iPhone security flaw exposes private data

[Havoc 1]

http://news.yahoo.com/s/nm/20080828/tc_nm/apple_security_dc

A security flaw in Apple Inc's (AAPL.O) iPhone allows unauthorized users to gain easy access to private contacts and e-mails even when the device is locked, but the company said a fix is on the way.

Popular technology blog Gizmodo and an online forum run by the Mac Rumors site showed that it took only three taps to gain access to locked iPhones, which run the latest 2.02 iPhone software.

Apply a lock to your iPhone, and it’ll ask you for a four-digit passcode. However, it’ll also let you make an emergency call. Go into the menu to dial the emergency number, perform a quick double-click on the ‘home’ button, and your phone’s favourites menu will appear.

Not only that, if you’ve changed the settings then whatever you’ve applied to the double tap action will pop open. That could be your iPod too.

The gigantic security flaw lets unauthorised users call any number they like from your phone. If you’ve assigned web sites or e-mail addresses to your contacts, they can tap into them too.

[xKLAATUx 0]

Not surprising; since the very beginning of the iPhone, Apple was acknowledging that their plan was basically security-by-lack-of-features. They should take back all the fancy features they've introduced since its inception and protect their customer base again. Come to think of it people can be easily give away important information via a simple phone call, so Apple may want to reconsider the iPhone's ability to make or receive phone calls.

[systems_glitch 111]

Physical access == pwned, as with just about any system you might encounter. At least someone's working on an update to counter this problem.

[sif519 0]

Ok so i thought this was so interesting i had not only to try it but to register with my results having had mixed feelings since i got a great deal on upgrading my iphone ( it cost me 56 Canadian dollars after selling my ipod touch for 200 ) that i figured i would try it

so i locked my phone and hit emergency call , and double tapped the home button what happened ? absoulty nothing it simply went back to asking the password , I tried this several times i guess if you have your phone setup to go to either the home menu or the ipod menu it simply doesn't work ( or at least i couldn't get it to work). The Only way i could get this to work is if the device was set to show the favorites list.

[Havoc 1]

remember this important step

If you have used the "Favorites" feature in the phone, it is possible to break into the phone.

try also this one

How to break into a PIN locked iPhone

So if you are a fan of the iPhone and have it all synced to your Exchange server, I want to pass a word of caution to you.

Firstly, you SHOULD be locking your iPhone with a PIN. Not doing so makes it easy for anyone to look at your emails, contacts and calendar. It's another layer of defense which costs you nothing. Please use it.

However, I am sad to report that even if you do use it, the current PIN security in iPhone 2.0.2 is flawed. If you have used the "Favorites" feature in the phone, it is possible to break into the phone.

Here are the steps to do so:

1. Press the Home button to wake up the iPhone.

2. Slide to unlock

3. Click the "Emergency Call" button on the bottom left

4. Press the "Home" button two times fast. Your Favorites list will show up.

5. Click on the ">" circle of a contact that has an email address tied to it

6. Hit the email address to create a new email.

7. "Cancel" the new email.

8. You are now in the users Exchange mailbox, without knowing their PIN to unlock the phone.

This seems like a pretty interesting attack vector. I would have never expected the Emergency mode in an iPhone to be used so easily in this way.

Edited September 1, 2008 by Havoc