Serious Security Flaw Discovered in iPhone Firmware 2.0.2; Temp Fix Available; Permanent Fix On Its Way [Updated]
Gizmodo is reporting that a member of Mac Rumors forums has discovered a major security flaw in the iPhone firmware 2.0.2 that allows someone to access your data and certain iPhone apps even when you have the passcode lock feature turned on.
Find out more about the security flaw and a workaround to avoid it after the jump.
To replicate the security flaw, follow these instructions:
- Password Protect your iPhone and lock it.
- Then Slide to Unlock the iPhone, tap Emergency Call button on the screen where you get an option to enter the passcode and then double tap the home button.
- If you have not set the home button settings to something else as described in the iPhone tip here, then double tapping the home button takes you to Favorites.
If you thought this was a feature, think again: you have not entered the passcode, which means that anyone who happens to pick up your phone can get access to your Favorites without knowing the passcode.
It also gives that person access to your address book, the dial keypad and voice mail, and tapping the blue arrows exposes the private information of any of the contact entries in Favorites.
Here is where this flaw becomes a major concern:
Someone can then click on the mail address of the contact to get access to your iPhone's mail application thus exposing all your emails. Clicking on a URL in your contact gives someone access to iPhone's Safari browser. Someone can also send text messages to any of the contacts in your address book.
If this has got you worried then here is a simple workaround to fix this security flaw:
1. In the iPhone home, go to Settings.
2. Click on General.
3. Click on Home Button.
4. Click on either "Home" or "iPod".
This way, a double-click on the home button will take the user back to the unlock screen (if you use "Home") or to the iPod screen. It's recommended to use "Home".
This means that you will lose the ability to quickly access your Favorites for a quick call, but I am sure you will agree that it's better than having all your private mails, contacts, and SMS database exposed.
Mac Rumors is reporting that Apple is already aware of this flaw and a fix is on its way.
"This security flaw was already reported to Apple earlier this month and has been acknowledged as an issue. A fix will presumably be included in a future firmware update."
This security flaw applies to all those who are using iPhone's passcode lock functionality (Settings -> General -> Passcode Lock) and have updated their iPhone with the latest firmware v2.0.2 which was released by Apple last week.
Update (Aug 28, 2008):
Apple representative, Jennifer Bowcock, said in an email to Macworld:
“The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September”.
[via Gizmodo and Mac Rumors]



Well, I have not updated to 2.0.2 but I just tried it on my 2.0.1 and it still has the same security issue. I was able to send text, check my mail and dial in my favorites, get the Safari to work. The only thing I couldn't do was dial a new number or get to the address book.
Posted by: laurnzo | August 27, 2008 at 06:48 PM
OMG!!! That f-ing sucks!! Nice little loophole to get around the 'security' lock code of the iPhone. LOL. Also, even though someone can now only get into my emergency call option, they can still make ANY call, not only emergency ones.
So while even locked, someone can use my phone and call anyone they wish and rack up my phone bill??? LOL. Too funny. You hit the Emergency Call button, it should call 911 only.
Posted by: Lonnie | August 27, 2008 at 07:24 PM
Ok, a flaw is there, but has anyone with older versions tried it? How long has this flaw been there?
Posted by: Ahsan | August 28, 2008 at 02:01 AM
Thanks for bringing this up, I can't believe there's such a simple flaw in the security!
Posted by: Shai | August 28, 2008 at 05:43 AM
I've just tested this loophole and found that the matter is even worse. If you get to the emergency keypad and dial any number, it'll still make a call for you as if you are in unlock mode. This is unbelievable. By the way, my iPhone is a jailbroken and unlocked one. I don't know if it still behaves the same way under an official carrier.
Posted by: John Wen | August 28, 2008 at 12:05 PM
Yeah, when you hit the emergency call button you can call anyone if you know their phone number. What is the deal with that? Is Apple stupid? Like, who was sleeping when they tested that one out?
Posted by: drew | August 31, 2008 at 12:39 PM