A bug that would allow unlimited incorrect PIN attempts on any iOS device is enough to make a lot of people’s toes curl. Unfortunately, that is exactly what I found when I recently stumbled upon an iPhone lock screen bug that allowed me to do just that.
On 28 September 2014 I raised a bug with Apple, which was later assigned the ID CVE-2014-4451. Now that it has been patched in the latest release, iOS 8.1.1, I am able to release the details of how the bug was exploited. At this stage I do not have any devices running iOS earlier than 8.0, so I am unable to test whether this affects earlier releases of the operating system.
The steps to reproduce are demonstrated in the following video, which I placed on YouTube:
I have yet to discover whether this affects devices running iOS 7 or earlier, so if you have one of these devices and are able to demonstrate that the issue also occurs on that release of iOS, please leave a comment here and let me know.
I hope this information helps users become aware that they should stay up to date with the latest software release wherever possible, to protect themselves against such bugs.
I thank Apple for working diligently to resolve the bug as quickly as possible.
Thanks to @DarthNull on Twitter, we now know this goes back at least as far as iOS 6:
@StuartCRyan Okay, it’s worked twice (out of four tries) on a 3GS with 6.1.6. Seems a bit more picky to get just right, but it’s there.
Could a future bug with implications similar to those of Heartbleed cause major concern for the future use of biometric security? Following the critical Heartbleed vulnerability in OpenSSL, and after reading countless articles online (see below for a few), an interesting conundrum came to mind.
As we now know, there are three requirements to overcome the effects of the Heartbleed bug on any one server or service:
1. Patch the affected software on the affected server.
2. Revoke and re-issue the SSL certificates (together with the private keys behind them, which are used to encrypt traffic between two points, such as the end user’s browser and a bank’s web server).
3. Change your password for the affected service/application in case it has been compromised.
The conundrum focuses on a problem with step 3 and the use of biometric security measures such as fingerprints, retina scans and, potentially, new vein-scanning technologies. While these technologies are not heavily used by consumers today, they are becoming more commonplace: many users of the new Apple iPhone 5s (myself included) use a fingerprint to speed up unlocking the lock screen, and the potential uses are already on the rise as this technology becomes more mainstream.
Taking a high-level look at this, from a pure sequence of events (as opposed to analysing how or where the biometric data is stored and/or transferred and how it may or may not be encrypted), I offer the following hypothetical scenario to consider. In 12 months’ time, let’s say you can use your fingerprint or a retina scan to get cash out at an ATM, or to identify yourself to your bank and other providers using your smartphone. The technology is in use for a period of time, and after a while a bug with consequences similar to Heartbleed’s happens to be discovered. At that time there may be no clear evidence of whether the bug has been exploited or not; however, this actually becomes irrelevant. Taking a worst-case scenario, let’s say that, despite the best efforts of the companies, the multiple layers of encryption and all the other security measures, one of the many supporting components of the authentication process has a bug which has caused, or could potentially cause, your biometric details to be exposed, copied or intercepted.
As our primary form of authenticating ourselves today is a password, we can simply change our passwords, which invalidates the potentially compromised credentials. As I am sure you can now surmise, if we were using biometric authentication we could not simply change our retinas or fingerprints; these stay with us for life. I will admit this is taking the extreme end of a worst-case scenario, and with any high-level security solution you would expect several layers of protection, but it definitely poses an interesting question: what can be done to invalidate and then re-issue a biometric credential?
Unfortunately I don’t have an answer, but I do hope this might promote some discussion, or at least plant the idea in the back of a few people’s minds. If anyone has any thoughts or ideas please let me know, as I am genuinely curious about the answer to this riddle. In the meantime, perhaps it is best for all of us to strongly consider who we want to hand our biometric “prints” over to… if they are ever compromised, you can’t simply change them.
Squirrel Street (formerly Shoeboxed Australia) may have just taken me from being 100% reactive at tax time to 100% proactive, and that (in my books) is a massive win! Although it has an unusual name, Squirrel Street takes all the receipts out of your “shoeboxes” and makes them accessible online. For me, I hope this will make preparing my tax return more straightforward and streamlined, and I may just be on the way to a 100% paperless tax return.
A major benefit of Squirrel Street is that their scanned receipts are Australian Tax Office (ATO) accepted, so for those of you who are Australian and submit a tax return to the ATO each year, Squirrel Street is an accepted storage mechanism for your receipts. For those of you outside Australia and New Zealand, Shoeboxed US also operates in the US and Canada, so you are covered there. As a guy, I can say that my tax return is usually the last thing on my mind each year; I find myself scrounging for my receipts, donation receipts, work-related expenses and all the other things I need to put together my tax return.
I also tend to submit my tax return online at the *very* last minute possible before the deadline, as it takes me so long to set aside a day to hunt down all the receipts… so anything that makes my life easy is definitely a win. I found Shoeboxed some time ago, which has since rebranded in Australia to Squirrel Street (to be honest I have no idea how I stumbled across it), but the idea of being able to shove all my receipts, bills and other documents into an envelope and have them magically appear online for me to search, access and categorise sounded like a dream come true.
For the first month I decided on the Business $99.95AUD plan, which came with 500 “documents”. This includes documents that you mail in, scan and upload yourself (that you opt to have automagically processed), and snap and upload with the Squirrel Street Mobile App. This was more than enough for me to clear out the last year of backlog (I figured this financial year was more than enough) and get a really good feel for the service. With the exception of the occasional receipt that I have to re-label (as one receipt may have been entered under the company name “Vendor” and another under “Vendor Australia”, where sometimes they could be one or the other), I have to say I am really happy with the results.
I have also set up a forward that takes the document details and automatically uploads them into Evernote to enable extremely easy searching of all the receipts via another mechanism (and I treat this as a good backup).
After you mail in a series of receipts you will start to see them appear in your account, classified with the category (which can be set automatically or manually), total amount, total tax, date and the company/person that was paid:
As you can see from the above image, there are numerous categorisations. The yellow categories are ones that I have added and assigned to a particular store/vendor that I want them to be listed under. It will also tell you (where it is listed on the receipt) whether it was paid by cash, credit or debit card, cheque, etc.
There are a range of other great features, and I have to say I am really looking forward to having more of a play and finding out just how good the searching and reporting features are come tax time. As soon as we hit June 31st I am going to be giving Squirrel Street a run for its money to see just how easy it can make my life for submitting a tax return and keeping all the receipts on file for my records.
There are lots of other little features that I have yet to get my hands dirty with; I have dabbled a little in searching and sorting, and in uploading business cards as well (which is insanely easy from the mobile app). Support has been extremely helpful and able to explain things to me when I ran into some early issues understanding how the email integration worked.
Why would you:
You find yourself struggling to keep track of your receipts/invoices/bills throughout the year
You want the time saver of just stuffing all your receipts into an envelope, posting them in, and having them appear in an account for you to categorise, search and archive
You run a small business and need what you could almost define as an online bookkeeper
You would like to better prepare for audits
You would like to share your receipts electronically with your accountant (Classic plan and higher)
Why wouldn’t you:
The price is something people may be put off by; I guess it is one of those things where you need to weigh the convenience against the price
You prefer not to store your receipts and invoices online.
The two things I liked most:
Being able to set up email rules on my mail account to automatically send monthly invoices from all my online subscriptions straight into Shoeboxed without any intervention from me
Receiving free envelopes that can be filled with receipts and sent back (available on the Classic or higher plans) that then magically appear in my online account (you can then opt to have everything shredded or instead mailed back to you). Correction: new envelopes are posted out after the old ones are received and processed
The two things that I liked least:
The user interface was a little confusing in the beginning; even as a geek, it took me a while to understand where some things were, and there were certain things in the UI that confused me then (and still confuse me now)
The FAQs seemed a little light on information when I ran into problems, which required me to contact support (don’t get me wrong, the support was exceptional); I would just like to see their FAQs rounded out a bit.
Hints if you want to give it a go:
Make sure you check out the Squirrel Street email address under your account; it lets you forward emails to that address, which will then be processed and added to your account (very handy, especially if you set up some auto-forwarding rules in your email client for those that come in each month).
If you are in for the long haul, by signing up to the yearly plan you can get between 250 and 1000 “kick off” scans to help you clear out your backlog, as well as 2 months free for the year. As I was not 100% sold on the idea originally, I will admit I just did this by paying for a larger plan for the first month so I could give it a good trial first, but they do have a 30-day money back guarantee.
If you can go for the Squirrel Street Classic or higher plan you will get mailed “magic envelopes” weekly, which are reply-paid envelopes that you can just fill and send back; this makes the whole process brainless and painless :D. (Note: your receipts will not be returned to you on the Squirrel Street Lite plan).
If you send/upload/email more documents than your quota for the month there will be overage charges (depending on your plan), so make sure you plan early and plan accordingly.
I will keep this updated when I post the next stage of my review in a month or so’s time.
*corrections made to Magic Envelope delivery details April 16, 2014 12:54 pm
*changes made to rebrand Shoeboxed Australia to Squirrel Street April 28, 2017 9:05 am