
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

iPhone passcode lock rendered useless

By | August 27, 2008, 6:19am PDT


Do not trust that passcode lock on Apple’s iPhone.

The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.

Here are a few steps to reproduce this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

  • Set up a passcode lock  (Settings > General > Passcode Lock and enter a 4-digit passcode. iPhone then requires you to enter the passcode to unlock it).
  • Set up contacts in address book with e-mail address, phone numbers and Web sites.
  • Turn off/on iPhone and move slider to get to “Enter Passcode” screen.
  • Tap “Emergency Call” button (bottom left).
  • Double tap home button.
  • This pulls up all contacts in the Favorites list.
  • Tap on the blue arrow next to contact’s name to get full access to e-mail, SMS, Safari, etc.

Here’s the most troubling thing about this vulnerability:  It was fixed by Apple (see advisory) for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year.

  • Passcode Lock
    CVE-ID: CVE-2008-0034
    Available for: iPhone v1.0 through v1.1.2
    Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
    Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

I have confirmed this issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.

The obvious workaround:  Remove all Favorites until Apple ships a proper fix.

UPDATE:  In the TalkBack section, reader zrds comes up with a better workaround:

  • I’d like to point out that a good workaround is setting your home button “Settings->General->Home Button” to “Home” will effectively negate the issue.

This does work much better as a mitigation.
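
The advisory's "improved check on the state of the Passcode Lock" and the Home-button workaround can be illustrated with a small state model. This is an added example, not Apple's code and not part of the original post; the class, field and screen names are hypothetical, and the handler logic is an assumption that only mirrors the behaviour reported on this page.

```python
# Simplified, hypothetical model of the lock-screen flow; not Apple's code.
from dataclasses import dataclass

# Screen opened by each Home-button double-tap setting mentioned on the page.
SHORTCUTS = {"Favorites": "favorites", "iPod": "ipod", "Home": "home"}
# Screens that expose user data and must never be shown while locked.
SENSITIVE = {"favorites", "ipod", "home"}


@dataclass
class Device:
    shortcut: str = "Favorites"      # Settings > General > Home Button
    check_lock_state: bool = False   # False models the handler without the check
    locked: bool = True
    screen: str = "enter_passcode"

    def tap_emergency_call(self):
        # The emergency dialer is reachable without the passcode by design.
        if self.screen == "enter_passcode":
            self.screen = "emergency_dialer"

    def double_tap_home(self):
        target = SHORTCUTS[self.shortcut]
        # Assumption: the "Home" setting falls back to the passcode prompt,
        # as reported in the comments; other shortcuts need an explicit check.
        if self.locked and (self.check_lock_state or target == "home"):
            self.screen = "enter_passcode"
        else:
            self.screen = target


def exposed_while_locked(shortcut, check_lock_state):
    """Replay the two taps from the lock screen; return the leaked screen or None."""
    d = Device(shortcut=shortcut, check_lock_state=check_lock_state)
    d.tap_emergency_call()
    d.double_tap_home()
    return d.screen if d.locked and d.screen in SENSITIVE else None


def audit(check_lock_state):
    """Regression check: every shortcut setting must end at the passcode prompt."""
    return {name: exposed_while_locked(name, check_lock_state) for name in SHORTCUTS}


if __name__ == "__main__":
    print("without lock-state check:", audit(False))
    print("with lock-state check:   ", audit(True))
```

The same audit shape works as a release regression test: enumerate every control reachable from the locked screen and assert that none of them lands on a data-bearing view.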

* Hat tip to “greenmymac” on the MacRumors forum. The Register has additional coverage with a great headline.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

iPhone
zrds 27th Aug 2008
I'd like to point out that a good workaround is setting your home button "Settings->General->Home Button" to "Home" will effectively negate the issue.

Tested on iPhone 2.0
0 Votes
Good catch
Ryan Naraine 27th Aug 2008
Yes, setting home button to 'home' does revert to pincode screen. If your home button is iPod, intruder has access to your music.

_r
0 Votes
Strange it was fixed in a prior version but not pushed into v2. Seems like a simple enough fix though, I'm sure it will be done soon.
0 Votes
RE: iPhone passcode lock rendered useless
HelpMeNow Updated - 27th Aug 2008
You forgot 1 step in addition to all of the other steps that *ALL* have to be present... before this is ever a problem:

Step 1: You have to have your phone physically stolen by someone.

(I don't even use the 4-digit lock code at all. It's just a pointless pain.)
0 Votes
The reason the phone has a passcode lock is because Apple wants the iPhone to appeal to corporate users. For a business user who could get fired and fined if the corporate information on his iPhone was ever stolen, a functioning password is a necessity.

So ultimately, this is more a "Corporations have one more reason to say 'hold it' to iPhone users" issue than a direct consumer issue.

Except for consumers who would rather make sure their roommates, spouse, children, etc couldn't just casually peruse their iPhone contents of course.

Not everyone is as concerned about privacy, or has the need to be so concerned, but for those with these concerns, this is a huge glaring defect.
0 Votes
RE: iPhone passcode lock rendered useless
debig@... Updated - 27th Aug 2008
I'm on version 2.0.2 with the 2G iPhone; have my home set to favorites. I tried this:
Turn off/on iPhone and move slider to get to Enter Passcode Screen
Tap Emergency call button (bottom left).
Double tap home button.

It goes back to the login screen.
0 Votes
Do you have...
Ryan Naraine 27th Aug 2008
Do you have any contacts moved to Favorites?

_r
0 Votes
RE: iPhone passcode lock rendered useless
shaun.dudley@... 28th Aug 2008
Just loaded 2.02 firmware on my 16gb 3g iPhone and the issue still exists. Having the factory behavior of the home button probably masked the issue to a degree.
0 Votes
You could do what I do: set double-tapping the "Home" button to launching iTunes controls instead. Harmless and (at least for me) much more useful.
0 Votes
Steve Jobs is Darth Vader
Jediguardian Updated - 28th Aug 2008
... and he finds our lack of faith disturbing...Nothing further your honor.
0 Votes