Sniffer Hijacks SSL Traffic From Unpatched IPhones

CWmike writes "Almost anyone can snoop the secure data traffic of unpatched iPhones and iPads using a recently-revised nine-year-old tool, a researcher said as he urged owners to apply Apple's latest iOS fix. If iOS devices aren't patched, attackers can easily intercept and decrypt secure traffic — the kind guarded by SSL, which is used by banks, e-tailers and other sites — at a public Wi-Fi hotspot, said Chet Wisniewski, a security researcher with Sophos. 'This is a nine-year-old bug that Moxie Marlinspike disclosed in 2002,' Wisniewski told Computerworld on Wednesday. On Monday, Marlinspike released an easier-to-use revision of his long-available 'sslsniff' traffic sniffing tool. 'My mother could actually use this,' he said."

How can they patch this?

[exentropy]

If an attacker can act as the gateway for a victim (man in the middle), he can use this attack. sslsniff works by intercepting requests between the server and the victim, and it removes all HTTPS tags/references/links. In effect, the victim doesn't know there was supposed to be an SSL connection. I don't see how they can patch this with the current technology..

Re:How can they patch this?

[nedlohs]

Because that isn't how the attack works.

Re:How can they patch this?

[aeiah]

you're thinking of sslstrip, another program by moxie marlinspike a lot of websites get around this by denying requests to http:/// for login pages and beyond, but some surprisingly popular ones didn't when i played with it last year.

Re:How can they patch this?

[spydir31]

No, you're thinking of SSLstrip which methodically strips HTTPS references. This is a different attack, where the client accepts certificates signed by any certificate that has a valid chain

Re:How can they patch this?

[rbrausse]

I thought the problem was a failure of ios to check the certificate chain? It is a mitm attack but one with a (for the attacked user) valid SSL connection. The patch fixes the incorrect certificate handling and will throw an exception.

Re:How can they patch this?

blocking HTTP URLs won't help, your attacker can do SSL connections perfectly well on their own

Re:How can they patch this?

Actually if you're already intercepting and modifying the HTTP request you can just turn it into an HTTPS request and send it on it's way, and the server is none the wiser. sslstrip already does this IIRC. The only way to defend against it is making sure users actually check the connection type.

Re:How can they patch this?

[petermgreen]

a lot of websites get around this by denying requests to http:/// [http] for login pages and beyond

There is nothing stopping a proxy using ssl to talk to the server while using an unecrypted connection to talk to the client.

Things get a little harder if the site has some pages ssl only and others avilable non-ssl only. In that case you would have to either mangle the hostname to differentiate or store a list of what protocol to use for what pages.

Re:How can they patch this?

[AJH16]

Not really, you simply have to assign each link an identifier so that when they click a link your proxy goes to the original link from your server or might even be more easily done by leaving the https on the links but returning http if the browser is not smart enough to notice the discrepancy.

never been used my ass

[aeiah]

" "It's probably been in [iOS] since day one," said Wisniewski, who speculated that even attackers hadn't known of the flaw. "Someone would likely would noticed if it had been used, because every Windows user would have been getting browser warnings [of an invalid certificate] on a public Wi-Fi network even as iPhone users were seeing no such warning." " Does he seriously think you can't filter out non iOS devices and just forward them to the proper site? even a user agent check would suffice

Re:never been used my ass

Does he seriously think you can't filter out non iOS devices and just forward them to the proper site? even a user agent check would suffice

SSL does not work that way

Re:never been used my ass

[nedlohs]

You can't check the User Agent without feeding them the fake SSL cert first, since it's in the encrpted data.

You could of course default pass along everything and only act as a man in the middle for https requests from a device that you've already intercepted an HTTP request from to determine it's of the right flavor. But that does make it ever so slightly more difficult.

Re:never been used my ass

[aeiah]

i thought MITM could, though?

Re:never been used my ass

have the https landing page[1] redirect to a http landing page[2], which redirects to a https landing page [3].
on [3] you know the user agent, and can serve a fake cert.

Re:never been used my ass

Someone surely has all the iPhone 802.11 MAC prefixes. Attackers will simply attack only those hardware addresses.

Re:never been used my ass

[petermgreen]

You may not be able to do a user agent check on the SSL request but you can probablly assume all requests from the same (local) IP came from the same device and most devices are likely to make unencrypted requests as well.

Re:never been used my ass

[petermgreen]

To redirect the user off a https page you have to negotiate a ssl session with them and that means you have to present a cert. If the cert doesn't match they will get a warning before receiving the redirect.

but as the GP implies none of this really matters much because most users will go to a http page first anyway.

Re:never been used my ass

[crow]

Yes, but you can use the device's MAC address. It shouldn't be too difficult to determine the ranges used for iPhones.

Re:never been used my ass

[Synerg1y]

that's not what MAC filtering is used for nor would it fix the problem. Sit down.

Re:never been used my ass

[shutdown+-p+now]

Can't you check for TTL~=128 on the packets to see if it's Windows or not? Then assume that anything that isn't Windows is iOS.

It won't help if there's an OS X or Linux desktop machine on the network, but how many people only have iPhone/iPad, and Windows on all their desktops? I'd wager it's a lot of potential targets.

Re:never been used my ass

Except to do the first redirect you would have to send an HTTPS page which would give you away to a non iOS client.

3G Owners are SCREWED

3G owners can't upgrade past 4.2.1. Looks like they are SOL! Thanks Apple!

Re:3G Owners are SCREWED

Exactly. Apple should be ashamed that they don't provide security updates for the original iPhone and the iPhone 3G already. Original iPhone owners have been SOL for over a year now, almost 2 year actually. If Microsoft did this, they would probably be taken to court by the Department of Justice. I'd like to point out though, that other phone manufacturers have the same problem. Take the original droid, the G1. That thing is still running 1.6, right? You can't tell me that's a good thing. As phones evolve into mini-computers, this is going to be a much larger problem over time. Hackers will have a field day with these old security issues.

Re:3G Owners are SCREWED

I'm guessing that all of those Android phones that never offer ANY security updates since they can't get updates from the vendor are ok though? We'll just tell grandma to root her phone instead, assuming the handset manufacturer even allows it.

Re:3G Owners are SCREWED

[PhilHibbs]

If Microsoft did this, they would probably be taken to court by the Department of Justice.

I have a 286 running Windows 3.1, can I take MS to court for not releasing security updates any more? That's an extreme example, all manufacturers have to end-of-line their older systems at some point, but I agree that it's a bit soon to do that for the iPhone 3G.

Re:3G Owners are SCREWED

[Jeng]

You know what is really great about Android?

It is distributed in so many different ways that you can talk all the shit you want about it since it is probably true about at least one handset.

Then again, it also means you are wrong about all the others.

Re:3G Owners are SCREWED

[Bert64]

Simple, require manufacturers to release source code (and anything else required in order to build and run the source) once they are no longer willing to provide security updates. Someone else will pick up the slack and provide updates if enough people are still using the devices.

Re:3G Owners are SCREWED

[spinkham]

iPod touch 2g also.

It was still being sold as the 8 gig version less than 3 months before the announced last software update.

The 3g 8gig was being sold around 6 months before the last announced software update.

I understand not getting feature updates, but why can't we get security updates for a device apple was still selling a year ago?

Re:3G Owners are SCREWED

The 3G owners have been screwed since the moment they "upgraded" to iOS4. Damn things ran out of memory so fast they slowed to a crawl after just a short time using them.

Posting anonymously from an iPhone 4 because the Apple fanboys will no doubt descend like flies to defend whatever crap is decanted by The Turtlenecked One, and I'm not posting from the 3GS that iOS4 rendered useless, and couldn't revert back to 3.1.3 because of some other DRM crapple strategy.

Re:3G Owners are SCREWED

Yes, if Microsoft was still selling Windows 3.1 a year ago and included network connectivity. Also, if people had to sign a 2 year contract with someone and weren't eligible for upgrade to a new device until the 2 years is up. Then yes, Microsoft should be held accountable.

Re:3G Owners are SCREWED

[PhilHibbs]

Not simple. The manufacturer may not own all the source code, or the libraries, or the "anything else" that the product uses.

Re:3G Owners are SCREWED

Because fuck you, that's why.

-- Steve Jobs

Re:3G Owners are SCREWED

[stating_the_obvious]

first, downgrading from 4.0 to 3.1.3 on an iphone is (or maybe only was) possible. LMGTFY: http://www.google.com/search?aq=1&oq=downgrade+4.0&sourceid=chrome&ie=UTF-8&q=downgrade+4.0+to+3.1.3 (click the top link...)

second, you can dramatically improve the performance of 3g phones running 4.0+ by disabling all (or most) of spotlight search settings -> general -> spotlight search, and then uncheck everything you can live without -- I recommend just keeping mail, events, and contacts)

I find it funny that you complain about apple's treatment of you (and all 3G owners) and then admit to buying a second iphone...

Re:3G Owners are SCREWED

[Tomato42]

Sucks to be them. No one forced them to use closed source libraries.

There should be a requirement for all governmental contracts to sell the application and service together with source code.

Re:3G Owners are SCREWED

[chemosh6969]

You'd think a bug 9 years old would've been fixed. As usual, no response until it's been publicized enough times instead of fixing it before it can get to this point. It would really suck if those older users really can't get a fix because they can't upgrade.

Re:3G Owners are SCREWED

[CheerfulMacFanboy]

Simple, require manufacturers to release source code

http://opensource.apple.com/

Re:3G Owners are SCREWED

...right. 2g "MC" model owner here, too. The 8GB wasn't a 3G but a 2G and this wasn't made clear. But that aside, this is a serious security flaw, and should be treated similar (here we go!) to recalls on automobiles. A security flaw might cause damages, and where there's damages it's always a sport for the group of victims to find someone responsible. And when that someone has a big wallet...

Re:3G Owners are SCREWED

[Kalriath]

You can't compile OS X or iOS from the code on that page. Sit down.

Breaks Jailbreak

[tecker]

Problem is that applying this update for something that is not likely exploited in the wild will hose your Unteathered Jailbreak. Reports on twitter are that redsn0w pointed at 4.3.4 (or 4.2.9) will work for getting a tethered Jailbreak. Many jailbreakers likely wont bother.

Wonder if someone will patch this like they did the PDF exploit and put it on Cydia.

Re:Breaks Jailbreak

[aristotle-dude]

Problem is that applying this update for something that is not likely exploited in the wild will hose your Unteathered Jailbreak. Reports on twitter are that redsn0w pointed at 4.3.4 (or 4.2.9) will work for getting a tethered Jailbreak. Many jailbreakers likely wont bother.

Wonder if someone will patch this like they did the PDF exploit and put it on Cydia.

Sorry but I don't see the problem here. If you are concerned about security in the first place then you should not jailbreak. What exactly do you think a jailbreak is anyway? You are basically stripping the check for code signing and shutting down the BSD jail sandbox mechanism for the OS so that you can run unsigned code but that also means that someone can setup a repo and trick people to download and install malware onto their iPhone. On a jailbroken iPhone, code can access any part of the filesystem without restriction whereas a stock iOS install will prevent that from happening.

Geeks should not be encouraging their grandmas or other noobs to jailbreak/root their phones because they are then leaving those phones wide open to attack.

Re:Breaks Jailbreak

[organgtool]

Which is just another reason why I am done with buying phones that I need to jailbreak just to add basic features such as custom SMS ringtones.

Re:Breaks Jailbreak

[rwven]

Jailbreaking does not magically leave your phone wide open for attack.

Re:Breaks Jailbreak

[dgatwood]

Here's what I don't understand: why don't the jailbreakers modify the phone to add trust for a Cydia root cert (or whoever's), then use that to provide free certs for devs to sign apps on Cydia, etc.? That would provide the same flexibility as a full jailbreak, but without the security impact. Or heck, add trust for all the major CAs so that any standard code signing cert will work.

The problem is that jailbreaking started out as a hack and still hasn't grown up from being a hack into being a usable tool. Then again, I guess I shouldn't expect usability from an app that presents you with a "Loading data" screen for five minutes while it downloads a description of the entire set of available packages.... Apparently, they've never heard of doing updates on background threads, performing on-demand loading, etc. What a mess.

Re:Breaks Jailbreak

Thanks, fanboi, for that stellar but completely irrelevant and pointless defense of Apple's walled garden. "Apple keeps me safe and snuggly by protecting me with their monopoly!" makes as much sense as "Look at Chewbacca! Wookies on Endor do not make sense!"

Claiming jailbreakers don't care is equivalent to saying "The way she was dressed she deserved it!"

A jailbreak does not make your phone "more open" to Apple's faulty certificate validation mechanism. Apple failed you. Steve Jobs let you down. You can either accept the imperfection and move on, or go cry in the shower.

Re:Breaks Jailbreak

[scot4875]

Guess what: the phones are already wide open to attack. That's why they're so easily jailbreakable in the first place.

--Jeremy

Re:Breaks Jailbreak

[CheerfulMacFanboy]

Jailbreaking does not magically leave your phone wide open for attack.

I'll take Charlie Miller's word over yours. http://www.macworld.com/article/141506/2009/07/jailbreak_security.html?lsrc=rss_weblogs_iphonecentral

Re:Breaks Jailbreak

[aristotle-dude]

Which is just another reason why I am done with buying phones that I need to jailbreak just to add basic features such as custom SMS ringtones.

Custom SMS tones are coming in iOS 5.

Re:Breaks Jailbreak

[rwven]

I don't care WHO said it. That's nothing but FUD. The fact remains that jailbreaking your phone doesn't leave it wide open. It DOES allow you to do many various things that CAN leave your phone wide open....but in and of itself, it's not really dangerous.

Re:Breaks Jailbreak

[Kalriath]

You could even rub Apple's nose in it, and require all code submitted to Cydia to have an Apple Developer signature - and tell devs to sign up for the Safari developer program...

Re:Breaks Jailbreak

[aristotle-dude]

I don't care WHO said it. That's nothing but FUD. The fact remains that jailbreaking your phone doesn't leave it wide open. It DOES allow you to do many various things that CAN leave your phone wide open....but in and of itself, it's not really dangerous.

Jailbreaking destroys the BSD jails in iOS, hence the name "jail break". It also circumvents checks for code signing so unsigned code can run on the iOS device. When there are no jails then each program that you install has free access to the filesystem whereas a stock iOS install limits access to a few areas on the filesystem for non-Apple software.

Re:Breaks Jailbreak

[register_ax]

Jailbreaking does not magically leave your phone wide open for attack.

Yes it does.

Jailbreaking requires you to write code to modify the bootstrap sequence. If you cannot do this, you must TRUST someone else will ENTER YOUR SYSTEM, and then LEAVE. You TRUST the program(s) they left behind (Cydia or equivalent) do not have any holes (like enabling telnet/ssh/trojan/something else bad by default) or, if they do (Strike 1), they will update their code appropriately and quickly (Strike 2 if they don't).

And that's only if you now use your phone as if it isn't jailbroken. If you want to install unsigned apps (reason most (everyone?) jailbreak), you leave yourself even more open to attack every unsigned app you install. That isn't to say you safe via Apple's signed process, but you are definitely not *safer* than without Apple. Unless you took *additional* precautions after jailbreaking, you must worry about leaving your phone anywhere as any technically minded person can get root access to your phone and install any sort of "bad" software!

Saying jailbreaking does not magically leave your phone wide open for attack is incredibly naive!

Re:Breaks Jailbreak

[rwven]

And yet, ironically enough, having a jailbroken phone can allow you to avoid or patch vulnerabilities that Apple hasn't gotten around to patching (or won't)....

Also, running unsigned code is the #1 reason people WANT to jailbreak their phone. If people could run unsigned code on their iPhones, most wouldn't bother jailbreaking in the first place.

The "jails" only protect you from things that you install through itunes. If you remember the many web-based jailbreaking techniques in times past, obviously once a flaw has been found in apple's walled garden someone could easily do anything they wanted anyway. It's only good fortune that the vulnerabilities were used to jailbreak and subsequently patch the holes that allowed the jailbreak to begin with. Apple's "security" is their biggest security risk. As I see it, jailbreaking has historically made devices MORE secure than less.

Re:Breaks Jailbreak

[CheerfulMacFanboy]

I don't care WHO said it. That's nothing but FUD.

He knows better then you. Trust me. Or remain a fool. http://www.blackhat.com/presentations/bh-europe-09/Miller_Iozzo/BlackHat-Europe-2009-Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf

Jailbroken versus Factory iPhones
Jailbroken phones are much easier to work with than factory phones. The main difference is that the jailbroken phone disables code signing. This allows for the running of arbitrary third party, unsigned, applications. Such applications include a shell, sshd, gdb, python, etc. It is no wonder that researchers prefer to work on jailbroken phones. After all, besides the code signing, there appears to be no real distinctive difference between the jailbroken and factory phones. However, this is not the case.

Many researchers, including one of the authors of this paper, have given talks where their results tacitly relied on the fact a phone was jailbroken. This is because, by disabling the code signing requirements, it doesnt just change what programs may be executed, but it fundamentally changes the way the memory page protections work. As we discussed, at this point, it is not clear how to write to a page and then make that page executable on a factory phone. While there may be a clever way to accomplish this, at the present time, any discussion of shellcode with regards to the iPhone implies the phone is jailbroken. This includes payloads that return into mprotect to set page permissions for their shellcode. If you attempt to mprotect a page which has previously had data written to it on a factory iPhone, the mprotect will fail with a return value of -1 and errno set to “Permission Denied”.

What can I do for my iPhone 3G?

I use it for browsing over wifi, and the test at https://issl.recurity.com shows it is vulnerable to this attack.

Re:What can I do for my iPhone 3G?

[h4rr4r]

Buy another iPhone of course. This is just your uncle Steve making sure you stay up to date.

Re:What can I do for my iPhone 3G?

[schnikies79]

Are you jailbroken? If so, wait for a couple days. There will be something available on cydia.

Re:What can I do for my iPhone 3G?

By now any iPhone 3G users who felt the "don't-get-left-behind" pressure and could afford it will have been "born again" with upgraded hardware. So Apple won't lose any sales by throwing recalcitrant sinners a bone with security updates for the feature set they paid for.

iPhone 3G

[bobbomo]

still no support for a less than 3 year old device, thanks for nothing Apple.

I have been looking in to the whited00r project...

Like Android is much better

[Quila]

Verizon started selling the Droid Eris in November 2009, issued an update to 2.1 in March 2010, and then nothing since.

Only four months of active support. That's gotta be a record.

Re:Like Android is much better

I've got one. To be fair, it has no GPU and as such can't make any good use out of 2.2 even if you root the phone to install it. 2.1 works better. My beef is with app developers upgrading apps and breaking support for no good reason.

Still, verizon could do more. Even the 2.1 took forever to roll out, the youtube app wouldn't even work on the phone while I was waiting for it.

Re:Like Android is much better

[jimicus]

I can beat that. Sony Ericsson shipped the XPeria X8 with Android 1.6 some time in about the end of August/beginning of September of last year. It had an upgrade to 2.1 towards the end of November, has had nothing since and Sony Ericsson have announced there will be no further update.

That's just three months - depending on where you are in the world, these phones get released at different times so it could actually work out at more like 2.

The mobile phone industry has never historically issued significant software upgrades once a phone's been released - back in the old pre-smartphone days, firmware would only ever be updated if you took the phone in for service and then you'd be lucky if any update made any noticeable difference. As an industry, none of the major phone manufacturers have ever treated their products as something customers might want to apply software upgrades to over the course of an 18-24 month contract.

Re:Like Android is much better

[risinganger]

This is why I chose the iPhone over others, this being just one example of who mobile users were typically treated pre Apple.

Apple released the 3G in July 2008 and it received iOS updates until November 2010, approximately 6 months after being discontinued so around 2.5 years of support. Compare that to the XPeria X8 mentioned which on release used a one year old OS 1.6, when 2.2 had been out for around half a year and then they assume you should be grateful when they 'upgrade' you to another obsolete version. I'm not saying Apple are as pure as snow but when it comes to mobiles they highlighted most over manufacturers laziness in my mind.

As a 3GS owner I'm told iOS 5, with all sorts of decent enhancements over iOS4, will be available to me. So unless it turns out it's not available to the 8GB version for some odd reason that's a good couple of years support there too. Not one of my previous phones with LG, Samsung or even Nokia received anything like that.

Re:Like Android is much better

There are plenty of updates around for all of those phones if you look to places like xdadevelopers. You can easily get CM7 with almost no work at all that is a custom version of gingerbread which nearly all still supported phones haven't released updates to yet. That's the beauty of android, it's open source so just grab a new fork and update it yourself rather than blindly following Steve

Re:Like Android is much better

[jimicus]

So if I want to update the OS on my phone - my 7 month old phone that still has 11 months of contract to run before I can get a subsidised replacement - I have to install an unsupported firmware that will blow any warranty out of the water?

Forget it.

Re:Like Android is much better

That is not entirely correct. Siemens (and I owned several of those (35 and 55 series) in the early 2000s ) had a web page where you can update your phone. Provided, this was not advertised, and you had to buy an expensive data cable at that time, that could cost up to a quarter of the phone price, but it was worth it.
Anyway, then went our of business.

Re:Like Android is much better

[scot4875]

And it's why I chose an Android phone that I knew was easily rootable so I could install whatever OS I wanted on it, and not be reliant on the manufacturer for updates.

Those who choose otherwise get no pity from me. It's easy enough to do the research beforehand, and it's not like hardware manufacturers have a good track record for providing support. Apple does do better than most, but they still drop support for phones that people are on contract for. Being less-bad than the alternatives isn't really a win in my book.

--Jeremy

Re:ruh roh!

Queue the anally retentive!

To be fair...

[TehCable]

"My mother could actually use this" To be fair, his mother is Kevin Mitnick

Re:To be fair...

Kevin could at most convince you to hand the phone over to him to check for electronic gremlins. I doubt he could hack the iPhone worth a damn. He's a social engineering genious; average techie at best.

Older iTouch devices?

[enderwig]

Yeah, but devices that don't support iOS 4.3 will remain unpatched and vulnerable. These include: iPod Touch (1G & 2G) and iPhone 3G and older.

Re:Older iTouch devices?

New corporate methodology: revenue generation by not fixing known exploits. Wait, Microsoft has been doing this for years.

Re:ruh roh!

[Arancaytar]

Cue is the correct term in this context. Fail.

What it would get

[Quila]

It would at least get JIT compiling, tethering and the Chrome V8 JavaScript engine, along with a bunch of other vague "performance optimizations."

Android is not Apple

We expect more from Apple, just like we expect more from Porsche than Chevrolet.

VPN

I get to keep my jailbreak plus I'm secure while keeping my jailbreak. Good job Apple better lucky trying to scare people into unjailbreaking next time.

Re:ruh roh!

Right on schedule!

Re:ruh roh!

[Duradin]

Perhaps they need to form a line for the restroom?

Apple's policy seems to be at least two years

[Quila]

As you can see, that's already much better than the situation in Android land. Of the two iPhones that have gone out of support:

iPhone: Jan 2007 - Jul 2008, last update Feb 2010, support 3 years, 1.5 years after last sale

iPhone 3G Jul 2008 - Jun 2009, last update Nov 2010, support for 2.5 years, 1.5 years after last sale

I'm seeing a pattern here, and it's better than most Androids.

Wait a minute

[psydeshow]

Did Apple really write a new custom certificate validation stack for iOS? Really?

And then the developers failed to test it against this basic condition (using a valid certificate to sign a fake certificate)? On a device where you can only connect via wi-fi networks, which are inherently untrustworthy!

Why, Jobs, why?

THIS is the kind of gross incompetence that deserves a Congressional investigation. Who was behind this? Was it stupidity or actual malice?

Re:Wait a minute

[Synerg1y]

This is more like it, could a possible backdoor into IOS have been discovered? It seems that something like this would have come to surface a whole lot sooner...

was this a problem with earlier IOS is the interesting part.

Re:Wait a minute

[psydeshow]

was this a problem with earlier IOS is the interesting part.

It's a problem on my my 2G iPhone, running iOS 3.1.3. So, yeah, it has been a problem for a while.

blllaaaaaa

iphone schmiphone ...

Re:ruh roh!

You mean unlike the iTards, who are already here?

-- A pre-MS-fuckup Nokia user. (Always have been, never will be anymore.) (And I will neither use Android either. If I don't have full access to the hardware, and Java extensions for ALL built-in functionality [Which isn't the case with Android. I checked. You can't even write a fuckin' answering machine on that thing! {The ones that say they are, actually aren't. I checked that too.}], they can go fuck themselves.)

Why exactly

[deains]

Would you be doing anything "secure" at a public wi-fi hotspot? Checking bank details can wait until you get home I'd imagine, or you could hop onto the kinda-more-secure 3G network.

Re:Why exactly

[Tomato42]

You either do check SSL certs and use secure ciphers or you don't.

If you don't you're not secure no matter the access point to network. Internet is a insecure network, WiFi hot-spots don't make it less so.

Re:ruh roh!

[justsayin]

Cue the pedants.

Re:ruh roh!

Let me guess, you went back to the good old cups and string method of communications.

older iPhones

[phrostie]

if you have an older phone, there are no updates.

Re:ruh roh!

[sjames]

Given the number of anally retentive, I think we'd better queue them.

why is this so old...

[hesaigo999ca]

Why is something that is so old, still working on new technology that has been pushed out after it? If Apple can not make sure that their products being shipped at least have the latest updates before shipping, then there is a problem....now i have to review how many times i used wifi hot spots with my iphone.....oh ..wait.....i never do that!

sorry, never mind..... as you were.....