to Password.
  5. Press 2 to turn your password On.

Thanks for the reminder, Nitesh!

About This Post

iPhone Security Concern was posted on Mon, 02 Jul 2007 at 03:11:06 GMT.

6 Comments

1. Nitesh Dhanjani's GravatarNitesh Dhanjani said:

So - did you get an iPhone?

Mon, 02 Jul 2007 at 04:26:09 GMT Link

2. Chris Shiflett's GravatarChris Shiflett said:

Nope.

It seems like a useful device, and I'm really happy to see Apple disrupting the mobile phone industry, but I can't justify the expense at this time.

Mon, 02 Jul 2007 at 04:31:25 GMT Link

3. Ben's GravatarBen said:

Possibly much worse security flaw, check it out:

http://getitnext.typepad.com/weblog...e-attacks-.html

Mon, 23 Jul 2007 at 20:31:08 GMT Link

4. Mathew Keefe's GravatarMathew Keefe said:

This was one of the first things I noticed when I moved to ATT. Very useful information indeed.. funny Hilton article too!

Sat, 11 Aug 2007 at 05:55:47 GMT Link

5. Chris Shiflett's GravatarChris Shiflett said:

I have an iPhone now, and I was prompted to enter a voicemail password during the sign-up process.

Sat, 11 Aug 2007 at 14:16:21 GMT Link

6. Todd Eddy's GravatarTodd Eddy said:

during the signup process it asks you, at least I think it did when I got it (the monday after it being released). The password you enter on the iphone it saves to authenticate itself for the visual voicemail. but if you just called your number from your phone it would put you right into the voicemail system. that's what this fixes. I did it on mine early on so don't know if they fixed that later on.

Tue, 14 Aug 2007 at 03:22:21 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Talks

O'Reilly Open Source Convention

21 - 25 Jul 2008

At Oregon Convention Center, Portland, Oregon.

ZendCon

15 - 18 Sep 2008

In Santa Clara, California.

PHP Appalachia

11 - 14 Oct 2008

At Big Bear Lodge, Gatlinburg, Tennessee.

New Comments

Ash Searle wrote:

It might be worth changing your example code from using htmlentities to htmlspecialchars. Runn...

Posted in Allowing HTML and Preventing XSS
Chris Shiflett wrote:

Hi Steve, According to the NYT Manual of Style and Usage, it's push-up: Most but not all co...

Posted in Miscellaneous
steve wrote:

so, is it push up, pushup or push-up? just curious... --steve --www.hundredpushups.com

Posted in Miscellaneous
Walter Lawless wrote:

It's sad to think that even now, nearly 4 years after this was originally written, that there are...

Posted in
Asanka Dewage wrote:

I've been a Mac user for over a year now and I didn't know about the [say] command! What a nifty ...

Posted in Miscellaneous

Browse Comments