Wi-Fi Vulnerability in Things for iPhone and Mac
(Thanks to MacMacken reader Marie for providing the following rough English translation of Wednesday’s blog entry on a serious Wi-Fi vulnerability in Things for iPhone and Mac!)
Things is a popular GTD application available for iPhone (including iPod Touch) and Mac. Things offers syncing between the iPhone and Mac versions over Wi-Fi – unfortunately without any encryption … 🙄
In the first half of this week, I had received some respective hints from MacMacken readers – thanks a lot for these hints as well as the reference to a thread in the Things forums on this Wi-Fi vulnerability! In order to verify the alleged vulnerability, I created a new task called ‘erdbeere’ (strawberry in German), tagged it ‘himbeere’ (raspberry in German) and added a note consisting of the word ‘blaubeere’ (blueberry in German) …
… during the next sync between Things on my Mac and on my iPod Touch, I captured all synced data by using Cocoa Packet Analyzer (CPA) and started a search for the above-mentioned berry varieties in the captured data – to my disbelief with success! 🙁
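As an added example (not code from the blog post or from Cultured Code), the Python script below automates the canary check described above: plant distinctive words in the data to be synced, capture the sync traffic, and search the raw capture bytes for them. It goes a little beyond the post's plain text search in that it also looks for UTF-16 and base64 renderings of the canaries, because a sync protocol that base64-wraps or re-encodes its payload is still unencrypted even though a plain search would miss it. The sample captures are constructed stand-ins rather than real Things traffic, and the HTTP framing and XML element names in them are assumptions.

```python
"""Canary check for plaintext sync traffic (added example, not the post's own tooling).

Plant distinctive words in the data to be synced, capture the Wi-Fi traffic,
then search the raw capture bytes for those words. A hit proves the sync is
unencrypted; a miss does not prove the opposite.
"""
import base64
import random
from typing import Dict, List, Tuple

# The canary words from the post; any distinctive strings work.
CANARIES = ["erdbeere", "himbeere", "blaubeere"]


def base64_fragments(word: str) -> List[bytes]:
    """Return the three base64 renderings of `word`, one per alignment of the
    word's first byte (offset mod 3) within a base64 stream, trimmed to the
    characters that depend only on the word's own bytes."""
    raw = word.encode("utf-8")
    fragments = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).rstrip(b"=")
        head = (0, 2, 3)[shift]                          # chars tainted by the dummy prefix
        tail = 0 if (shift + len(raw)) % 3 == 0 else 1   # char tainted by whatever follows
        fragments.append(enc[head:len(enc) - tail])
    return fragments


def needles_for(word: str) -> Dict[str, bytes]:
    """Byte patterns under which a canary could show up in an unencrypted capture."""
    needles = {
        "utf-8": word.encode("utf-8"),
        "utf-16le": word.encode("utf-16-le"),
        "utf-16be": word.encode("utf-16-be"),
    }
    for align, fragment in enumerate(base64_fragments(word)):
        needles[f"base64/align{align}"] = fragment
    return needles


def find_canaries(capture: bytes, canaries: List[str] = CANARIES) -> Dict[str, List[Tuple[str, int]]]:
    """Map each canary that appears in `capture` to its (encoding, byte offset) hits."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for word in canaries:
        for encoding, needle in needles_for(word).items():
            pos = capture.find(needle)
            while pos != -1:
                hits.setdefault(word, []).append((encoding, pos))
                pos = capture.find(needle, pos + 1)
    return hits


def sync_is_plaintext(capture: bytes, canaries: List[str] = CANARIES) -> bool:
    """True when at least one canary is recoverable from the raw capture."""
    return bool(find_canaries(capture, canaries))


def load_capture(path: str) -> bytes:
    """Read a saved capture (e.g. a pcap exported from CPA or tcpdump) as raw bytes.
    Packet headers get searched too; that adds noise but never hides a hit."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample captures (stand-ins, not real Things traffic).
# 1) A sync payload in the clear; the HTTP framing and element names are assumed.
PLAINTEXT_CAPTURE = (
    b"POST /sync HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b"<todo><title>erdbeere</title><tag>himbeere</tag><note>blaubeere</note></todo>"
)
# 2) The same payload base64-wrapped: still unencrypted, but a plain grep misses it.
BASE64_CAPTURE = b"data=" + base64.b64encode(PLAINTEXT_CAPTURE)
# 3) Seeded pseudo-random bytes standing in for what an encrypted (e.g. TLS) session looks like.
_rng = random.Random(2009)
ENCRYPTED_LOOKING_CAPTURE = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT_CAPTURE)))


if __name__ == "__main__":
    samples = [
        ("plaintext", PLAINTEXT_CAPTURE),
        ("base64-wrapped", BASE64_CAPTURE),
        ("encrypted-looking", ENCRYPTED_LOOKING_CAPTURE),
    ]
    for label, capture in samples:
        verdict = "PLAINTEXT" if sync_is_plaintext(capture) else "no canary found"
        print(f"{label:18s} {verdict}  {find_canaries(capture)}")
```

A hit is conclusive: the data crossed the network in the clear. A miss is not: compressed or otherwise transformed payloads hide the words, and a canary split across two TCP segments escapes a raw byte search, so either keep the canaries short or let the capture tool reassemble the streams before running the check.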
The result makes it obvious that the data Things syncs over Wi-Fi between iPhone and Mac is not encrypted at all. Things users who care about the confidentiality and privacy of their tasks should therefore use Wi-Fi sync only on properly encrypted Wi-Fi networks that they use alone or share only with trusted users, since the network's own encryption is then the only protection the synced data has, and should refrain from syncing on public or other untrusted Wi-Fi networks.
How could the Things developers of Cultured Code make such a beginner’s mistake? ❓
I asked Cultured Code for a confirmation of this unbelievable Wi-Fi vulnerability and further comment by e-mail. […] Up to now, I have not received an answer from Cultured Code.
Addendum (18th July 2009, 19.30): Another user has received an answer from Cultured Code:
We recommend that you do not sync over public wifi if security is an issue. You can create a computer-to-computer network with security enabled in order to sync in a public forum in this way if security is required for your sync.
Hope this helps!