Last Post and Rouse at the Shrine

I had another wonderful opportunity to play the Last Post and Reveille (Rouse) bugle calls at the Shrine of Remembrance in Melbourne.

This amazing building is a magnificent tribute to Australia’s serving, returned and deceased military personnel and, as a civilian bugler, it’s rare that I have the chance to play there.

This performance was for the XLI Club, whose purpose is “…to bring together like-minded members of the community who embrace the efforts of all law enforcement, defence and emergency services, whilst making a positive contribution to the local community and selected charities.”

I was able to record my performance:

I still have a number of ANZAC memorials in the lead-up to ANZAC Day, including the Toorak Heroes Club, Melbourne Central and an Essendon and Collingwood FC brunch on ANZAC Day itself.

Voicemail privacy issue. Is Apple to blame?

After tinkering with and trying to raise attention to a serious privacy issue in Telstra’s MessageBank Plus (their implementation of Apple’s Visual Voicemail), I’m now convinced that the issue lies within Apple’s service and not Telstra’s implementation of it.

At the end of the day my contract is with Telstra. They’re the custodians of my privacy here and with them remaining absolutely silent, I’ve had no-one else to point the finger at. But my repeated replication of the issue makes me seriously consider the fact that this cannot be limited to the Telstra network.

I have definitely been told that Telstra doesn’t use IMEIs to authenticate devices for Visual Voicemail. And I remember reading that Visual Voicemail can use “invisible” SMS messages to authenticate and communicate with a device. This all led me to this document – I have no idea if it’s the exact solution Telstra uses, but it sounds similar. And if so, my hypothesis is this:

That iOS does not send, or does not send a valid STATUS SMS (8.1.4) when a different SIM is inserted immediately following an iPhone’s activation.

I would love for people to test this issue on other carriers!

We Need You!

Do you have access to the following?

  • A spare iPhone you’re happy to wipe
  • Your SIM for a service WITH visual voicemail active
  • Another SIM for a service WITHOUT visual voicemail active on the same carrier

If so, fantastic!

Firstly, you’re about to wipe your phone. Do not continue if you have any data you wish to keep on this device!

Your steps may differ slightly from what my iPhone 5 gave me; for example, Touch ID is on the 5S and above. I’m intentionally not setting up any services or features in order to save time and not add any complications.

  1. Insert your SIM (with VVM active) into the iPhone
  2. Open Settings, select General > Reset and Erase All Content and Settings
  3. Leave your SIM in and once it’s restarted, set up the iPhone as a new device:
    1. Select Your Country: Australia
    2. Choose a Wi-Fi Network: Use Mobile Connection
    3. Location Services: Disable Location Services
    4. Create a Passcode
    5. Set Up as New iPhone
    6. Apple ID: Don’t have an Apple ID then Set Up Later in Settings then Don’t Use
    7. Terms and Conditions: Agree then Agree
    8. Siri: Turn On Siri Later
    9. Diagnostics: Don’t Send
    10. Welcome to iPhone: Get Started
  4. Turn the iPhone off and remove your SIM
  5. Call your number and record yourself a message
  6. Insert the other (non-VVM) SIM
  7. Turn the phone on

Do you get the message? If you did, please leave as much detail about your service and where you are in a comment below.


An escalating little Telstra privacy breach

What voicemails have you received recently? A birthday message from a mate? Your mechanic letting you know your car’s ready? A doctor calling about your child’s test results? Your psychologist confirming an appointment? A lawyer to say your divorce papers are ready?

Now, who have you given or sold an old iPhone to? A family member? A colleague? A stranger? How would you feel if you discovered they had been listening to your messages?

If you’re up-to-date with my previous blog posts on this, feel free to jump ahead. If you’d like a walk down memory lane, please allow me to take you on a journey…

A short history of nearly everything

When the new owner of my old, formatted iPhone contacted me on Wednesday Jan. 20 to say they’d been receiving my voicemail I was immediately terrified. Not for my own privacy – I don’t receive many messages and I knew the person who had the phone – but for whoever else could be affected and to what degree. Telstra immediately denied this was even possible but having seen (and heard) my voicemail on this old device I thought to email The Age.

I’m pretty sure it was Fairfax tech journo Hannah Francis‘ call to Telstra on Thursday Jan. 21 that got the cogs turning; I was called by Telstra’s high-risk complaints team, then a senior engineer confirmed what I’d experienced and put a temporary fix in place, some 30 hours after I first contacted Telstra. Hannah’s article (Telstra privacy breach leaves customer’s voicemail exposed) was published online on Friday Jan. 22 and in print on Saturday Jan. 23. The engineer flew to Melbourne on Sunday Jan. 24 to have a look at the old iPhone.

Communication from Telstra had been thin at best. Then late on Monday Jan. 25 I received an automated email to tell me Telstra had “sorted out” the issue; no explanation of what had happened or how it was fixed. Then, on Tuesday Jan. 26, I received Telstra’s official statement:

We apologise to customers affected by this and thank them for their patience as our engineers investigated the reports.

Overnight we have successfully tested, and are currently rolling out, a fix to address it.

We will be informing any customers who we identify may have been affected of the steps being taken.

And until this afternoon, Wednesday Jan. 27, that’s all she wrote.

Big trouble in little Australia

I’ve openly stated that, by raising and pursuing this issue, I wanted to ensure the cause of this issue was found and resolved, not just its symptoms. While mulling over everything today I read back over Hannah’s article, my Telstra chat logs and my blog posts. I remembered a comment from Matt who said he’d seen the issue before and that it might have something to do with the activation of the iPhone after it is reset using an active Telstra SIM. I whipped out another spare iPhone (I’m a hoarder of these things), played around for a while and sure enough, I have been able to replicate the issue. This. Is. Huge.

Firstly, the ingredients:

  • An iPhone you’re happy to wipe clean.
    • My test was on an iPhone 5 running iOS 9.
  • Your active Telstra SIM (with Visual Voicemail, aka MessageBank plus active).
  • Another person’s active Telstra SIM (without Visual Voicemail active).
    • I bought a brand new $30 Telstra Pre-Paid SIM this afternoon to test with; MessageBank Plus is not available on Pre-Paid.

Then the all-important execution:

  • Put your SIM in the iPhone
  • Open the Settings app, go to General > Reset > Erase All Content & Settings
  • Follow Apple’s process here – it might differ if you have Find My iPhone enabled for example
  • Once it’s restarted, follow the prompts to set the device up as a new iPhone. To skip setting up an Apple ID, choose the following:
    • Select Your Country: Australia
    • Choose a Wi-Fi Network: Use Mobile Connection
    • Location Services: Disable Location Services
    • Create a Passcode
    • Set Up as New iPhone
    • Apple ID: Don’t have an Apple ID then Set Up Later in Settings then Don’t Use
    • Terms and Conditions: Agree then Agree
    • Siri: Turn On Siri Later
    • Diagnostics: Don’t Send
    • Welcome to iPhone: Get Started
  • Turn the iPhone off.
    • This is the point I have gotten to every single time I have passed on an iPhone. Every. Single. Time! I want to make sure all my data and apps are definitely gone; seeing the stock home screen, Stocks and all (see what I did there?), is the best way to confirm everything is shiny and new. From memory iOS 7 was the first to force a passcode so any recent hand-me-downs were sent with the code! I doubt I’m the only person who’s done this.
  • Insert the other person’s SIM.
  • Call your own number and leave yourself a voicemail or two.
  • Turn the iPhone on.

Want to see it in action for yourself? Here you go! The video is long, I’m sorry, but it covers the process to replicate the issue.

At this point I really hope you don’t find that your voicemails are still being delivered to what is now effectively someone else’s iPhone.

Oh, the thinks you can think

There are so many questions here:

  • Why are my voicemail credentials not removed when the iPhone is restarted with another service?
  • Is this a Telstra issue or is this the iPhone/iOS itself not dealing with the change of SIM?
  • Does this happen with other iPhone models and iOS versions?
  • Does this happen on other networks in Australia and around the world?
  • How many people has this affected, for example Telstra customers with Visual Voicemail who have passed on an iPhone to a Pre-Paid user?

So, what happens next? I honestly don’t know. I feel like I’ve climbed a hill to find a mountain behind it. Right now, I’m going to sit down and enjoy the view.

An unresolved little Telstra privacy breach

Welcome back to the curious case of the voicemail on the formatted iPhone 5! If you’re new here, welcome. This is now the third installment in my adventures with Australia’s largest telco [1], Telstra. My two previous posts are:

  1. A big little Telstra privacy breach, and
  2. A continuing little Telstra privacy breach

The TL;DR here is that I sold my iPhone 5 after formatting it and the new owner was receiving my visual voicemail. Telstra acknowledged the issue, but only after denying it was even possible and the media got involved [The Age, Friday Jan 22]. They then changed the security of my voicemail which prevented the iPhone from authenticating… It’s still trying as far as I know, but it’s failing.

So, on Saturday afternoon, three days after I first approached Telstra, the engineer I had been speaking with called. He was in the lab and desperately trying to replicate the issue and, while doing so, needed to confirm some details. He was understandably under some pressure to find the cause of the problem and would be flying to Melbourne to see the problematic device the following morning.

I have to say, of all the people I have interacted with at Telstra, this engineer has been an absolute legend. He knows his stuff and I’m desperately trying not to undermine his ability or authority, or his own privacy. He’s working hard and he’s the only person to have offered any form of ownership of and apology for the issue. Thanks – you know who you are!

On Sunday I was contacted via this blog by someone who has had a very similar experience. I was then in touch again with Hannah at Fairfax who told me she’d also been contacted by someone. She’d reached out to Telstra’s media team again but as far as I know she hasn’t received a response.

I’ve since had two frustrating and disappointing updates. This evening I was contacted by another journalist who, having spoken with someone at Telstra himself, told me the issue was apparently resolved. He wanted a comment to which I replied “it’s not”. Then, to round out the day, I received the following:

Solved?

I’ve completed the questionnaire; “Is your matter resolved?” No. “How likely are you to recommend Telstra?” Not very.

To be absolutely clear, there is little I want to achieve here:

  • Some explanation as to how the issue occurred.
  • If I messed something up – tell me so I (and others) don’t do it again.
  • If I didn’t, tell me what’s being done to ensure it doesn’t happen to anyone else.

There has been absolutely no recognition from Telstra of just how devastating this issue could have been, including for me! A few years ago I had a serious health complication that, for a short while, was looking like lung cancer. I immediately spoke with my wife about it, but can you imagine if I had mulled it over while my messages, unbeknownst to me, were being listened to by someone else? Far out!

Finally, I’ve been overwhelmed by the support I’ve had from family and friends who all agree this issue is absolutely worth pursuing. I’ve been receiving messages from around the world and my little site has been wiped out at least once by the traffic it’s receiving. Thank you all.

Tomorrow’s a new day!

A continuing little Telstra privacy breach

There was movement at the station, for word had passed around that the media was picking up their pens…

This post follows on from yesterday’s revelation that the new recipient of a completely formatted iPhone is receiving my voicemail…

Today kicked off at full speed when I woke to a swathe of support and comments from my reddit post. There was the suggestion again that the IMEI of my old device was part of the problem, concern about the overarching privacy issues and someone suggesting that I contact Apple, which I didn’t believe was necessary. Apple definitely knows about the issue now though! But let’s take a step back…

Early this morning I received a tweet from Telstra offering to investigate the issue, again reiterating this was unique and shouldn’t be possible. Shortly after this a journalist from a tech news site got in touch, though I didn’t have any more for him than was available online. Things then got a little more exciting when I finally received a call mid-afternoon from someone who deals with Telstra’s “complex complaints”. While he once again left me feeling like he didn’t believe this was happening, he seemed to be in more of a position to get the wheels rolling, which they did tonight, finally.

Late in the day another major newspaper also got in touch. Both journalists said they had reached out to Telstra…

The big news though is that at around 19:30 tonight I received a message from a very senior Telstra voicemail engineer. Straight off the bat I knew he was the guy who would get this sorted. I will respect his privacy here as I doubt he’s in a public role, but after all of the disbelief and hand-balling, he confirmed that the logs showed my voicemail account being accessed by two separate devices and with a direct contact at Apple, he now had them in disbelief himself.

I want to do some reading about visual voicemail now so I can understand the service’s architecture, but ultimately my old device has retained some level of authentication with the service and is stuck in the mode of thinking the new owner has visual voicemail enabled, which he doesn’t. The records show the other device is accessing my voicemail without requesting authentication. Needless to say, Telstra finally acknowledges and is concerned about the issue and Apple is closely watching the outcome of further tests.

The engineer also confirmed that yesterday’s deactivation and reactivation of my visual voicemail wouldn’t change any security on the service, so it was never going to work. He has now completely removed my visual voicemail service and created a new one with new authentication tokens. For now he can see my old device continuing to request messages (using its cached and now invalid credentials), but won’t receive any. Excellent!
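To make the behaviour described above (and the open questions from the earlier post: why the credentials survive a SIM change, and what a fix looks like) concrete, here is an added toy model. It is not Telstra’s or Apple’s code and is not based on their real architecture; the ICCID values, phone numbers, token format and message store are all constructed for the example. It replays the hand-me-down steps from the post against a hypothetical voicemail back end in three configurations: tokens accepted regardless of SIM (the leak), tokens bound to the SIM that obtained them, and tokens rotated by recreating the service (the engineer’s fix, which leaves the old handset polling with now-invalid credentials).

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical model of a visual-voicemail back end, written for this post as
# an illustration. Nothing here is Telstra's or Apple's implementation; the
# MSISDNs, ICCIDs and tokens below are constructed values.


@dataclass
class Mailbox:
    msisdn: str
    vvm_enabled: bool
    messages: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)  # token -> ICCID that obtained it


class VoicemailServer:
    def __init__(self, bind_token_to_sim: bool):
        self.bind_token_to_sim = bind_token_to_sim
        self.mailboxes: dict = {}   # msisdn -> Mailbox
        self.sim_owner: dict = {}   # ICCID -> msisdn

    def provision(self, msisdn, iccid, vvm_enabled):
        self.mailboxes[msisdn] = Mailbox(msisdn, vvm_enabled)
        self.sim_owner[iccid] = msisdn

    def activate(self, iccid):
        """Handset activation: mint a VVM token for the SIM currently inserted."""
        msisdn = self.sim_owner.get(iccid)
        if msisdn is None or not self.mailboxes[msisdn].vvm_enabled:
            return None
        token = secrets.token_hex(8)
        self.mailboxes[msisdn].tokens[token] = iccid
        return token

    def leave_message(self, msisdn, text):
        self.mailboxes[msisdn].messages.append(text)

    def rotate_tokens(self, msisdn):
        """Recreate the service: every previously issued token stops working."""
        self.mailboxes[msisdn].tokens.clear()

    def fetch(self, token, presented_iccid):
        """Return the mailbox contents for a token, or None if rejected."""
        for box in self.mailboxes.values():
            if token in box.tokens:
                if self.bind_token_to_sim and box.tokens[token] != presented_iccid:
                    return None  # token was minted for a different SIM
                return list(box.messages)
        return None  # unknown or rotated token


class Handset:
    """Caches the VVM token and, like the post describes, keeps it across a SIM swap."""

    def __init__(self):
        self.iccid = None
        self.cached_token = None

    def erase_all(self):
        self.cached_token = None          # Erase All Content and Settings

    def insert_sim(self, iccid):
        self.iccid = iccid                # cached token is deliberately NOT cleared

    def set_up(self, server):
        self.cached_token = server.activate(self.iccid)

    def poll(self, server):
        if self.cached_token is None:
            return None
        return server.fetch(self.cached_token, self.iccid)


OWNER, BUYER = "+61400000001", "+61400000002"        # constructed numbers
OWNER_SIM, BUYER_SIM = "ICCID-OWNER", "ICCID-BUYER"  # constructed ICCIDs


def hand_me_down(bind_token_to_sim=False, rotate_after_sale=False):
    """Replay the post's steps and return what the buyer's handset receives."""
    server = VoicemailServer(bind_token_to_sim)
    server.provision(OWNER, OWNER_SIM, vvm_enabled=True)
    server.provision(BUYER, BUYER_SIM, vvm_enabled=False)
    phone = Handset()
    phone.insert_sim(OWNER_SIM)
    phone.erase_all()
    phone.set_up(server)          # activated while the owner's SIM is still in
    phone.insert_sim(BUYER_SIM)   # owner's SIM out, buyer's SIM in
    server.leave_message(OWNER, "constructed test voicemail")
    if rotate_after_sale:
        server.rotate_tokens(OWNER)
    return phone.poll(server)


def owner_still_works(bind_token_to_sim=True):
    """Binding must not break the legitimate owner's own handset."""
    server = VoicemailServer(bind_token_to_sim)
    server.provision(OWNER, OWNER_SIM, vvm_enabled=True)
    phone = Handset()
    phone.insert_sim(OWNER_SIM)
    phone.set_up(server)
    server.leave_message(OWNER, "hello")
    return phone.poll(server)


if __name__ == "__main__":
    print("no binding, no rotation:", hand_me_down())
    print("token bound to SIM:     ", hand_me_down(bind_token_to_sim=True))
    print("tokens rotated:         ", hand_me_down(rotate_after_sale=True))
    print("owner's own handset:    ", owner_still_works())
```

The first call returns the owner’s voicemail on the buyer’s handset, which is the leak; the other two return nothing. Rotation is what the post reports the engineer doing, and it stops the leak only for the one account it is applied to, whereas binding each token to the SIM that obtained it closes the hand-me-down path for every account without touching the handset.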

There is clearly a wealth of investigation still to do; he’ll probably want to get his hands on that device! And while my ultimate quest for answers and a guarantee that systems and processes will be established to prevent this ever happening again is far from over, the immediate privacy concern has abated.

Oh, an hour ago Telstra’s twitter team updated me that they’re still investigating the issue, but again suggested I’ve left my Apple ID signed into the device… ¯\_(ツ)_/¯

Stay tuned for more. 🙂

A big little Telstra privacy breach

Update @ 23:00 ADST – Jan 21

It’s been a pretty huge day! You can continue reading this adventure in my new post; A continuing little Telstra privacy breach.

Update @ 21:00 ADST – Jan 20

Boy has this been an exciting afternoon. The official word from Telstra is “shut up and wait”. After a lengthy chat session that was escalated part-way through, I’ve been told my only option is to disable Visual Voicemail, wait for a case manager to call (24-48 hours) and wait for the other device’s owner to go to a store. So much for “hey, we’ve totally destroyed your privacy, here’s how we’re bending over backwards to help you”.

Update @ 19:00 ADST – Jan 20

Telstra’s Visual Voicemail reset is complete and (as advised) all of my old messages have been deleted. I have since done the following:

  • I asked my wife to call my number and leave a voicemail.
  • I asked the owner of my old device to reboot their phone.
  • They sent a message after the reboot not only telling me the message arrived, but repeating its contents.

Meanwhile, the email Allen said he would send with his contact link has never arrived. Telstra have also tweeted to say:

…voicemail is linked to your SIM Card, not your device, did you ensure to remove the SIM?

My SIM is now in my iPhone 6S here with me and wasn’t sent with the phone. Back to 24×7 Chat we go.

Original post @ 16:00 ADST – Jan 20

In late 2015 I performed a factory-reset on an old Apple iPhone 5 and sold it. It’s the same process I’ve done a number of times in the past (yeah, I know, I’m a gadget junkie) and before handing it over I ensured there was absolutely nothing of mine left on the device and the SIM was removed. A few hours ago the new owner let me know that they’re receiving a copy of my (visual) voicemails on the device and repeated contents and sent a screenshot of the messages to confirm it. YIKES!

Here’s what we could establish:

  • We’re both Telstra customers.
  • Messages aren’t received in realtime, only when the phone is powered up.
  • My own device and visual voicemail works as it should.
  • If the user misses a call and the caller doesn’t leave a message, the user receives the standard missed-call TXT notification.
  • If the caller leaves a message, the user has no notification at all – no visual voicemail (it only shows mine), no TXT notification.
  • If the user calls 101, Telstra’s messagebank service, they can access their voice messages.
  • They listened to some of my messages trying to work out who the unknown callers were – they were understandably confused!

Let me be clear here – no matter what the cause is, this is a significant breach of privacy. Could you imagine a law firm or other privacy-critical service (medical practice, government department, school etc.) turning over a fleet of phones? The thought is terrifying. But let’s stick to the facts!

After a tweet and a facebook post I was steered to Telstra’s 24×7 Chat service where Allen straight up told me:

…that’s impossible. Since the only way that the old iPhone can be sync with your new phone is if they’re using the same Apple ID.

and

Since you don’t have the device with you personally we can’t really test if this is actually happening.

Allen’s suggestion was to then deactivate and reactivate visual voicemail which will take between 4-8 hours. In the meantime I have lodged a complaint which I have been told will be followed up by a manager. I was given two reference numbers, one for the support case, one for the complaint and then sent on my way. That is, with one final comment from Allen:

I guarantee to you that this is a rare case and maybe the first.

Well, lucky me, I guess!

After chatting to a friend in a different part of Telstra (and receiving a similar suggestion on twitter) we are hypothesising that the device’s IMEI is used to authenticate with voicemail during its boot sequence. That’s all we’ve got for now!

I’ll update this post as soon as I can.

Remembrance Day 2015

Today I had the absolute honour of reciting The Ode and performing Last Post and Rouse at The Glen Shopping Centre in Glen Waverley. It was a pleasure being involved and it’s great to see more businesses organising ANZAC and Remembrance Day memorials.

Centre staff recorded the following video which was then posted to facebook.

If you or your business are interested in holding memorials like this in the future, please don’t hesitate to drop me a line. I can help suggest a format or put you in touch with people at the RSL who can assist you further.

Song Exploder: a behind the scenes look at music

I have recently been engrossed by Song Exploder, a podcast in which musicians/composers deconstruct one of their pieces. As a musician I am drawn to the show by many aspects; the usually hidden view of an artist’s influences and methods, the inspiration of hearing a professional musician talk so passionately about their work and my love of TV and film scores, which have now appeared in a number of episodes.

Genres span everything from pop, rap and electronica to TV and film composition and while there are a number of episodes featuring music I wouldn’t normally listen to, I still find them fascinating. One example is Joey Bada$$’s “Hazeus View” which is really not my cup of tea. But its story and the way the underlying beat was crafted is interesting.

The most recent episode while writing this, and the episode that I was busting to share is a fascinating interview with Harry Gregson-Williams about his score for The Martian, in which Harry describes his instrumental choices and his combination of synthesised and live instruments. All I can say is it’s worth a listen!

Other episodes I have enjoyed are from U2 and the composers behind Game of Thrones, House of Cards and Avengers: Age of Ultron, the last of which again gives a great view under the curtain of film scoring and the process the composer Brian Tyler used.

U2 – Cedarwood Road

Ramin Djawadi – Game of Thrones

Jeff Beal – House of Cards

Brian Tyler – Avengers: Age of Ultron

It’s a seriously great podcast and I can’t recommend it highly enough. I found the podcast in iTunes, but episodes are on the website and SoundCloud. I’d love to know which episodes you enjoy!

Whoops!

Well, here we are. Are you well? I am. Well, I was, until I deleted my website.

I’m now looking at the clear field where my website once stood, having unintentionally decided to test my disaster recovery processes. While clearing out an old backup server I discovered a folder titled richardthornton.com. “Aha”, I thought to myself. “You shouldn’t be here. Begone. You’re not needed any more.” DELETE.

And as it is with these kinds of things, this old backup just happened to be my live website. Running from my backup server. The backup server that, as it is with these kinds of things, isn’t backed up itself.

Last Post and Rouse: Victoria Police Academy Chapel

I had the honour of playing the Last Post and Rouse at the funeral of a retired Victoria Police officer in the Victoria Police Academy Chapel at Glen Waverley. This incredible chapel has an amazing blend of architecture, with my favourite feature being the domed, Renaissance-style ceiling. You’ll hear just how wonderful the acoustics are.

It’s rare for me to have video of myself playing at these ceremonies. For this service I stood alone on the balcony, out of sight of the congregation, so I was able to privately capture this video. I have intentionally angled the camera towards the ceiling out of respect for the family and their friends.