New iOS 7 lock screen flaw opens up iPhones, iPads in seconds


Summary: A new flaw allows any hands-on hacker to access iPhones and iPads where the user previously left off, including email, settings, and other apps.

TOPICS: Security, Apple, iOS, iPhone, iPad

Apple users have been left with yet another lock-screen flaw, which can allow anyone with physical access to an iPhone or iPad running the latest iOS 7 software to access the device where the owner previously left off.

The bug, which was first discovered on YouTube, is relatively simple to replicate.

Once a missed notification is received, flip up the Control Center and enable Airplane Mode. This disables any data in or out of the device. Then, swipe down on the Notification Center and tap the missed call. The device will unlock, prompting you to turn on the radio functions.

However, the caveat is that it only displays the app that was last open on the device before it was locked. If it was the Mail app, the attacker has unfettered access to your emails only. If it was the Settings app, they will have full control over your device options.

Once they leave the app, the device locks again.

This was tested on the iPhone 5s and iPhone 4s both running iOS 7.1.1, the latest version of the mobile software, in the New York newsroom.

This isn't as serious as previous issues with the iOS 7 lock screen, as it doesn't give full access to the device, but it's yet another issue with a deeply flawed lock screen, as we have seen before.

Users are advised to disable "Notification View" in the "Notification Center" panel in the device Settings area, to prevent this from working. Alternatively, users can disable the Control Center by going to its area in the Settings, and turning off the "Access to Lock Screen" function.
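For fleets managed with configuration profiles, the two settings above correspond to the `allowLockScreenControlCenter` and `allowLockScreenNotificationsView` keys of Apple's Restrictions payload (`com.apple.applicationaccess`). The following is an added example, not part of the original article, that audits a profile for them; the function names and the sample profiles are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
# Restrictions keys (iOS 7+) behind the two Settings toggles named in the article.
# Both features are allowed on the lock screen when the key is absent.
LOCK_SCREEN_KEYS = {
    "allowLockScreenControlCenter": "Control Center: Access on Lock Screen",
    "allowLockScreenNotificationsView": "Notification Center: Notification View",
}

def audit_profile(profile_bytes):
    """Map each key to True if the feature is still allowed on the lock screen."""
    profile = plistlib.loads(profile_bytes)
    allowed = {key: True for key in LOCK_SCREEN_KEYS}  # absent key == allowed
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in LOCK_SCREEN_KEYS:
            # With several Restrictions payloads, the most restrictive value wins.
            if payload.get(key) is False:
                allowed[key] = False
    return allowed

def exposed_settings(profile_bytes):
    """Keys the profile leaves enabled on the lock screen."""
    return sorted(k for k, ok in audit_profile(profile_bytes).items() if ok)

def bypass_mitigated(profile_bytes):
    """The article gives the two toggles as alternatives: disabling either one suffices."""
    return not all(audit_profile(profile_bytes).values())

def build_profile(restrictions):
    """Constructed sample profile carrying one Restrictions payload."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.constructed.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.constructed.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})

# Constructed inputs: a profile that leaves both features on, and a hardened one.
WEAK = build_profile({"allowLockScreenControlCenter": True})
HARDENED = build_profile({"allowLockScreenControlCenter": False})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "mitigated:", bypass_mitigated(blob))
        for key in exposed_settings(blob):
            print("  still on lock screen:", LOCK_SCREEN_KEYS[key])
```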

We reached out to Apple for comment but did not hear back at the time of writing.


Talkback

69 comments
  • Only an issue for people with Control Panel on the lockscreen

    geez, this is not really all that new. allow the Control Panel on the lockscreen and there is too much potential for access or for avoiding iphone security by turning on airplane mode.
    if you are at all serious about security on an iphone that is on iOS 7.x, then you will have already disabled the Control Panel from being on the lockscreen. you really do not want the Control Panel on the lockscreen at all. so disable it from being on the lockscreen. so, there, problem solved ... already.
    i-want-gizmos
    • Agreed. Taking the Control Panel OFF the lock screen...

      Was one of the first, "OH, MY! iOS 7 IS HACKED!" arguments.
      Vulpinemac
      • This only works if you have no passcode.

        At least when I tried to replicate it. If I turned off the passcode, it worked exactly as described, and my guess, as designed.
        Bruizer
    • Agree!

      I don't understand this. I just checked, the Settings-->Control Center-->Access on Lock Screen was already off. Don't remember turning it off. We have 4 iPhones and 5 iPads at home and all of them are set to off. Can anyone confirm/deny that Control Center's Access on Lock Screen is defaulted at "off?"
      ManoaHI
      • Both of my 5S handsets and my iPad Air

        are defaulted to the "on" position.
        Champ_Kind
      • default is ON

        I've restored dozens of iphones on iOS7 and control panel access is on by default.
        warboat
    • Don't forget...

      "which can allow anyone with physical access to an iPhone or iPad"

      This only applies if you've lost your iPhone or it has been stolen. Hopefully, by then you'll have tried Find my iPhone and initiated the erase function.
      sip01
    • Eject SIM card

      "there is too much potential for access or for avoiding iphone security by turning on airplane mode. "

      First thing they would do after stealing your phone is pull the SIM card.
      warboat
      • Wifi

        Pulling the SIM card does not affect connectivity via wifi. Any time the thief/user connects to the inter web your setting for ERASE or BRICK will be initiated.
        seaniepie
        • if they are smart enough

          They firewall icloud using their own router.
          Find-my-iphone can't connect while iphone can still be used for rest of internet.
          warboat
        • BTW

          Really bad risk to leave find-my-iphone on after the proof of concept for icloud proxy where a determined hacker can remote brick your iOS7 device.
          This is a serious vulnerability that Apple can't fix without a redesign of icloud and taking away some conveniences from users.
          warboat
          • Use Two-factor authentication

            Make use of two-factor authentication in iCloud

            http://www.pcmag.com/article2/0,2817,2416929,00.asp

            and don't use the same password for every site you go to. That is how people got their iCloud accounts locked up. One of the sites they went to was hacked and that information was used to access their iCloud accounts.
            eberit
  • Apple

    Perfection.
    Rob Berman
  • Argh

    Whittaker and his writing.

    "...owners are left..." No one has left me. Apple has not, to date, thrown up its hands and said "Sorry Dan, we're stumped, good luck."

    "The bug, which was first discovered on YouTube,..." No! The bug was revealed on YouTube. It was discovered somewhere else.

    No discussion as to responsible disclosure or that going to YouTube is self-promotion and not public service?

    And no discussion about the essential security truism that physical access is usually game over? Kill switches, login failure lockouts, etc., are merely making the best of a bad situation.

    I'm not saying this isn't news or that I, as an iOS user, should be casual about a misplaced device, though I think I knew that already. But, come on, let's move the perspective up to the top, omit the abandonment theme, and choose correct verbs.
    DannyO_0x98
    • This piece is what you call

      clickbait.
      Champ_Kind
  • Shock Horror!!!!

    Well that's made my mind up!! I was considering replacing my Android phone soon but there is no way I would consider an iPhone now. At least if somebody steals my Android, or even a Windows phone, there is no way that they can access any of the data on them is there.....
    Ohhhhhhh hang on......
    The Central Scrutinizer
    • Can they?

      Are there any known lock-screen bypasses on the latest versions of Android or Windows Phone?
      x I'm tc
      • Windows? Phone?

        Microsoft has a phone?
        Mihi Nomen Est
      • Who needs to bypass a lock screen when

        you can just download a root kit?
        baggins_z
        • sure

          Let's just telnet in and install root kit Loverock style.
          warboat