iPhone passcode lock rendered useless


Summary: Do not trust that passcode lock on Apple's iPhone. The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.



Here are a few steps to reproduce this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

  • Set up a passcode lock (Settings > General > Passcode Lock and enter a 4-digit passcode. iPhone then requires you to enter the passcode to unlock it).
  • Set up contacts in address book with e-mail address, phone numbers and Web sites.
  • Turn off/on iPhone and move slider to get to "Enter Passcode" screen.
  • Tap "Emergency Call" button (bottom left).
  • Double tap home button.
  • This pulls up all contacts in the Favorites list.
  • Tap on the blue arrow next to contact's name to get full access to e-mail, SMS, Safari, etc.

Here's the most troubling thing about this vulnerability:  It was fixed by Apple (see advisory) for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year.

  • Passcode Lock
    CVE-ID: CVE-2008-0034
    Available for: iPhone v1.0 through v1.1.2
    Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
    Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

I have confirmed this issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.

The obvious workaround:  Remove all Favorites until Apple ships a proper fix.

UPDATE:  In the TalkBack section, reader zrds comes up with a better workaround:

  • I'd like to point out that a good workaround is setting your home button "Settings->General->Home Button" to "Home" will effectively negate the issue.

This does work much better as a mitigation.

* Hat tip to "greenmymac" on the MacRumors forum. The Register has additional coverage with a great headline.


Talkback

10 comments
  • iPhone

    I'd like to point out that a good workaround is setting your home button "Settings->General->Home Button" to "Home" will effectively negate the issue.

    Tested on iPhone 2.0
    zrds
    • Good catch

      Yes, setting home button to 'home' does revert to pincode screen. If your home button is iPod, intruder has access to your music.

      _r
      Ryan Naraine
  • RE: iPhone passcode lock rendered useless

    Strange it was fixed in a prior version but not pushed into v2. Seems like a simple enough fix though, I'm sure it will be done soon.
    ZenMasta
  • RE: iPhone passcode lock rendered useless

    You forgot 1 step in addition to all of the other steps that *ALL* have to be present... before this is ever a problem:

    Step 1: You have to have your phone physically stolen by someone.

    (I don't even use the 4-digit lock code at all. It's just a pointless pain.)
    HelpMeNow
    • The passcode is more for the corporate crowd

      The reason the phone has a passcode lock is because Apple wants the iPhone to appeal to corporate users. For a business user who could get fired and fined if the corporate information on his iPhone was ever stolen, a functioning password is a necessity.

      So ultimately, this is more a "Corporations have one more reason to say 'hold it' to iPhone users" issue than a direct consumer issue.

      Except for consumers who would rather make sure their roommates, spouse, children, etc. couldn't just casually peruse their iPhone contents of course.

      Not everyone is as concerned about privacy, or has the need to be so concerned, but for those with these concerns, this is a huge glaring defect.
      brendan@...
  • RE: iPhone passcode lock rendered useless

    I'm on version 2.0.2 with the 2G iPhone; have my home set to favorites. I tried this:
    Turn off/on iPhone and move slider to get to Enter Passcode Screen
    Tap Emergency call button (bottom left).
    Double tap home button.

    It goes back to the login screen.
    debig@...
    • Do you have...

      Do you have any contacts moved to Favorites?

      _r
      Ryan Naraine
  • RE: iPhone passcode lock rendered useless

    Just loaded 2.02 firmware on my 16gb 3g iPhone and the issue still exists. Having the factory behavior of the home button probably masked the issue to a degree.
    shaun.dudley@...
  • RE: iPhone passcode lock rendered useless

    You could do what I do: set double-tapping the "Home" button to launching iTunes controls instead. Harmless and (at least for me) much more useful.
    stam66
  • Steve Jobs is Darth Vader

    ... and he finds our lack of faith disturbing... Nothing further your honor.
    Jediguardian