Must Read: Samsung Galaxy S4 review

Topic: iPhone

iPhone passcode lock rendered useless

Summary: Do not trust that passcode lock on Apple's iPhone.The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.

Ryan Naraine

By for Zero Day |

iPhone passcode lock rendered uselessDo not trust that passcode lock on Apple's iPhone.

The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.

Here are a few steps to reproduce this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

  • Set up a passcode lock  (Settings > General > Passcode Lock and enter a 4-digit passcode. iPhone then requires you to enter the passcode to unlock it).
  • Set up contacts in address book with e-mail address, phone numbers and Web sites.
  • Turn off/on iPhone and move slider to get to "Enter Passcode" screen.
  • Tap "Emergency Call" button (buttom left).
  • Double tap home button.
  • This pulls up all contacts in the Favorites list.
  • Tap on the blue arrow next to contact's name to get full access to e-mail, SMS, Safari, etc.

Here's the most troubling thing about this vulnerability:  It was fixed by Apple (see advisory) for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year.

  • Passcode Lock CVE-ID: CVE-2008-0034 Available for: iPhone v1.0 through v1.1.2 Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

I have confirmed this issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.

The obvious workaround:  Remove all Favorites until Apple ships a proper fix.

UPDATE:  In the TalkBack section, reader zrds comes up with a better workaround:

  • I'd like to point out that a good workaround is setting your home button "Settings->General->Home Button" to "Home" will effectively negate the issue.

This does work much better as a mitigation.

* Hat tip to "greenmymac" on the MacRumors forum. The Register has additional coverage with a great headline.

Topics: iPhone, Collaboration, Mobility, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion

  • iPhone

    I'd like to point out that a good workaround is setting your home button "Settings->General->Home Button" to "Home" will effectively negate the issue.

    Tested on iPhone 2.0
    zrds
    Reply Vote

    • Good catch

      Yes, setting home button to 'home' does revert to pincode screen. If your home button is iPod, intruder has access to your music.

      _r
      Ryan Naraine
      Reply Vote

  • RE: iPhone passcode lock rendered useless

    Strange it was fixed in a prior version but not pushed into v2. Seems like a simple enough fix though, I'm sure it will be done soon.
    ZenMasta
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    You forgot 1 step in addition to all of the other steps that *ALL* have to be present... before
    this is ever a problem:

    Step 1: You have to have your phone physically stolen by someone.

    (I don't even use the 4-digit lock code at all. It's just a pointless pain.)
    HelpMeNow
    Reply 2 Votes

    • The passcode is more for the corperate crowd

      The reason the phone has a passcode lock is because Apple wants the iPhone to appeal to corperate users. For a business user who could get fired and fined if the corperate information on his iPhone was ever stolen, a functioning password is a necessity.

      So ultimately, this is more a "Corperations have one more reason to say 'hold it' to iPhone users" issue than a direct consumer issue.

      Except for consumers who would rather make sure their roommates, spouse, children, etc couldn't just casually peruse their iPhone contents of course.

      Not everyone is as concerned about privacy, or has the need to be so concerned, but for those with these concerns, this is a huge glairing defect.
      brendan@...
      Reply Vote

  • RE: iPhone passcode lock rendered useless

    I'm on version 2.0.2 with the 2G Iphone; have my home set to favorites. I tried this:
    Turn off/on iPhone and move slider to get to Enter Passcode Screen
    Tap Emergency call button(buttom left).
    Double tap home button.

    It goes back to the login screen.
    debig@...
    Reply Vote

    • Do you have...

      Do you have any contacts moved to Favorites?

      _r
      Ryan Naraine
      Reply Vote

  • RE: iPhone passcode lock rendered useless

    Just loaded 2.02 firmware on my 16gb 3g iPhone and the issue still exists. Having the factory behavior of the home button probably masked the issue to a degree.
    shaun.dudley@...
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    You could do what i do: set double-tapping the "Home" button to
    launching iTunes controls instead. Harmless and (at least for me)
    much more useful.
    stam66
    Reply Vote

  • Steve Jobs is Darth Vader

    ... and he finds our lack of faith disturbing...Nothing further your honor.
    Jediguardian
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate!<a href="http://nccma.com">nccma</a> <a href="http://coolerkings.com">cooler</a>
    MACKENZI
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post. this thread is amazing i like your work and i appreciate you that you have share a useful stuff thanks for sharing <a href="http://the-ishop.com">the i shop</a> <a href="http://abatwa.com">abatwa</a>
    PEARLINEI
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post.Bookmarking now thanks please consider a follow up post.<a href="http://power28.com">power</a> <a href="http://sagesinc.com">sa</a> <a href="http://iloveshoping.net">shop</a>
    RHIANNONA
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    I think the representation of this article is actually superb one. This is my first visit to your site. Thanks a lot and keep sharing the information. Keep updating the information for all of us. Thanks ZDNet Government was launched as the brand's first industry vertical, with a mission to cater to IT professionals in the public secto I agree with your post. However, do you have any sources I can cite for my paper <a href="http://easy-wheels.com/">wheel</a> <a href="http://pbcars.com/">car</a> <a href="http://com69.net">com</a> <a href="http://cadburry.com">bury</a>
    SATURNINA
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    Well welcome, hopefully you can become a vital member of the community and really help to push far ahead of google. Which Im sure the development team would love. This will of course earn you alot points too and get you on the leaders board.<a href="http://vintagesnapbackhatsfan.com">z</a><a href="http://bestsolidstatedrive.net">d</a><a href="http://b2days.com/">n</a><a href="http://b2wp.com/">e</a><a href="http://buy-sell-cheap.com/">t</a> <a href="http://sellcheap.net/">t</a><a href="http://newsoftwarepc.com/">h</a><a href="http://bestlaptoppcreviews.com/">a</a><a href="http://buyfurniturefreeshipping.com/">n</a><a href="http://cheapclothingstoresonline.com/">k</a> Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas.
    TOCCAR
    Reply Vote

  • RE: iPhone passcode lock rendered useless

    Thanks nice info <a href="http://buyboxinggloves.net/">z</a><a href="http://buygemicrowave.com/">d</a><a href="http://cheapweldingsupplies.com/">n</a><a href="http://cheapcarcareproducts.com/">e</a><a href="http://cheapluggageforsale.com/">t</a> I really liked your current article write more..let me add you to its favorite The articles you have on zdnet <a href="http://mlbshopgiants.com/">s</a><a href="http://best3dtvavailable.com/">i</a><a href="http://lampsplusstorelocator.com/">t</a><a href="http://discountperfumewebsites.com/">e</a> are always so enjoyable to read. Good work and I bookmarked it.
    MCKNIGH
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close