iPhone date glitch exposes photo albums

Summary: If your iOS device's clock is rolled back, your entire photo album is visible even if the device is locked with a passcode.

Technology consultant Ade Barkah has discovered a security/privacy vulnerability in Apple's iPhone that leaks iOS 5 album photographs under certain conditions.

Barkah explains:

This vulnerability is simple to test.  Just set your iPhone’s clock to a time in the past (say, in 2010).  Then access the Camera while your phone is still locked.  Lo-and-behold, you’ll be able to see all your “protected” images.

As part of the iOS 5 upgrade, users get immediate access to the camera even if the device is locked with a passcode.  This feature blocks access to the entire photo album and only allows the user to see photos taken from the current (locked) session.

However, Barkah found that if he rolled back the clock settings on an iOS device, the entire photo album became visible.

The point to all this is that Apple should not rely on a simple timestamp to restrict image access.  Changing the iPhone’s clock — forwards or backwards — should not affect its security.  We can’t guarantee the clock will always monotonically move forward, and when it doesn’t, the system should fail-secure.

Apple does not respond to media queries about security problems in its products.
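
The design point Barkah makes above, as an added example (a constructed Python model, not Apple's code and not from the article): a lock-screen camera session that filters by timestamp, beside one that keeps an allow-list of the photos it captured itself. All class and function names are hypothetical, and the timestamp comparison is an assumed simplification of the behaviour described.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the behaviour the article describes; not Apple's code.
@dataclass(frozen=True)
class Photo:
    photo_id: int
    taken_at: datetime  # wall-clock capture time; the clock is user-settable

def take_photo(album, now):
    album.append(Photo(len(album) + 1, now))
    return album[-1]

class TimestampSession:
    """Weak: shows every photo stamped at or after the session start time."""
    def __init__(self, album, now):
        self.album, self.started_at = album, now

    def capture(self, now):
        take_photo(self.album, now)

    def visible_ids(self):
        return [p.photo_id for p in self.album if p.taken_at >= self.started_at]

class AllowListSession:
    """Hardened: shows only photos captured through this session, by ID."""
    def __init__(self, album, now):
        self.album = album
        self.allowed = set()  # clock is never consulted; default is "show nothing"

    def capture(self, now):
        self.allowed.add(take_photo(self.album, now).photo_id)

    def visible_ids(self):
        return [p.photo_id for p in self.album if p.photo_id in self.allowed]

def locked_session_view(session_cls, clock_at_lock):
    """Three older photos exist; one more is taken from the lock screen."""
    album = []
    for day in (1, 2, 3):  # constructed sample data
        take_photo(album, datetime(2011, 12, day))
    session = session_cls(album, clock_at_lock)
    session.capture(clock_at_lock + timedelta(seconds=5))
    return session.visible_ids()

if __name__ == "__main__":
    for cls in (TimestampSession, AllowListSession):
        print(cls.__name__, locked_session_view(cls, datetime(2010, 1, 1)))
```

With the clock at a 2010 date, the timestamp filter returns all four photo IDs, while the allow-list returns only the one taken in the locked session, whatever the clock says.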


Talkback

43 comments
  • You're setting the date wrong.

    Just don't set it that way.

    Sent from TCP/IP
    Samic
    • RE: iPhone date glitch exposes photo albums

      @Samic

      I used to work as a mobile phone programmer.
      Always fun when getting reported bugs like this (grin)

      Nana
      http://www.cool-websites.org
      lalaland1
    • RE: iPhone date glitch exposes photo albums

      @Samic
      It's actually doing exactly what it's supposed to do.
      The camera app allows you to take photos and review the ones you just took--meaning photos taken with a time stamp that appear AFTER the time at which the camera app was launched. Setting the date to the past means that when you launch the app, any photos that were taken AFTER the time the camera app was launched are then viewable.

      Simple solution: don't set your clock to some bogus B.S. time in the past, and then photos that are taken with relative dates IN THE FUTURE won't be visible!

      DUH!! Stupid non-freakin-story
      lelandhendrix@...
      • RE: iPhone date glitch exposes photo albums

        @lelandhendrix@... The problem is it SHOULDN'T behave that way. There should be a failsafe to prevent this from happening. There are obviously some security and privacy issues here. Thinking this isn't an issue is just lazy programming, if you ask me.

        For instance, will this happen when you change time zones (as someone posted below)? If so, then frequent travelers will most certainly object to this behavior.

        EDIT: Accidentally repeated "@lelandhendrix@..."
        Ndiaz.fuentes
  • iOS is a swiss cheese OS

    iOS 5.0.1 was hacked with only a few minutes worth of work.
    toddybottom
    • RE: iPhone date glitch exposes photo albums

      @NZ


      You're falling back into your old habits of repeating proven falsehoods.
      msalzberg
      • There was a story on it very recently

        @msalzberg
        I know you hate to admit that iOS could possibly be hacked within a few minutes. The truth hurts.
        toddybottom
      • So this Ade Barkah is lying?

        @msalzberg
        William Farrel
      • William: that's the power of RDF

        msalzberg is a known Apple fanboi who simply repeats "it isn't true" when confronted with Apple related information he doesn't want to admit to.

        It isn't true.

        It isn't true.

        It isn't true.
        toddybottom
      • RE: iPhone date glitch exposes photo albums

        @msalzberg
        to toddy/NZ: "You're falling back into your old habits of repeating proven falsehoods."

        Mainly because that is all he has to work with most of the time. This "problem" is not even a glitch - it is the software doing just what it is supposed to do! To change the date requires the passcode - in which case you are assumed to be a legitimate user. When the phone is locked, it shows photos from the (supposedly) current date.

        Interesting that he denies being the same person as NonZealot. This conjures up the disturbing scenario that there may actually be two such paranoid and rabid Apple haters at large. A scary thought, but very good news for psychiatrists that such potential clients are out there waiting.

        Of course, my father could have cured these sad creatures, who apparently have to justify their existence to themselves by hating Apple and repeatedly telling themselves that all things Microsoft are wonderful. He would simply tell them to "Snap out of it!" and "Wake up to yourself!" Perhaps if they heeded these suggestions they could get a life and stop infesting these talkbacks, but that would just be wishful thinking...

        Oh well, at least there is the weekend coming up, when they leave their desks in Redmond, and we get some relative peace and quiet in here!
        rahbm
    • RE: iPhone date glitch exposes photo albums

      @willfarrell

      Nope, I didn't say he was lying. Where did I say that?

      I was commenting on toddy bottom's claiming that 'a few hours' is the same as 'a few minutes.'

      http://www.zdnet.com/tb/1-112202?tag=talkback-river;1_112202_2280028#1_112202_2280028
      msalzberg
      • RE: iPhone date glitch exposes photo albums

        @msalzberg
        While we're splitting hairs I'd like to point out that hours can be converted into minutes and "a few" is a relative term. That is, 720 minutes is a few when compared to a month's worth of minutes. The point was that a security flaw was found in a relatively short period of time, and that is a fact. It shouldn't be ignored or rebuffed, it should be patched as soon as possible.
        lippidp
      • RE: iPhone date glitch exposes photo albums

        @lippidp

        To be pedantic, 'few' is defined as a small number. While 3 minutes is few when compared to 360 minutes, 360 minutes is not few when compared to 3, which is what NZ was doing.

        Time frame means little. A bug was found, and should be fixed. In that, you and I are in complete agreement.
        msalzberg
      • Thank you lippidp, my point exactly

        "While we're splitting hairs I'd like to point out that hours can be converted into minutes and "a few" is a relative term."

        msalzberg took exception to my statement that iOS had swiss cheese security because it was hacked in a very short period of time. Of course, since my statement was true, he has had to deflect by pretending that "a few hours" is a very long time to hack an OS. Even sadder, he must resort to calling me by someone else's name. Very childish. I would expect this type of behavior from a pre-teen.
        toddybottom
    • RE: iPhone date glitch exposes photo albums

      @toddybottom
      Dum Dum Dum Dum
      lelandhendrix@...
    • All OSes are Swiss cheese.

      @toddybottom Every OS has been hacked. None of them are secure. They're all based on software technologies that are decades old. Until somebody takes a clean slate approach to build an OS from technology developed in this century, we will hear about new hacks on a weekly basis. The most important issue is how quickly the security issue is fixed once it has been discovered.
      BillDem
  • RE: iPhone date glitch exposes photo albums

    So can changing timezones cause this bug? Is it time, date, or a combination? Can simply going from one cell tower in one time zone to another in an earlier time zone really cause this big of a security issue? This article is very short of details.

    And yes, I realize that if the device was disconnected for more than an hour while crossing time zones the issue is not likely to occur.
    aep528
  • RE: iPhone date glitch exposes photo albums

    Not only do you get access to the camera, if you set the clock back far enough it gives you full access to the phone, removing the pass code completely
    goro_uk
    • It doesn't matter according to msalzberg

      @goro_uk
      This doesn't matter because it took more than 3 minutes to find this hole. Anything more than 3 minutes means that the OS is rock solid.

      According to msalzberg.
      toddybottom
      • Wrong again, you lying sack

        @toddybottom
        Look a few posts up and you will see msalzberg stating
        "Time frame means little. A bug was found, and should be fixed. In that, you and I are in complete agreement."

        What he said was that your claim of "a few minutes" was incorrect by a large margin, and you know it.
        To anyone living in reality "A few minutes" is not synonymous with "a few hours". I understand you, in your own little RDF, don't understand that, but it's true.

        Anything reflecting well on Apple must be shot down and any fault to be found with Apple must be blown out of proportion and shouted from the rooftops. According to toddybottom (by his/her actions if not his/her words).
        use_what_works_4_U