Flaw gives attackers access to passcode-protected iPhones

If an attacker gains physical access to a system, one can usually do very little to keep that device locked down. Apple seems to make things extra-easy for attackers with the new iPhone 3G, though. A member of the Mac Rumors forums has uncovered a major flaw that allows malicious users to gain access to certain passcode-protected iPhones. The forum member has helpfully detailed the steps needed to reproduce the issue, too:

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.
Tap “Emergency Call” keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact’s name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, “full” Phone access, and Mail by accessing various entries on the Favorite’s page, i.e. tapping their home page brings up a full, unrestricted Safari.

Gizmodo explains the flaw in more detail in this blog post, while a Reuters report has brought coverage of the problem to major news sites. Reuters contacted an Apple spokeswoman for more information, and she revealed that Apple knows about the issue and is working on a fix. Until that fix comes out, she says users can circumvent the flaw by configuring their iPhones so the “Home” button opens up the music collection rather than the “Favorites” menu.

Comments closed
    • tfp
    • 11 years ago

    But but but, it just works!

      • barich
      • 11 years ago

      That’s how Apple makes things “just work.” Passwords impair usability, so the ability to bypass them without having to remember what they are is paramount.

    • lex-ington
    • 11 years ago

    i say they patent the problem and make it the iFlaw, then when anyone uses it, they owe apple royalty fees. That’s a nice little bonus for shareholders, don’t ya think so?

    • adisor19
    • 11 years ago

    Umm, this little trick has been there since 1.0. And what that forum user posted doesn’t even begin to scratch the REAL trick..

    Adi

    • Tamale
    • 11 years ago

    *Yawn*

    no surprise to me. apple’s never really been known for security. let’s place bets on how long it’ll be before the fix is published. my money’s on a whole week.

      • Scrotos
      • 11 years ago

      Only a week? Really? You have great confidence in Apple, methinks!

      To turn your phrase, Apple’s never really been known for quick turnaround time on security fixes…

Pin It on Pinterest

Share This