MacDailyNews - Where Mac news comes first

Apple reintroduces iPhone ‘Passcode Lock’ flaw (with workaround)
Wednesday, August 27, 2008 - 12:04 PM EDT

Apple’s iPhone offers users an optional "Passcode Lock," which allows users to enter a four-digit passcode to limit access to the device.

However, it can currently be bypassed in certain situations if an intruder has physical access to your iPhone.

Here's how to induce the issue:

1. Enter a 4-digit passcode via Settings > General > Passcode Lock
2. Make sure you have some contacts entered in Contacts, including email addresses, phone numbers, and website URLs.
3. Lock iPhone and then hit "Home" button to activate slider to get to “Enter Passcode” screen.
4. Tap “Emergency Call” button (bottom left).
5. Double tap "Home" button.
6. On certain iPhone setups, this can bring up all contacts in the Favorites list.
7. Tap on the blue arrow next to contact name to get full access to email, Safari, SMS, etc.

This vulnerability was already once corrected by Apple with iPhone / iPod touch v1.1.3:

Passcode Lock

CVE-ID: CVE-2008-0034

Available for: iPhone v1.0 through v1.1.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.


MacDailyNews Note: Obviously, this is one that has slipped through and not been included in later updates. Somebody at Apple failed to incorporate the most-recent codebase. Simple as that. Not an excuse. Apple blew it. Hopefully, it's the only thing they missed. So, until Apple gets around to re-fixing this issue in the next update, you can secure your iPhone by setting your iPhone's "Home" button's double-click action to "Home" or "iPod" (Settings > General > Home Button and check "Home" or "iPod").
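
A minimal model of the lock-state check the advisory describes, as an added example (not Apple's code and not part of the original article). The `Phone` class, the screen names and the assumption that the "Home" setting returns to the passcode prompt are hypothetical; the code replays steps 3-5 above for each Home Button setting, with and without the check, the way a regression test for this fix could.

```python
from enum import Enum

class Screen(Enum):
    PASSCODE_ENTRY = "passcode entry"
    EMERGENCY_CALL = "emergency call"
    FAVORITES = "favorites"   # contact list, reachable only after unlock by design
    IPOD = "ipod"

# Home Button double-click settings named on the page, mapped to the screen
# each one opens. Assumption: "Home" on a locked phone shows the passcode prompt.
TARGETS = {
    "Favorites": Screen.FAVORITES,
    "iPod": Screen.IPOD,
    "Home": Screen.PASSCODE_ENTRY,
}
CONTACT_SCREENS = {Screen.FAVORITES}

class Phone:
    def __init__(self, double_click_action, check_lock_state):
        self.locked = True
        self.screen = Screen.PASSCODE_ENTRY
        self.action = double_click_action
        self.check_lock_state = check_lock_state  # True = fix applied

    def tap_emergency_call(self):
        if self.screen is Screen.PASSCODE_ENTRY:
            self.screen = Screen.EMERGENCY_CALL

    def double_click_home(self):
        if self.screen is Screen.PASSCODE_ENTRY:
            return self.screen        # the passcode prompt swallows the shortcut
        if self.check_lock_state and self.locked:
            return self.screen        # fix: shortcut ignored while locked
        # Without the check, the emergency-call screen forwards the shortcut.
        self.screen = TARGETS[self.action]
        return self.screen

def replay_steps(check_lock_state):
    """Run steps 3-5 for every setting; return the screen each one reaches."""
    reached = {}
    for action in TARGETS:
        phone = Phone(action, check_lock_state)
        phone.tap_emergency_call()
        reached[action] = phone.double_click_home()
    return reached

def settings_exposing_contacts(check_lock_state):
    """Settings under which a locked phone ends up on a contact screen."""
    reached = replay_steps(check_lock_state)
    return [a for a, s in reached.items() if s in CONTACT_SCREENS]
```
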

Reader feedback page 1 of 1 pages:
Aug 27, 08 - 12:12 pm Comment from: Captain Obvious

Inexcusable, really.

Aug 27, 08 - 12:20 pm Comment from: Wandering joe

a workaround to fix the flaw reintroduced by the patch that broke the original patch that fixed the flaw. hmmmmm, sounds familiar...
couldn't help myself, sorry wink

Aug 27, 08 - 12:25 pm Comment from: Jeremy

@ Captain Obvious

"Inexcusable" is a bit of hyperbole don't you think?

Phones have a (rather unusual and atypical) hardware requirement to always be able to be used for an emergency call irrespective of the security state of the system that makes the call. That's like having a "secure" computer that somehow also lets you log on and do your email without giving you access to the system itself. This is not a trivial thing to design.

I think it's more than understandable that Apple has made this minor mistake in that regard. It is a mistake, and I am not defending it, but it's hardly "inexcusable," nor is it malicious or really that surprising.

Aug 27, 08 - 12:29 pm Comment from: Randian

Perfection, damn it! I DEMAND PERFECTION FROM EVERYONE AND EVERYTHING! (Thank Gawd I'm not on the International Space Station right now with my trusty, but infected, PC laptop. huh?)

Aug 27, 08 - 12:42 pm Comment from: Fanboy

I'm very happy about the flaw. It allows me the best of both worlds. Once again Apple design triumphs. I can set my security code that will stop most people, but leave my phone set up so that I can quickly get back in without being forced to recall and enter that stupid pass code.

This works quite well for me.

No one does it better than Apple!

Aug 27, 08 - 12:42 pm Comment from: Jumbo

In order for this to occur you have to set "favorites" as the default action for the double click. If you have either of the other 2 actions set it doesn't work

Aug 27, 08 - 12:44 pm Comment from: R2

I've got the double-tap set to open my iPod and sure enough that's what opens when I follow the instructions.

Speaking of the passcode, I don't see why we can't use alphanumeric passwords. It's like Apple was still in iPod-mode and forgot about the touch keyboard that can appear whenever we need it.

Aug 27, 08 - 01:13 pm Comment from: apathy

Does anyone really care? I have never used password protect because I don't have anything important on my phone and if I did I wouldn't let anyone else use it.

Aug 27, 08 - 01:57 pm Comment from: R2

"Does anyone really care?"

Yes.

Aug 27, 08 - 02:27 pm Comment from: Mark S.

What I want is Bluetooth syncing!

Aug 27, 08 - 03:52 pm Comment from: Sixvodkas

@ Jeremy,

No, this was inexcusable.

Apple has exactly TWO devices to test.

This was a KNOWN security flaw that had earlier been corrected, and all it takes to verify they broke it, was to double tap the home key.

Sorry, but there's only ONE button on the front of the iPhone, and QA is falling on its face.

Aug 27, 08 - 06:43 pm Comment from: Sogni X

I honestly like this "flaw" and wish it would show an emergency contacts list.

All it does is show your address book - or your iPod app (depending on what you programmed the double-click home button to).

I like using the password lock, but am always worried that if I ever have an accident and am unconscious (I ride motorcycles so that's always on my mind) - I would want someone to be able to access my contacts list and get a hold of someone who knows me.

But then again the chances of the iPhone surviving such a crash is very small. hmmm

Aug 27, 08 - 06:49 pm Comment from: TheConfuzed1

My double click is set to open iPod.

I guess that makes me safe. smile

Aug 28, 08 - 07:42 pm Comment from: @Sogni X

You can solve this problem by setting a list of such phone numbers as your background. Just go into Word (or another word processor, if you like), type up the numbers, and take a screenshot. Obviously, you can even have another image within Word as a background and put your numbers in a text box.

This way, if you lose your phone and somebody finds it, they won't be able to steal it, but they'll know whom to call.
