A newly discovered timestamp security bug may leave your iOS device photos exposed regardless of whether or not your device is passcode locked. Ade Barkah, a Canadian tech consultant, has figured out that changing the time on your device will leave any photo taken in the “future” accessible via the quick camera toggle on the home screen.

The quick toggle is a new feature in iOS 5 that allows you to double tap your home button to access your camera app. From there you can tap into your image gallery. If your device is passcode locked, you will receive a message asking you to unlock your device to view photos. Unless you change the time on your device. Anything taken after that time stamp will be viewable as the phone will assume nothing exists after that point in time.

Turns out Apple’s restriction is just a simple filter based on the timestamp when the Camera app was invoked. You’re allowed to see all images with a timestamp greater than this invocation time. Yet that leads to an immediate hole: if your iPhone’s clock ever rolls back, then all images with timestamps newer than your iPhone’s clock will be viewable from your locked phone.

This could be a potential issue for anyone that travels frequently or has a need to change timezones. You can test this by simply changing the time and popping into your quick toggle even when the device is locked. Better get to deleting those inappropriate pictures!

Source: Peekay.org via CNET

pod2g has updated his blog with more details on how the Corona untether actually works. If the deep inner workings of exploits such as this interest you, it’s definitely something you’ll want to check out.

Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.

Now you got it, Corona is an anagram of racoon .

Corona will untether all current A4 devices that were previously tethered under iOS 5.0.1. Still no more news on when a jailbreak will be available for A5 devices, namely the iPhone 4S and iPad 2.

Source: pod2g

Waiting for an untethered jailbreak on iOS 5? The Chronic Dev Team has just released a crash reporter tool that will allow your to submit your crash reports to them instead of Apple. Crash reports are most likely the way Apple finds exploits in iOS and patches them.

The Chronic Dev Team is hoping to find exploits in the same way for a different reason – a jailbreak for all. You simply install the program to your computer, attach your device to the computer, and click a single button to send your exploits to the Chronic Dev Team. The program is currently available only for Mac users but a Windows version should follow over the next 24 hours.

We’ll update you as soon as we see one go up!

Source: Chronic Dev Team

Over on Reddit, Jailbreak developer Comex has been answering a lot of questions about his upcoming internship at Apple. Many users have been wondering whether or not this will effect jailbreak and how hard it will be for other jailbreak developers to find exploits with Comex working for the other guys now.

There are a lot of smart people working for Apple already; maybe I can help, but I doubt I can stop people from finding exploits.

Even though Comex won’t (read: can’t) participate the jailbreak community anymore, there are still tons of jailbreak developers out there more than willing to step up to the challenge of finding new exploits. The jailbreak cat and mouse game is far from over. Comex says he still wants to jailbreak his iPhone so he still hopes they’ll find those exploits too.

You can hit the Reddit link below to read the entire thread of Q & A’s with Comex.

[Reddit]

If someone manages to take physical possession of your iPhone and keep it long enough to Jailbreak it, enable SSH, and get access to the root, they can compromise Apple’s Keychain password management system and get to your data in roughly 6 minutes.

The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.

Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes.

In other words, Exchange, Google/Gmail, LDAP, VPN, Wi-Fi, and some app passwords. This assumes you — or the company for which you have passwords — is a high enough level target that an attacker will go through the time and effort of stealing and breaking into your iPhone (or you lose your phone and a bored hacker finds it and decides to do it for the lulz.) It’s also currently being shown off in the lab, not in the wild (that we know of).

In any case, common sense and best practices dictate that if you ever have your iPhone stolen — or you lose it — you immediately use Apple’s free Find my iPhone service to remotely wipe it (you can always restore via iTunes if you find it again or it gets returned). You should also change your account passwords and inform your IT department so your enterprise access can be changed if/as needed.

Note: None of this has anything to do with you Jailbreaking your own phone or not. This is an attack on an iPhone, regardless if it’s Jailbroken or not, that uses Jailbreak to gain access to the iPhone to steal data. Same exploit, evil intentions.

Hopefully Apple’s new security muscle gets more serious about protecting the Keychain in future versions of iOS.

[PCWorld]

Apple has just released iOS 4.0.2 for iPhone and iOS 3.2.2 for iPad which on the surface seem only to patch the zero day, in the wild PDF rendering exploit that enabled Jailbreakme.com, but could have also potentially allowed all manner of malware attacks against the iPhone Safari browser.

At a whopping 579.3 MB for iOS 4.0.2 on iPhone 4, it does seem like there should be something more substantial in the update — proximity sensor fix anyone? — but if there is, Apple isn’t saying.

Kudos, however, for moving at what is for Apple security, lightning speed.

If you don’t care about the Jailbreakme.com, or care about potential malware exploits more, head on over to iTunes and start your download. If you notice anything else fixed or changed, let us know in comments!

Apple is aware of the web-based exploit used to Jailbreak iOS 4 and iPhone 4, but also potentially able to allow malicious access to any iPhone — Jailbroken or not — and are investigating it.

While many users were thrilled at the rapidity and simplicity with which Comex et. al. delivered an iOS 4 and iPhone 4 Jailbreak, that same exploit could just as rapidly and simply be used to hack any iPhone for any reason — including malicious ones like stealing your data.

Tapping on a web link is far easier to get someone to do than downloading and running a program, and with this exploit being zero-day and in the wild, Apple will need to get it patched and fast.

Until they do, the usual advice applies — don’t go to websites you don’t trust completely, and don’t click on links in emails if there’s any chance they’re malicious (go type the URL in the browser yourself).

[Reuters]

The cracking of GSM “encryption” has been making the inter-rounds lately, and this week on the Security Now! Podcast, Steve Gibson takes a look at how badly it’s broken, and what the potential risks are. In simple terms, it means what you say on your iPhone — or any GSM phone, which includes all phones on AT&T, T-Mobile, Rogers, and almost all phones internationally — can be intercepted, decrypted, and listened to if a person has several thousand dollars worth of equipment and the motivation to do it. In more complex terms:

So again, we’re now at the hobby level. We’re at the level where the hobbyist with a couple thousand dollars can – needs to know nothing about radio and even hardware. And even all of the preprocessing steps for demultiplexing the data and analyzing it and performing spectrum analysis and finding the channels and everything, all of that’s been done. There’s even some people have taken – they’re not at the GPL licensing, but they are – so they’re proprietary licenses, but free, but they’re open source and free for personal use, where turnkey packages to pull all this data together have been produced. There’s even one which abstracts this USRP, this Universal Software Radio Peripheral, making it look like a network device so that Wireshark, our favorite packet capture utility, is able to capture GSM packets and decode them and show you all the bits and all the protocols and everything going on in a stream that you capture.

So, I mean, we’re way far along in making this possible. In my opinion, this GSM Alliance is – they’re saying what they have to say politically; but, if they really believe what they’re saying, that they’re in serious denial because this is no longer James Bond government-level sci-fi stuff. It would be entirely possible for a company who wanted to do some surveillance of a competitor to equip a van with some of this equipment, spending only tens of thousands of dollars, park it across the street from a competitor, aim their antennas at the competitor’s building, and spend a day just streaming in, sucking in all of the cellphone traffic that is being transacted by the employees within the building, and then drive the van off and decrypt those conversations offline afterwards and find out what was being said. I mean, it is no longer difficult to do. It’s entirely possible.

It should be noted that the GSMA (GSM Alliance) seems to consider this attack theoretical and impractical for now. If you’re interested in more, check out the audio podcast [MP3 link] or the transcript.

• Our podcast feed
• Download Directly
• Subscribe via iTunes

Join Dieter, Chad, and Rene for iPhone 3.1 Beta 3, Google Voice rejection, iTablet and Verizon rumors, Palm/iTunes escalation, SMS exploits, and all the news and how-tos. Listen in!

Featured Accessory

• Jabra SP200 Bluetooth Speakerphone for Hands-Free iPhone 3G/3GS Action

News

iPhone 3.1 Watch

• Updated: Apple Release iPhone 3.1 Beta 3 to Developers (Beta 2 Expiring Tues, July 28!)
• iPhone 3.1: Augmented Reality Apps are a Go!

Apps and App Store

• UPDATED: Apple Rejects Removes all Google Voice Apps for iPhone from iTunes App Store
• GV Mobile Brings Google Voice to iPhone… via Cydia for Jailbreak
• Apple Reverses Decision, Allows Promo Codes for Apps Rated 17+
• Apple Improves iTunes App Store Search, Asks Developers for Keywords
• Quick App: Apple Releases MobileMe iDisk App for iPhone Amazon’s Jeff Bezos Apologizes to Kindle (and iPhone Kindle App) Users
• Google Finally Provides Latitude to iPhone Users — Yeah, it’s a WebApp

iTunes & iTablet

• iTablet: When Will it Ship and What Will it Run? now that Steve is finally happy with it, and Verizon is racing to get LTE ready…
• Apple and Record Labels Trying to Reignite Album Interest with “Cocktail”?

Carrier Talk

• CEOh-Snap! AT&T Says iPhone Exclusivity Will End… Eventually
• Verizon: iPhone 3GS Cost us Money, Helped Drive Innovation Rogers Canada Roundup: Q2 Financial Results, Out of Stock, and 21Mbps HSPA+ Testing
• Apple and China Unicom Finally Maybe Potentially Have an iPhone Deal. Possibly.

The Competition

• Palm Re-Hacks iTunes Sync, Shows They Care More About Ego and Press Than Pre Users, and files a complaint against Apple
• Palm’s Roger McNamee Wants to Know if You’re Still Using an iPhone?

In Other News

• iPhone 3GS Hardware Encryption “Useless”?
• 1GHz ARM Mobile CPU on the Horizon — but is it iPhone Bound?

Help and How To

• Pro Tips: How to Secure Your Jailbroken (or Regular) iPhone Against Hackers

Forums

• From the Forums: iPhone 3.0 Jailbreak Apps, Overheating, 3GS Photos, Battery Tips

Credits

Thanks to the the iPhone Blog Store for sponsoring the podcast, and to everyone who showed up for the live chat!

Our music comes from the following sources:

• I Called You — iPhone Remix by Pete Leidy
via Sneakmove iPhone Ringtone Challenge

Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild — catching companies and users both by surprise.

Not sure we have any of that here. Macworld does report that, at the Black Hat Europe Security Conference, former NSA number cruncher Charlie Miller — who has rolled his ability to find exploits in the Mac version of Apple’s Safari Browser into tens of thousands of dollars and a couple free MacBooks at the annual Pwn2Own contest — claims to have:

…found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.

Miller previously gained attention for a Mobile Safari exploit that made for some quick early jailbreaking and led to Apple patching the problem in firmware 1.0.1.

What’s particularly disturbing, however, is that Miller also says he’s unsure whether or not Apple knows about the potential vulnerability.

He should know that absolutely dead cold, of course. He should have told Apple long before he made the information public, and only made the information public when Apple had a fix rolled out or ignored his warnings for so long that public pressure could reasonably be considered the only option in getting them to roll out a fix.

Either way, Miller should know that Apple knows because he told them first. Or do we no longer warn people in a house when we see a potential fire starting, but wait and see how much attention and cash we can get for the info first?