iPhone date glitch exposes photo albums

Summary: If your iOS device's clock is rolled back, your entire photo album is visible even if the device is locked with a passcode.

Technology consultant Ade Barkah has discovered a security/privacy vulnerability in Apple's iPhone that leaks iOS 5 album photographs under certain conditions.

Barkah explains:


This vulnerability is simple to test.  Just set your iPhone’s clock to a time in the past (say, in 2010).  Then access the Camera while your phone is still locked.  Lo-and-behold, you’ll be able to see all your “protected” images.

As part of the iOS 5 upgrade, users get immediate access to the camera even if the device is locked with a passcode.  This feature blocks access to the entire photo album and only allows the user to see photos taken from the current (locked) session.

However, Barkah found that if he rolled back the clock settings on an iOS device, the entire photo album became visible.

The point to all this is that Apple should not rely on a simple timestamp to restrict image access.  Changing the iPhone’s clock — forwards or backwards — should not affect its security.  We can’t guarantee the clock will always monotonically move forward, and when it doesn’t, the system should fail-secure.
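The design point above, as an added example that is not Apple's code or Barkah's: a constructed model of a locked-camera photo filter, with the timestamp comparison beside a filter keyed on a per-session identifier. The `Photo` fields, function names, album contents and dates are all assumptions made for illustration.

```python
"""Constructed model of a lock-screen camera roll filter; not Apple's implementation."""
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Photo:
    name: str
    taken_at: datetime       # wall-clock stamp; the clock is user-adjustable
    session: Optional[int]   # locked-camera session that took it, None if unlocked

# Constructed sample album: photos taken earlier while the device was unlocked.
ALBUM = [
    Photo("beach.jpg", datetime(2011, 7, 4), None),
    Photo("receipt.jpg", datetime(2011, 10, 20), None),
]

def visible_by_timestamp(photos, session_start):
    """Weak filter: trusts the wall clock to define 'this session'."""
    return [p.name for p in photos if p.taken_at >= session_start]

def visible_by_session(photos, session):
    """Hardened filter: membership by session id, independent of any clock."""
    return [p.name for p in photos if p.session is not None and p.session == session]

def locked_camera_views(clock_at_lock):
    """Open the camera from the lock screen, take one photo, return both views."""
    session = secrets.randbits(64)   # fresh identifier for this locked session
    shot = Photo("new.jpg", clock_at_lock, session)
    photos = ALBUM + [shot]
    return (visible_by_timestamp(photos, clock_at_lock),
            visible_by_session(photos, session))

if __name__ == "__main__":
    # Clock correct: both filters show only the photo from the locked session.
    print(locked_camera_views(datetime(2011, 12, 1)))
    # Clock rolled back to 2010: every older photo now has a stamp "after" the
    # session start, so the timestamp filter exposes the whole album.
    print(locked_camera_views(datetime(2010, 1, 1)))
```

The session-keyed filter fails secure: a photo without a matching session identifier is never shown, whatever the clock reads.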

Apple does not respond to media queries about security problems in its products.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
