
Another lockscreen passcode flaw found in Apple's iOS 6.1

post #1 of 25
Thread Starter 
Another vulnerability has been discovered in iOS 6.1 that could give malicious users access to data on an iPhone with a lockscreen passcode enabled.



The vulnerability, which was highlighted on Monday by Jacqui Cheng of Ars Technica, is similar to one that was recently discovered. But the new exploit can make the iPhone screen go black, and allow an attacker to plug in the device to a computer via USB and potentially access the data stored on the handset.

Like the previous hack, the exploit can be accessed by making and then immediately canceling an emergency call on a passcode-locked device.

Of course, a hacker must have physical access to the device for the exploit to yield any data. But using the method highlighted, data such as contacts and voicemails could be extracted from a stolen iPhone even if a passcode lock were enabled on the device.

The previously highlighted lockscreen bug will be addressed by Apple in a forthcoming software update. A beta version of iOS 6.1.3 that addresses the issue was supplied by Apple to developers for testing last week.

Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1.
post #2 of 25

Oh boy...

post #3 of 25
Those programmers are missing a few things it seems...
post #4 of 25

isn't this the same stupid and irrational thing?

 

I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

post #5 of 25
Between Lock Screen and Daylight Savings bugs Apple seems to be dropping the ball on what I assume are important things that only need a minor amount of coding effort to get right.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #6 of 25
Reality dictates that bugs will appear in every version of iOS. It doesn't matter how good your programmers are.

Please update the AppleInsider app to function in landscape mode.

post #7 of 25
Apple will fix it for good soon...Apple always learns from its mistakes. I've got faith!
post #8 of 25
Quote:
Originally Posted by SolipsismX View Post

Between Lock Screen and Daylight Savings bugs Apple seems to be dropping the ball on what I assume are important things that only need a minor amount of coding effort to get right.

 

I'm sure it's one of those things that's more complex a problem than it first looks. :)

post #9 of 25
Quote:
Originally Posted by RichL View Post

I'm sure it's one of those things that's more complex a problem than it first looks. :)

Occam's Razor says you are correct.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #10 of 25
Quote:
Originally Posted by pedromartins View Post

isn't this the same stupid and irrational thing?

I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

What are you talking about? This article is nothing but about Apple.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #11 of 25

I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

 

I was under the impression that you could only make emergency calls from the lock screen.

 

When I open my phone and swipe to enter, the passcode pops up as expected, however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said Siri call Mark and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email addresses it apparently does not actually send even though Siri says "Ok I'll send it".

 

Edit: Correction it does send the email too. Actually after playing around with this it turns out she will schedule events and just about anything else you want without unlocking the screen.

 

BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.

 

It gets worse, or better, depending on whether you are honest or not. If you find someone's iPhone you can just ask Siri from the lock screen "What is my information?" and she willingly complies by displaying your complete contact info.


Edited by mstone - 2/25/13 at 1:15pm

Life is too short to drink bad coffee.

post #12 of 25

Apple has said that they still act like a startup... shifting engineers from one project to another every few months.

 

While that concept makes for a great managerial fantasy, in practice it's usually more sensible to have groups that permanently "own" pieces of software, that they take full responsibility for.

 

Another critical item is to make sure you have a test team with fully detailed test scenarios.  The testers should be composed of both seasoned veterans and an occasional rotated-in newbie who does the unexpected.

 

At the same time, I still defend the developers of the various Apple New Year's date bugs.  I've had a few of those myself.  They're hard to find, until you find them.  THEN they're obvious :)   It's all about having enough time to test, before your manager yanks you over to a different problem.

post #13 of 25
Quote:
Originally Posted by rcoleman1 View Post

Apple will fix it for good soon...Apple always learns from its mistakes. I've got faith!


"Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1."

 

Is blind faith a virtue or simply stupidity?

post #14 of 25

More reasons why Forstall was fired?

post #15 of 25
Quote:
Originally Posted by mstone View Post

I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

 

I was under the impression that you could only make emergency calls from the lock screen.

 

When I open my phone and swipe to enter, the passcode pops up as expected, however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said Siri call Mark and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email addresses it apparently does not actually send even though Siri says "Ok I'll send it".

 

Edit: Correction it does send the email too. Actually after playing around with this it turns out she will schedule events and just about anything else you want without unlocking the screen.

 

BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.

 

 

For convenience, Siri (as well as a few other things, like Passbook) is treated separately from the lock screen, and essentially allowed to bypass it. 

 

If you're concerned about what people can do on your phone with Siri, even while locked, then you can control/turn that off as well.  Look in:

 

  • Settings > General > Passcode Lock

 

Furthermore, you can lock it down even further by enabling 'Restrictions' and turning off the camera, and now that will not appear on the lockscreen either.

 

-Rick

 

P.S.  By the way, I had to figure out this the hard way-- My little nieces just looove to get ahold of my iPhone and mess with me by messing with it.   But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such.  heh, kids.  Anyway, solved that by also turning off Siri from the lock screen above.

post #16 of 25
Quote:
Originally Posted by _Rick_V_ View Post

 

P.S.  By the way, I had to figure out this the hard way-- My little nieces just looove to get ahold of my iPhone and mess with me by messing with it.   But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such.  heh, kids.  Anyway, solved that by also turning off Siri from the lock screen above.

Thanks good to know. I thought the camera was a good idea in order to catch a shot you would have missed by the time you unlock, but don't you think that Siri should be locked out by default since it is capable of so much access? She can even dial numbers that are not in your address book too.

Life is too short to drink bad coffee.

post #17 of 25
Quote:
Originally Posted by pedromartins View Post

isn't this the same stupid and irrational thing?

 

I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

 

 

Generally speaking, I tend to be a bit more sanguine about these exposed hacks.  I would rather hackers discover and publicize these exploits, and force the vendors to fix them.  Rather than discovering holes, not disclose them, and then use the exploits later for nefarious purposes (witness: Chinese military hacking into our corporations).

 

Granted it may not be exactly the same because here you at least have to have the device in hand.  But the principle's the same.

 

-Rick

post #18 of 25
Quote:
Originally Posted by mstone View Post

I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

 

What you're talking about here is exactly what Siri is advertised to do.  For most people, it would defeat the purpose of using Siri if you had to take your phone out of your pocket, look at your screen, and type in your passcode.  She can be turned off if you feel threatened.

post #19 of 25
Rick beat me in, I was going to post the same thing about passcode lock.
post #20 of 25
mstone: If you go to Settings/General/Passcode Lock you are given an option to disable Siri when the phone is locked. What you found is a feature, not a bug.
post #21 of 25
Quote:
Originally Posted by shovelheadrider72 View Post

mstone: If you go to Settings/General/Passcode Lock you are given an option to disable Siri when the phone is locked. What you found is a feature, not a bug.

Thanks. I just recently put a lock screen on my phone. Previously I had none but it was recommended that I put one in case the phone became lost. Now that I understand the settings I think Siri should be locked by default because I doubt most people are aware that your lock screen is basically useless unless Siri is disabled.

Life is too short to drink bad coffee.

post #22 of 25

I do not believe for one second that these 'flaws' are accidents. I think they were put there on purpose for law enforcement purposes.

post #23 of 25
Quote:
Originally Posted by sc_markt View Post

I do not believe for one second that these 'flaws' are accidents. I think they were put there on purpose for law enforcement purposes.

 

How conspiratorial of you.  :)

 

If that were true, they would've done it with a real proper backdoor, and secured the rest.  If designed as such (which it is not), it would be trivial for law enforcement to get a warrant, read off the IMEI number off the back, and the manufacturer would be able to remotely unlock it.  But they don't.  And Apple continues to fix these bugs as soon as they're discovered.

 

I think these flaws merely show how hard it is to really lock down any device that's connected to the internet, much less one that you have in hand.

 

As the old IT expression goes: 

  • "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one"

post #24 of 25
Originally Posted by sc_markt View Post
I do not believe for one second that these 'flaws' are accidents. I think they were put there on purpose for law enforcement purposes.

 

Nonsense. That would just be "Dial [code] on the emergency call screen". This random swiping and flicking crap is just that; fools with too much time on their hands overloading the OS with inputs.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.

 

post #25 of 25
I just came across this: http://pedantical.com/newest/2013/3/6/samsung-galaxy-s-iii-bug-allows-full-access-to-the-phones-features

I have to agree that few will care enough to make a big deal out of it.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow
