Bitcoin wallets on older iphones are insecure

[gentlemand]

It always surprises me how willing people are to place their entire lives on their phones in a way no one would ever have dreamed of a generation ago. Even worse, most phone manufacturers will abandon you security wise after a year or so. There are people running around with truly ancient devices with gaping holes.

[pawanjain]

Here is an interview with the developer of this exploit, which contains a lot of good information: https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

Essentially, the attacker must have physical access to the device, can't access any data that is stored behind the Secure Enclave PIN, and any code that is injected doesn't persist through restarts. It is a very specific exploit. If you have an iPhone 6 or later, and are using proper security measures, then an attacker can't access your data unless you unlock the phone for them, and if you reboot your phone into iOS any malware or malicious code that has been injected will no longer run. For those reasons, I don't really see this as a valid attack on cryptocurrency wallets. In addition, any good mobile wallet should have its own PIN or password which will encrypt its contents.

That's not to say mobile wallets are otherwise safe. I would only advocate storing small amounts of day to day spending money on a mobile wallet.

That would require some high level of specific scenario to occur for the wallet to be exploited. As you said, it cannot be considered truly an exploit on wallets.
Though measures should be taken so that the hackers don't target this attack on anybody, it certainly cannot be considered as a way of targeting crypto wallets.

[bitbunnny]

Every phone, older and the last issued could be vulnerable to different threats. Don't expect that manufacturers will protect, it's up to you and you only have to protect your phone and your data.
Also, it's not very wise to keep important personal and financial data on your phone because absolute security and safety can't be guaranteed.

[serjent05]

Isn't this a marketing strategy to sell more new version of Iphones?  It was stated that it is in danger only if the attacker has physical contact to the phone yes?  So why do we have to worry about such thing?  And who is a sane person that will save a huge sum of BTC on their mobile phone that have a tendency to be lost or crack?  Personaly, I never use my mobile phone as a cryptocurrency wallet except installing 2fa.

[Kizaki]

Crazy how fast technology moves and advances in our world. The iPhone X was one of the most flagship phones apple ever made, and now your telling me, that after only 2 years of it being out, it can easily get hacked and exploited?

There is a reason behind this for sure maybe its an inside job that led to this incident anyone can simply backdoor their own system and get money from the exploit itself or by fixing what they did.Apples technology is not developing that much phones from phones they are just simply changing the phones name and slight camera upgrade but in tersm of security nono

[Artemis3]

This is typical Apple support. When a product is only but a few years old, they declare it obsolete and don't bother with updates. They do this with the OSX computers, and of course tablets and smartphones. Kinda like Microsoft, but on a much shorter timespan.

It has nothing to do with bitcoin, just anything you might have in there that needs protection, would be exposed. Unfortunately Android isn't exempt of this, in fact its proprietary environment almost causes it. Every manufacturer adds their custom junk and then forgets it.

Smartphones are for the most part running insecure OSes, only a few old models can run something decent, but most can't.

And yes, this might actually be those companies playing the planned obsolescence thing.

[Theb]

Misleading headline again and this time they have taken an important piece out of the context of the article. The exploit that was found from this iOS devices are from jailbroken devices only and that is the main issue why crypto wallets aren't safe to use from these kinds of devices. In the first place it's not even right to jailbreak your device and it is one of the owners choice of doing so because just by doing it voids any kind of warranty claims from Apple, Jailbreaking your own iOS device is just exploiting it to unlock some restricted features as well as download paid apps for free. Just by that description you already know that there will be some certain issues that comes with it and there is really no guarantee that your device will still be 100% protected once jailbroken.

[o_e_l_e_o]

Well, in my opinion, I guess this can be resolved when your IOS is updated to its latest version

It can't. This exploit affects the bootrom, which is read-only. There is no way to patch it. It would require Apple to recall every device from iPhone 4 through X and perform a hardware upgrade, which is obviously never going to happen.

It always surprises me how willing people are to place their entire lives on their phones in a way no one would ever have dreamed of a generation ago.

Complete sacrifice of privacy for the slightest convenience. I'm amazed that people are willing to bug their own houses on behalf of the government with Amazon Echoes, Google Homes, and similar devices, so they don't have to push like 4 buttons to turn on some music.

This is typical Apple support. When a product is only but a few years old, they declare it obsolete and don't bother with updates.

This is true, and Apple are particularly bad at this. Not just stopping updates and leaving old devices vulnerable, but actually deliberately slowing older devices down so users get frustrated and upgrade sooner. It's particularly immoral behavior. Having said that, I don't think this is what's happened here. It would be fairly stupid of Apple to know about this bug and leave it in, since it allows users to bypass their lack of updates and install their own custom software.

[gentlemand]

Complete sacrifice of privacy for the slightest convenience. I'm amazed that people are willing to bug their own houses on behalf of the government with Amazon Echoes, Google Homes, and similar devices, so they don't have to push like 4 buttons to turn on some music.

It's the potential for physical access which is just as alarming.

Someone twats you over the head with a rock, holds up your face to the camera and bingo - they have access to your finances, photos of your bum, all of your emails and plenty more.

[o_e_l_e_o]

Someone twats you over the head with a rock, holds up your face to the camera and bingo - they have access to your finances, photos of your bum, all of your emails and plenty more.

I don't keep up to date with developments in biometrics, because I don't use them, but certainly when they first came out there were many reports of facial recognition or iris scanners on phones being fooled simply by photos of the owner. A quick internet search seems that not much has changed, and even the latest flagship phones are still vulnerable to this.

So you steal a phone, open up the "Emergency Contact" information from the lock screen, get the owner's name as well as the name of a couple of his/her next of kin, use that information to find them on Facebook, and use their photos to unlock their phone. Sounds super safe.


I'll have you know that photos of my bum are a highly sought after commodity.

[bbc.reporter]

It always surprises me how willing people are to place their entire lives on their phones in a way no one would ever have dreamed of a generation ago. Even worse, most phone manufacturers will abandon you security wise after a year or so. There are people running around with truly ancient devices with gaping holes.

It is only business. You are required by the vendor to upgrade your hardware to run the updated software. I reckon the solution would be to create opensource hardware and software devices where the community can continue its maintenance and security updates.

[Sancho18]

It always surprises me how willing people are to place their entire lives on their phones in a way no one would ever have dreamed of a generation ago. Even worse, most phone manufacturers will abandon you security wise after a year or so. There are people running around with truly ancient devices with gaping holes.

It is only business. You are required by the vendor to upgrade your hardware to run the updated software. I reckon the solution would be to create opensource hardware and software devices where the community can continue its maintenance and security updates.

This is a bad business. The planned obsolescence tactics help maintain sales in a saturated market, but I don’t want to change my smartphone every year, simply because the manufacturer is too concerned about its financial performance. This is a serious problem that goes beyond the scope of this topic.

[jseverson]

-snip-

You can't actually break iOS' facial recognition with just photos because it uses 3d recognition. It has been broken with masks, but it's not exactly straightforward.

This is typical Apple support. When a product is only but a few years old, they declare it obsolete and don't bother with updates. They do this with the OSX computers, and of course tablets and smartphones. Kinda like Microsoft, but on a much shorter timespan.

I can tell you right now that Apple doesn't like this exploit at all. It's a jailbreak exploit, something some iOS users actively look for to have more freedom with their devices. It's also worth noting that it hasn't been exploited as of now, and it would be very difficult in practice to use it to steal crypto from someone else -- they would still need to unlock the phone, for one.

[gentlemand]

It is only business. You are required by the vendor to upgrade your hardware to run the updated software. I reckon the solution would be to create opensource hardware and software devices where the community can continue its maintenance and security updates.

Most things can clearly run the most modern software several generations after the manufacturer has given up on them.

I can see why they do it but it still leaves a fairly nasty taste. It's not the latest vulva recognition they're depriving you of that counts, it's the fundamentals of security.

With Android at least a lot of is down to the widely disliked and almost always pointless tweaks they personally add. The OS should really come in two modules, fundamental Android that's the same on all phones and can upgrade without manufacturer effort, and the other bit can be their crappy bloat that they're free to abandon.

[omone1]

I have been using Iphone5 which was a gift, suddenly I can't download a lot of applications because my IOS is outdated and Iphone 5 has no support for a higher grade of software. What I currently do until I get money to buy an android is downloading applications via android emulators on my laptop. 

[Mandoy]

I do agree that cryptocurrency wallets installed in smartphones, androids are not safe. It is not exclusive only to Iphones but to all smartphones out there. There is a higher chance for a smart phone to be accessed by somebody compared to a personal computer. Actually there are website that offers services to spy on your phone just by using your phone number or email, the culprit could just pay some subscription to those websites and he can now access all your logs and data on your mobile phones.

Thus I do not recommend using mobile wallets especially for cryptocurrency and other financial related applications that risks your money.

[gentlemand]

I do agree that cryptocurrency wallets installed in smartphones, androids are not safe.

I've genuinely never heard of anyone's - reputable - phone wallet being hacked remotely. I'm sure it's more than possible if it's in someone's physical possession.

The number of hacks regarding Windows PC is too numerous to count. If I had only those two to choose from I'd go for the phone without fail.

[bbc.reporter]

It always surprises me how willing people are to place their entire lives on their phones in a way no one would ever have dreamed of a generation ago. Even worse, most phone manufacturers will abandon you security wise after a year or so. There are people running around with truly ancient devices with gaping holes.

It is only business. You are required by the vendor to upgrade your hardware to run the updated software. I reckon the solution would be to create opensource hardware and software devices where the community can continue its maintenance and security updates.

This is a bad business. The planned obsolescence tactics help maintain sales in a saturated market, but I don’t want to change my smartphone every year, simply because the manufacturer is too concerned about its financial performance. This is a serious problem that goes beyond the scope of this topic.

Agreed. However, I speculate that there will be a smart CEO who would take a different direction in the smartphone business that might utilize opensource hardware and software and also modularity of the devices.

It will be the smarter smartphone hehehe.

[jseverson]

Actually there are website that offers services to spy on your phone just by using your phone number or email, the culprit could just pay some subscription to those websites and he can now access all your logs and data on your mobile phones.

Would you mind shedding some light on this service? I've never heard of such a thing, and I imagine it would be a big deal if it actually worked as you described.

There is a higher chance for a smart phone to be accessed by somebody compared to a personal computer.

While this is true, it should also be noted that phones could actually be protected against thieves by a strong PIN, and that even biometric security measures aren't trivial to crack (except most Androids' facial recognition, don't use that lol). If you're not being personally targeted (which is incredibly unlikely for us regular folk), keeping a wallet in your phone shouldn't be too much of a security issue. That being said, you shouldn't be keeping large amounts of coins outside cold wallets anyway, regardless of whether it's in your phone or PC.

[aces777]

There has been some discussions about old Iphone users updating their Iphone devices as it is no longer safe to have bitcoin wallets on old Iphones and that users private keys are at risks. Well, unless you are being targeted, it is mostly unlikely for your phone to get hacked. Just ensure you keep strong pins and passwords and use secure connections, and you are good.