iPhone, iPad lock screen bypass fixed, but 34 days too late
Summary: More than a month after its discovery, Apple finally fixes a major lapse in iPhone and iPad security: a lock-screen flaw that allowed complete access to an iOS 6.1-powered device.

It took more than a month for Apple to fix a flaw with iPhone and iPad lock screens that allowed hackers to easily break into a user's iOS 6.1-powered device.
In just a few button presses and key taps, it was possible to bypass the four-digit lock screen and gain full access to rifle through parts of a user's iOS 6.1-powered device — which, by the way, would have been a significantly high proportion of all devices — including, but not limited to, photos, server-stored emails and contacts, voicemail and other private data.
Engage the enterprise panic switches. Your bring-your-own-device (BYOD) staff using iPhones and iPads alike have been taking their devices home (or leaving them on the train or at a bus stop, or having them stolen), and the ripple effect could result in the leaking of sensitive corporate data — or worse, citizen data — considering a rise in government employees using Apple products.
And yet it took 34 days, from February 14 to March 19, for one of the world's most advanced technology companies by staff and by wealth to fix the very front door, the first line of defense against unauthorized users, to its customers' phones and tablets.
During that time, Apple issued another update in the form of iOS 6.1.2 that fixed a nasty Exchange Server-related bug that churned up servers with "excessive logging" problems. But there was no sight of a lock screen fix even then.
Apple said in a statement at the time that it was "aware of this issue, and will deliver a fix in a future software update." It did not, however, give a time frame in which it would do so, leaving many without a clue as to what their own employees should do to mitigate any security-related circumstances.
Apple, in true fashion, stayed mum. Not a word beyond the statement. No idea on when the problem would be fixed, or how to at least reduce the risk of a lock screen bypass.
The company also said that it "takes user security very seriously."
Again, that's five weeks, or more than one month until a fix was finally pushed out of the doors at Cupertino.
Whatever spin story you want to use, this is a pretty poor effort on Apple's part. Sure enough, many enterprises would have reacted to this security flaw by simply engaging a server-side policy that forced a stronger alphanumeric password on each connected device. (Besides which, that should be a standard in any enterprise, but that's missing the point.)
We should not forget, however, that Samsung also experienced a very similar flaw, in which hackers are able to bypass — albeit momentarily — the Android 4.1.2 lock screen on some Galaxy devices.
Samsung, for the record, didn't even respond to a request for comment, putting it very much in the same position as Apple.
The bottom line to this is that the lock screen (on any device, in fact) is the very first defense against hackers. Most hackers, for the record, actually require a little skill to break into a device. But this was a wide-open flaw that allowed practically anybody — perhaps those sans fingers — to bypass the most basic of protections.
It was a massive data protection and privacy risk that went unpatched for too long.

Talkback
Let's give some credit to apple
Even worse is people who dare to not pay apple for hardware upgrades. apple's answer is simply to stop supporting them:
http://mygadgetnews.com/tech/no-ios-4-3-support-for-iphone-3g-no-more-updates
We know Toddy
BIG difference
Thanks danbi, glad you agree with me that apple sucks.
Toddy, as always
But if you say that Microsoft (or MS) sucks, we should all believe you.
You have no clue to whom I was referring. As usual.
Right here buddy
Who do you think makes the OS for the Nokia Lumia 920?
Remember buddy, we were talking OS.
Fast?
34 days is even slower than Oracle's Java updates - granted they have to keep on releasing further updates.
I do expect Apple to release 6.1.4 by the end of May to fix problems that 6.1.3 caused. They are starting to remind me of Google and their buggy Chrome browser!
Let's not forget
It also seems that this trick only worked with a 4-digit "password" lock, which is obviously very weak anyway.
Anyway, Apple might have provided an update earlier, if they chose to not test it and not fix other possibly associated problems. Their standards are apparently different.
Yup...
Still shows that iPhone/iPad security sucks.
Why limit to 4 digits? Why not alphanumeric?
So, I didn't see what the problem was.
first line of defense?
Really?
It *does* take physical access to the device to carry out this attack, so no. Your phone has to actually be physically stolen in order to carry out this attack.
Apple should have fixed this sooner
"Apple, in true fashion, stayed mum."
34 days LATE?
"Samsung Galaxy Note 2 lock screen bypass fixed, but xx days too late!"
You will NEVER see that post on ZDNet.
But then again, I really don't fault Zack for this blog opinion. It has merit - to an extent.
The samsung problem grants access for part of one second.
If so then yes, they are in the same boat.
Physical Access bugs are low priority