
New security hole in Apple's iOS 6.1 lets anyone bypass an iPhone's lockscreen - Page 2

post #41 of 82
Quote:
Originally Posted by mactoid View Post

Geezuz....do people actually get PAID to sit around all day and try these weird key sequences on their phones?  I guess I'm glad they have phones..imagine what they'd discover if they only had themselves to play with!
 

I'm going to guess they just tried the same key sequence that worked in 2011. Someone probably tries it again with every new update. A bit surprised someone with authority at Apple didn't (if they didn't).

melior diabolus quem scies
post #42 of 82
This can't be something you happen upon by accident. This vulnerability must be surreptitiously shown by an Apple iOS engineer to his or her friend, who then posts a video detailing the vulnerability.

How are these vulnerabilities usually discovered?
post #43 of 82
Quote:
Originally Posted by ClemyNX View Post

Again? After the similar bug in 2010, they could test a little bit more the unlocking screen!

Those lazy must have skipped the standard


1. Lock device
2. Slide to unlock
3. Tap emergency call
4. Hold sleep button until the power down prompt shows.
5. Type in 911 or your emergency number
6. click call
7. cancel it asap
8. Lock your device with the sleep button
9. turn it on using the home button.
10. Slide to unlock
11. hold the sleep button
12. wait 3 seconds
13. tap emergency call.

 

test case.

post #44 of 82
I couldn't get this to work, and honestly unless some dimwit actually published this, who the hell would work this out by accident?

Do not overrate what you have received, nor envy others.
15" Matte MacBook Pro: 2.66Ghz i7, 8GB RAM, GT330m 512MB, 512GB SSD

iPhone 5 Black 32GB

iPad 3rd Generation, 32GB

Mac Mini Core2Duo 2.26ghz,...

post #45 of 82
Quote:
Originally Posted by seanie248 View Post

"Ironically, a nearly identical vulnerability reared its ugly head back in October of 2010 "

Coincidentally, maybe, but Ironically???

Can't see the irony here....

Love it when guys find these little bug things out... I always have to think... what made him do those actions in exactly that order to discover the bug? Do these people sit all day just trying random combinations of actions or is there a "method".
 


Irony is all too often used when people should say coincidence. I guess people want to feel crafty and make their article interesting, even though they are using the wrong word. In fact, it seems that "coincidentally" is going out of style; people are opting for "ironically."

post #46 of 82
Quote:
Originally Posted by Gazoobee View Post

Or, you could just look over someone's shoulder.  About the same level of accuracy/security.  

 

Seriously though, if anyone is using the passcode lock and thinking it really does much at all for "security," they are dreaming.  

 

It's just there to make nervous people feel more comfortable.  

 

Yes and no.  My kids learned my PIN and my wife's by watching us (not even over the shoulder), so that part is dead on.  On the other hand, I like the security of knowing that if I lose my phone it will get wiped automatically if some stranger types in 11 guesses.

post #47 of 82
Quote:
Originally Posted by Rogifan View Post

As expected, this is the top story on the Verge's website.

 

Those guys are media whores.  They're more concerned with being "TV Stars" than actually reporting news.  

Also, it's a complete sausage fest over there, all their "reporters" have the exact same point of view, and most of the commenters are twelve year old boys (mentally or otherwise).  

 

So ... Engadget 2.0 really. 

post #48 of 82
Quote:
Originally Posted by malax View Post

 

Yes and no.  My kids learned my PIN and my wife's by watching us (not even over the shoulder), so that part is dead on.  On the other hand, I like the security of knowing that if I lose my phone it will get wiped automatically if some stranger types in 11 guesses.

 

True.  11 guesses gives an attacker fairly good odds of guessing it though.  

 

Where I work we have numbered locks on the doors and when I get bored I try to guess the codes.  Most of the time it's under a dozen guesses or so and you're in.  You could use the longer alpha-numerical password to be safer.  

 

I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press.  Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass.  Access to the phone itself is not given.  

 

Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in.  Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent.  By giving them physical access, you are essentially complicit.  

 

Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.  

 

IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that. 

post #49 of 82
Quote:
Originally Posted by Gazoobee View Post

 

Those guys are media whores.  They're more concerned with being "TV Stars" than actually reporting news.  

Also, it's a complete sausage fest over there, all their "reporters" have the exact same point of view, and most of the commenters are twelve year old boys (mentally or otherwise).  

 

So ... Engadget 2.0 really. 

The article has over 200 comments, most of them a troll fest.  I had high hopes for the Verge because I can stand Engadget.  But man this click bait mentality sucks.  It's not Business Insider levels but the site could be so much more.  What's amusing is most of the commenters think all their "reporters" are Apple fanboys.

post #50 of 82
Quote:
Originally Posted by Gazoobee View Post

 

True.  11 guesses gives an attacker fairly good odds of guessing it though.  

 

Where I work we have numbered locks on the doors and when I get bored I try to guess the codes.  Most of the time it's under a dozen guesses or so and you're in.  You could use the longer alpha-numerical password to be safer.  

 

I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press.  Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass.  Access to the phone itself is not given.  

 

Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in.  Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent.  By giving them physical access, you are essentially complicit.  

 

Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.  

 

IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that. 

Lots of things make me scratch my head these days.  Just this morning it was announced that one of Blackberry's original founders/CEO's no longer owns any shares in the company and the stock is up almost 6% on the day.

post #51 of 82
Quote:
Originally Posted by lkrupp View Post

What fascinates me about stuff like this is how it is discovered. Some ODC type with too much time on their hands sitting around randomly pushing buttons? You tell me how somebody figures this out.
 

 

Think you meant OCD, a typo that any OCD person would have caught.  Oh, must have a bit of OCD myself!

post #52 of 82
Quote:
Originally Posted by Gazoobee View Post

 

True.  11 guesses gives an attacker fairly good odds of guessing it though.  

 

Where I work we have numbered locks on the doors and when I get bored I try to guess the codes.  Most of the time it's under a dozen guesses or so and you're in.  You could use the longer alpha-numerical password to be safer.  

 

I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press.  Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass.  Access to the phone itself is not given.  

 

Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in.  Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent.  By giving them physical access, you are essentially complicit.  

 

Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.  

 

IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that. 

We have penetration testers hired by our company to compromise our security. There are different ways to compromise security. Some are physical access, some are remote (from outside the firewalls), but most of the time it is through some kind of social engineering that security is compromised. Someone is fooled or convinced to not follow the established protocols and processes and security is compromised. Also...all software has vulnerabilities. Any clicks or touches on a screen can be replicated with a script. After all, that's what the OS software does behind the scenes anyway. To run these things you don't always have to have physical access to the device to run a script.....

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

post #53 of 82
post #54 of 82

 

Why would anyone care about this? Google isn't arbitrarily defined by the media as being "cool", so it's just business as usual for a company known (and never derided) for stealing your information and selling you to the highest bidder.

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #55 of 82

ok, this discussion is definitely bordering on "fanboism" (yes, I said it).

 

While the average person could care less about someone getting at their pictures and contacts (since they're probably all available on Facebook anyways), there could *shock* actually be people like law enforcement officers who do care about criminals getting ahold of their contacts (so that they can find out about an investigation, threaten people, or worse).

 

Obviously, those people should take more precautions than just a 4-digit password on a lock screen to keep people out of their private information.  However, the fact that this method of keeping information safe has flaws will then make people question other (supposedly more secure) methods as well.

 
post #56 of 82
"spazz out", seriously?
post #57 of 82
Originally Posted by abinitio View Post
"spazz out", seriously?

 

You know, wig out, lose your cool, drop the skinny in a blender, etc. 

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #58 of 82
Quote:
Originally Posted by Tallest Skil View Post

 

Why would anyone care about this? Google isn't arbitrarily defined by the media as being "cool", so it's just business as usual for a company known (and never derided) for stealing your information and selling you to the highest bidder.

Yeah I guess mass hypocrisy shouldn't surprise me any more.

post #59 of 82

Obviously, it's because there's a massive double standard. Apple is held to different standards than everyone else.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #60 of 82
Wow!



Quote:
Originally Posted by Galbi View Post


Prove that he did not notify Apple.

Then let's talk.

Also, this isn't the first time Apple had this issue raised before. According to your logic, now that Apple had months since the last release, shouldn't they now have been fixed?

This latest video clearly shows that they certainly haven't listened or at least bothered to check it.

So you think he notified Apple and allowed them sufficient time to fix the hole before posting his video online?

Let's examine the evidence, shall we?


We have a phone that is set to February 13, 2013 at 4:41pm. This doesn't tell us his time zone nor does either the date or time have to be accurate. Do you really think he made this video months ago but set his phone to February 13th first just to make it look like the video and upload date happened on the same day? It's possible but not probable.

I suppose he also could have informed Apple months ago but then only made a video yesterday, but does that seem very likely to you? Do you really think that he followed the proper reporting channels before making a video with detailed info on how to do it, including a text version, without mentioning how he submitted the bug to Apple and how they ignored him all this time? Really?

I can come to no other probable conclusion than him creating a video as soon as he figured out how to recreate the events without ever going to Apple.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #61 of 82

Despite Android's numbers not enough people care about Android for it to be a big deal. It's not that people are more rational it's about the mindshare making it newsworthy, like some actor who is a household name one year just to be forgotten the next. Apple has seemingly done the impossible by continuing generating more and increasingly dominant mindshare and holding it for so very long. I guess if you look at the single issue it's better for Google than Apple in this case and Apple needs to be more diligent because anything out of place will be dissected to the fullest degree but in the big picture everyone wants to be Apple.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #62 of 82
Quote:
Originally Posted by jragosta View Post


Obviously, it's because there's a massive double standard. Apple is held to different standards than everyone else.

Apple holds themselves to different standards don't they, as do their users? That's why a stumble by Apple gets more attention. Not being "any worse than Google" isn't nearly good enough is it?


Edited by Gatorguy - 2/14/13 at 10:13am
melior diabolus quem scies
post #63 of 82
Originally Posted by Gatorguy View Post
Apple holds themselves to different standards don't they? That's why a stumble by Apple gets more attention.

 

Funny how holding oneself to any standard whatsoever is considered "higher" these days.

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #64 of 82
Quote:
Originally Posted by SolipsismX View Post


Despite Android's numbers not enough people care about Android for it to be a big deal. It's not that people are more rational it's about the mindshare making it newsworthy, like some actor who is a household name one year just to be forgotten the next. Apple has seemingly done the impossible by continuing generating more and increasingly dominant mindshare and holding it for so very long. I guess if you look at the single issue it's better for Google than Apple in this case and Apple needs to be more diligent because anything out of place will be dissected to the fullest degree but in the big picture everyone wants to be Apple.

Wow...that was so perfect...I was trying to find a way to explain Apple's mindshare and you nailed it!

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

post #65 of 82
It's reckless to suggest people call 911 as a game. Even if only a few calls go through because people don't end the calls quickly enough, it's just not okay. Someone with an actual emergency could have service delayed because some geek is trying a hack. Seriously, this is reckless and should be removed from this website. Even if it's on other sites, AppleInsider should have more respect for human life than this.
post #66 of 82
Originally Posted by peterm7 View Post
…AppleInsider should have more respect for human life than this.

 

I think that's a little overboard.

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #67 of 82
Quote:
Originally Posted by Gazoobee View Post

 

True.  11 guesses gives an attacker fairly good odds of guessing it though.  

 

Where I work we have numbered locks on the doors and when I get bored I try to guess the codes.  Most of the time it's under a dozen guesses or so and you're in.  You could use the longer alpha-numerical password to be safer.  

 

I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press.  Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass.  Access to the phone itself is not given.  

 

Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in.  Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent.  By giving them physical access, you are essentially complicit.  

 

Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.  

 

IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that. 

 

I agree with your other points.  Getting my voicemail, photos, and contacts wouldn't concern me (much); getting into my mail and apps would be a BFD.

 

But your assertion that 11 tries (without having seen the phone being unlocked) gives one "fairly good odds" is nonsense.  .999^11 = .989.  Ok, the fact that 1.1 times out of a hundred a random dude could guess your pin before it's disabled is higher than you'd like.  But 1 in a 100 is a very long, long shot by most definitions.

 

(I just checked my phone to see if fingerprints would give away what numbers I tend to type, and was pleasantly surprised that whatever coating Apple uses is pretty darn good: no smudges, no fingerprints.)

post #68 of 82
Quote:
Originally Posted by peterm7 View Post

It's reckless to suggest people call 911 as a game. Even if only a few calls go through because people don't end the calls quickly enough, it's just not okay. Someone with an actual emergency could have service delayed because some geek is trying a hack. Seriously, this is reckless and should be removed from this website. Even if it's on other sites, AppleInsider should have more respect for human life than this.

 

An excellent point and the reason that I won't try this.

 

Not sure it shows AI as not having respect for human life - but I have to wonder why AI would give the video creator more attention over a pretty clunky sort of a hack.

post #69 of 82
Quote:
Originally Posted by peterm7 View Post

It's reckless to suggest people call 911 as a game. Even if only a few calls go through because people don't end the calls quickly enough, it's just not okay. Someone with an actual emergency could have service delayed because some geek is trying a hack. Seriously, this is reckless and should be removed from this website. Even if it's on other sites, AppleInsider should have more respect for human life than this.

Not sure about elsewhere, but here in the UK it's an offence to call 911/999 without good cause.  Better make sure you cancel that call damn quick as I'm pretty sure trying out an iOS exploit is not good cause:-)

post #70 of 82
Quote:
Originally Posted by peterm7 View Post

It's reckless to suggest people call 911 as a game. Even if only a few calls go through because people don't end the calls quickly enough, it's just not okay. Someone with an actual emergency could have service delayed because some geek is trying a hack. Seriously, this is reckless and should be removed from this website. Even if it's on other sites, AppleInsider should have more respect for human life than this.

 

It said to try 112 in the video, so I tried it figuring it was just a random junk number that went nowhere.  Found out the hard way that it works in the U.S., same as 911.

post #71 of 82
I was able to use this method to open someone else's locked phone on the first try. Hope Apple fixes it soon.
post #72 of 82
Another irresponsible post from the Apple insider staff.
post #73 of 82
It's an issue and it will be fixed. Much like typing the file slash slash thing was. The only people this affected were the ones trying it out themselves. Blown out of proportion, yes. Still needs to be addressed, yes. If you care about it that much, don't let anyone you don't trust use your phone. Perfect interim solution.
post #74 of 82

A poster on MacRumors for the same story states that if you turn off Simple Passcode, and require more than the 4 numbers, this "exploit" no longer works.

post #75 of 82
Just remember that it is illegal to call 911 for any purpose other than to report an emergency. Even if you think you have canceled the call, it could still go through and your phone number and GPS location will be logged. I imagine that if you do this a bunch of times while trying out the hack or demonstrating it to others you could receive a visit from the police. I worry that this hack has the potential to snarl the 911 system and prevent people in real emergency situations from getting through. DON'T DO IT!
post #76 of 82
Quote:
Originally Posted by seanie248 View Post

"Ironically, a nearly identical vulnerability reared its ugly head back in October of 2010 "

Coincidentally, maybe, but Ironically???

Can't see the irony here....

Love it when guys find these little bug things out... I always have to think... what made him do those actions in exactly that order to discover the bug? Do these people sit all day just trying random combinations of actions or is there a "method".

Pretty much. It would be great if Windows news sites reported the endless glitches in Windows that have been there since Win 98 and are still there. Every time I use a feature that not every person on the planet uses, I get punished for it with glitchy behavior. If you have to ask for examples, I'm not going to bother because you clearly don't use Windows from top to bottom. I've watched the difference between average and even power users and myself. I'm doing nothing strange but I am using things not everyone regularly. Surprisingly, a lot of junk exists for users that are heavy drag and drop and context menu users. I figured that stuff was common.

While we're at it, why don't these Mac news sites care to talk about broken features in Mac OS? Have an IMAP mail server that requires a prefix? Use Notes app on Mountain Lion to sync notes on your own IMAP server?

No one gives a damn.
post #77 of 82
Originally Posted by Dontuwish View Post
A poster on MacRumors for the same story states that if you turn off Simple Passcode, and require more than the 4 numbers, this "exploit" no longer works.

 

Off-topic, but I've always wanted to allow international keyboards on the non-simple passcode screen.

 

I know enough of a non-Latin character language that I'd like to make a phrase from it for my passcode, but the OS won't let me use the keyboard I have enabled elsewhere within it. 

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #78 of 82
Quote:
Originally Posted by Gazoobee View Post

 

IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that. 

 

Okay, I'll bite.

 

So say that I'm the head of IT security for Home Depot and we have just switched all of our phones for middle management and such over to the iPhone because we experienced some downtime on Rim/Blackberry's network (Plus seemed to be asleep at the wheel).   I would be disappointed by this news because I was promised an enterprise level security system that was at least on par with Rim's phones.  Instead now I have the potential for my phones to be stolen (even by other employees) and they can read my email.

 

Now let's change the company and put a major financial company who are using iPhones and some finance guy misplaces his phone that contains lots of sensitive information.

 

So yes I would see this as a major security flaw and it should be pointed out because Apple has always claimed how they are ready for Enterprise and how their OS is perfect.  If you have the balls to say you are perfect, you better damn well be because if you are not and people find out about it, I will have a hard time feeling that you don't deserve it a little bit.

post #79 of 82
Originally Posted by zippy2shoes View Post
…Apple has always claimed how… …their OS is perfect.

 

Nah. Try again. This time without trying to counter what you perceive as "fanboyism" with antifanboyism.


If you have the balls to say you are perfect…

 

If you have the balls to claim someone says that, you better back it up.

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #80 of 82
Quote:
Originally Posted by SolipsismX View Post

Wow!

 

It's a joke.  I can almost guarantee that the person who created the video is not the same person who figured this trick out.

 

More likely, he (or someone he knows) hangs out on iPhone hacking IRC channels (like the ones used by the iPhone dev team members) and somehow overheard (or purchased) this information from someone close to one of the people who does the real hacking.  Those guys are rarely online, let alone spending time making videos of themselves, because they're busy working at figuring hacks like this out (for the purpose of developing them into jailbreaks).

 

The click money/ad revenue earned from being the first person to post a video of such hacks is worth a lot.  As is the reputation of your site as being "the place to go" to get this information first.  Wouldn't surprise me at all if a fair bit of money changed hands over this.

 