iOS 4.1 security hole allows using the iPhone when it's locked

Emil

Posts: 152   +0

With the latest iOS 4.1, it appears that Apple has opened up a small security vulnerability: the iPhone's passcode no longer works as it should. If you input a random number in the emergency call field, press call, and then promptly hit the hardware lock button, you will gain access to the Phone app. The issue occurs on all iPhones that can been upgraded to iOS 4.1; the iPhone 3G, iPhone 3GS, and iPhone 4 are all vulnerable.

In other words, even if your phone is locked, you can make non-emergency phone calls from it. This could be easily abused by thieves who use your phone to make expensive calls right after they steal your iPhone. The hole also grants the user access to favorites, contacts, recent calls, and voicemail. Additionally, selecting "share contact" and then the camera icon will give you access to the photo album. Furthermore, if the user holds down the menu button he or she can gain access voice control and play locally-stored music. Here's a video from Boy Genius Report showing the issue:

We expect that Apple will have a fix available by iOS 4.2, though there's no date for that release yet. Currently, the 4.2 beta still has this problem since it has only been recently discovered and sent as a bug report to Apple.

Permalink to story.

 
All so worried about keeping Iphones from being jailbroken, Apple leaves this vulnerability wide open. Great job Apple. Why don't you start spending less time protecting your bottom line and spend more time protecting your consumer. And Apple continues to be on my ban list. I will not buy an apple product.
 
So... My passcode is there just to annoy me everytime I wake up the phone from sleep mode... Apple, you should give out rewards to people who find these kind of security issues like this one, and maybe start a program like Mozilla did some time ago...
 
Is this really a bug? Sounds more like an 'easter egg' or cheat code.
up down down left right A B B to unlock Flash :)
 
bakape said:
Is this really a bug? Sounds more like an 'easter egg' or cheat code.
up down down left right A B B to unlock Flash :)

APPLE! Please do. Flash on my iphone would rock!
 
Apple is mostly looks, it's like a glass case with a lock and they expect you to store things in it which people do because apple tells them it's super safe... but it's glass case...sigh
 
What I find more severe is the fact you can completely reformat an iPhone even if it has a passcode, which should allow for activition if the SIM card is in. No idea how iPhone activation works though...
 
Another apple blunder apple is one company i don't trust and wish they would go under lol. Lets see they make a phone that is messed up and then blame the customer.
 
Lets see they make a phone that is messed up and then blame the customer.

Also, don't forget they made a tablet with wifi issues and blamed the consumer's routers.

I honestly wouldn't pick on Apple so much if they weren't so stuck up about how perfect their products are. So I can't help but laugh at their misfortunes.
 
That seems like a pretty obvious case that should have been checked by QA. "What happens when we hardlock the phone to interrupt an emergency call?"
 
"Another apple blunder apple is one company i don't trust and wish they would go under lol."

I agree. I can't stand Apple and their owners tick me off. Apple is better than..blah blah blah.
 
Not a big apple fan but it'll be fun to mess with my machead friend. At least he's not pretentious about it.
 
This reminds me of the windows 95 hack that let you login to the computer without knowing the password.
 
wow idk how apple overlooked this flaw. for the pricetag on their gadgets, they should protect their users from these kinds of vulnerabilities.

lets go steal an iphone. haha kidding
 
Just tried it on my iPhone 3GS (fully updated) and indeed this works! just showed the guys at work and since the office is full of iPhones it is now causing a bit of a stire :)
 
Yeah - I've been showing this off at work too. Most of the folks here are saying, "who cares? Who said their stuff was secure anyway?" Guess I'm the only one really worried about people making calls to my CIO from my phone.
 
Back