iPhone, iPad lock screen bypass fixed, but 34 days too late

iPhone, iPad lock screen bypass fixed, but 34 days too late

Summary: After over one month since its discovery, Apple finally fixes a major lapse in iPhone and iPad security: a lock-screen flaw, that allowed complete access to an iOS 6.1-powered device.

SHARE:
TOPICS: Security, Apple, iPhone
16
iPhone-5
iOS 6.1.3 fixes the lock screen bypass flaw. (Credit: ZDNet)

It took more than a month for Apple to fix a flaw with iPhone and iPad lock screens that allowed hackers to easily break into a user's iOS 6.1-powered device.

In just a few button presses and key taps, it was possible to bypass the four-digit lock screen and gain full access to rifle through parts of their iOS 6.1-powered device — which, by the way, would have been a significantly high proportion of all devices — not limited to photos, server-stored emails and contacts, voicemail and other private data.

Engage the enterprise panic switches. Your bring-your-own-device (BYOD) staff using their iPhones and iPads alike have been taking their devices home (or left on the train, at a bus stop, or had their devices stolen) whereby the ripple effect could result in the leaking of sensitive corporate data — or worse, citizen data — considering a rise in government employees using Apple products.

And yet it took 34 days, from February 14 to March 19, for one of the world's most advanced technology companies by staff and by wealth to fix the very front door, the first line of defense against unauthorized users, to its customers' phones and tablets.

During that time, Apple issued another update in form of iOS 6.1.2 that fixed a nasty Exchange Server-related bug that churned up servers with "excessive logging" problems. But there was no sight of a lock screen fix even then. 

Apple said in a statement at the time that it was "aware of this issue, and will deliver a fix in a future software update." It did not, however, give a time frame in which it would do so, leaving many without a clue as to what their own employees should do to mitigate any security-related circumstances.

Apple, in true fashion, stayed mum. Not a word beyond the statement. No idea on when the problem would be fixed, or how to at least reduce the risk of a lock screen bypass.

The company also said that it "takes user security very seriously."

Again, that's five weeks, or more than one month until a fix was finally pushed out of the doors at Cupertino. 

Whatever spin story you want to use, this is a pretty poor effort on Apple's part. Sure enough, many enterprises would have reacted to this security flaw by simply engaging a server-side policy that forced a stronger alphanumeric password on each connected device. (Besides which, that should be a standard in any enterprise, but that's missing the point.)

We should not forget, however, that Samsung also experienced a very similar flaw, in which hackers are able to bypass — albeit momentarily — the Android 4.1.2 lock screen on some Galaxy devices

Samsung, for the record, didn't even respond to a request for comment, putting it very much in the same position as Apple.

The bottom line to this is that the lock screen (on any device, in fact) is the very first defense against hackers. Most hackers, for the record, actually require a little skill to break into a device. But this was a wide-open flaw that allowed practically anybody — perhaps those sans fingers — to bypass the most basic of protections.

It was a massive a data protection and privacy risk that went unpatched for too long.

Topics: Security, Apple, iPhone

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion
  • Let's give some credit to apple

    They are VERY fast at releasing patches when the bug involves a threat to their 30% cut of app revenues. They care very much about THEIR security, just not very much about yours.

    Even worse is people who dare to not pay apple for hardware upgrades. apple's answer is simply to stop supporting them:
    http://mygadgetnews.com/tech/no-ios-4-3-support-for-iphone-3g-no-more-updates
    toddbottom3
    • We know Toddy

      Such thing would be impossible to happen to an Nokia Lumia 920. Nobody else ever obsoletes software and all non-Apple platforms are genuinely more secure. If not, the user is at fault.
      danbi
      • BIG difference

        You guys are very clear that everything MS sucks and so to suggest that this is no big deal because MS is the same basically forces you to admit that apple sucks.

        Thanks danbi, glad you agree with me that apple sucks.
        toddbottom3
        • Toddy, as always

          Where did you find 'Microsoft' in my post buddy? Or MS?
          But if you say that Microsoft (or MS) sucks, we should all believe you.

          You have no clue to whom I was referring. As usual.
          danbi
          • Right here buddy

            "Such thing would be impossible to happen to an Nokia Lumia 920"

            Who do you think makes the OS for the Nokia Lumia 920?

            Remember buddy, we were talking OS.
            toddbottom3
    • Fast?

      I know you were probably sarcastic but fast?

      34 days is even slower than Oracle's Java updates - granted they have to keep on releasing further updates.

      I do expect Apple to release 6.1.4 by the end of May to fix problems that that 6.1.3 caused. They are starting to remind me of Google and their buggy Chrome browser!
      Gisabun
  • Let's not forget

    If someone has physical access to your mobile device, they can access any data on it. Doesn't matter how much "protected" it is.

    It also seems that this trick only worked with an 4-digit "password" lock, which is obviously very weak anyway.

    Anyway, Apple might have provided an update earlier, if they chose to no test it and not fix other possibly associated problems. Their standards are apparently different.
    danbi
    • Yup...

      I forgot the code of a simple 3 digit lock. Harder to move the dials instead of touching a screen. Went through almost the full 1000 combinations within an hour.
      Still shows that iPhone/iPad security sucks.
      Why limit to 4 digits? Why not alphanumeric?
      Gisabun
  • So, I didn't see what the problem was.

    How easy was it? Were people guessing passwords? I am using the 8 character numeric passkey. Does it effect me? I don't like to update iOS often. Where can I read about the actual problem rather than 'after-the-fact' bashing?
    The Danger is Microsoft
  • first line of defense?

    "The bottom line to this is that the lock screen (on any device, in fact) is the very first defense against hackers."

    Really?

    It *does* take physical access to the device to carry out this attack, so no. Your phone has to actually be physically stolen in order to carry out this attack.
    CobraA1
  • Apple should have fixed this sooner

    And some regular forum participants here should note that obviously not all ZDNet articles are positive towards Apple and negative towards Microsoft. That claim is so often made in forum threads here if some author dares to write anything critical (and maybe even true) about Microsoft...
    Smalahove
  • "Apple, in true fashion, stayed mum."

    Isn't that better, when security is involved, than to broadcast details of the flaw so that it can be exploited more easily?
    Userama
  • 34 days LATE?

    I just want you to follow-up in the same fashion when Samsung fixes their problem. 34 days to fix a problem that affects millions of iPhones is a good response time since it covers all supported IOS versions. Looking forward to reading...

    "Samsung Galaxy Note 2 lock screen bypass fixed, but xx days too late!"
    myronlm
    • You will NEVER see that post on ZDNet.

      It just wouldn't be news generating.

      But then again, I really don't fault Zack for this blog opinion. It has merit - to an extent.
      kenosha77a
    • The samsung problem grants access for part of one second.

      Is the Apple problem the same? Does it resume its lock scfeen after less than a second?
      If so then yes, they are in the same boat.
      radleym
  • Physical Access bugs are low priority

    If anyone believes that their data is safe once a device is in the hands of a hacker, they are delusional. Remote wipe any device lost immediately is the only answer. If this were a flaw that allowed remote access to this data and Apple took a few weeks to get it out, then we would have something to talk about. I'm not saying easy exploits don't need to be fixed quickly, but this is not the huge deal the author is making it out to be as long as it doesn't happen over and over again.
    DougPetrosky