Another lockscreen passcode flaw found in Apple's iOS 6.1
Another vulnerability has been discovered in iOS 6.1 that could give malicious users access to data on an iPhone with a lockscreen passcode enabled.
The vulnerability, which was highlighted on Monday by Jacqui Cheng of Ars Technica, is similar to one that was recently discovered. But the new exploit can make the iPhone screen go black, and allow an attacker to plug in the device to a computer via USB and potentially access the data stored on the handset.
Like the previous hack, the exploit can be accessed by making and then immediately canceling an emergency call on a passcode-locked device.
Of course, a hacker must have physical access to the device for the exploit to yield any data. But using the method highlighted, data such as contacts and voicemails could be extracted from a stolen iPhone even if a passcode lock were enabled on the device.
The previously highlighted lockscreen bug will be addressed by Apple in a forthcoming software update. A beta version of iOS 6.1.3 that addresses the issue was supplied by Apple to developers for testing last week.
Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1.
The vulnerability, which was highlighted on Monday by Jacqui Cheng of Ars Technica, is similar to one that was recently discovered. But the new exploit can make the iPhone screen go black, and allow an attacker to plug in the device to a computer via USB and potentially access the data stored on the handset.
Like the previous hack, the exploit can be accessed by making and then immediately canceling an emergency call on a passcode-locked device.
Of course, a hacker must have physical access to the device for the exploit to yield any data. But using the method highlighted, data such as contacts and voicemails could be extracted from a stolen iPhone even if a passcode lock were enabled on the device.
The previously highlighted lockscreen bug will be addressed by Apple in a forthcoming software update. A beta version of iOS 6.1.3 that addresses the issue was supplied by Apple to developers for testing last week.
Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1.
Comments
Oh boy...
isn't this the same stupid and irrational thing?
I have no respect for this punks. Why not talk with apple first? bunch of morons. Sorry about the rant.
Quote:
Originally Posted by SolipsismX
Between Lock Screen and Daylight Savings bugs Apple seems to be dropping the ball on what I assume are important things that only need a minor amount of coding effort to get right.
I'm sure it's one of those things that's more complex a problem than it first looks.
Occam's Razor says you are correct.
What are you talking about? This article is nothing but about Apple.
I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.
I was under the impression that you could only make emergency calls from the lock screen.
When I open my phone and swipe to enter, the passcode pops up as expected, however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said Siri call Mark and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email address it apparently does not actually send even though Siri says "Ok I'll send it".
Edit: Correction it does send the email too. Actually after playing around with this it turns out she will schedule events and just about anything else you want without unlocking the screen.
BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.
It gets worse, or better, depending on whether you are honest or not. If you find someone's iPhone you can just ask Siri from the lock screen "What is my information?" and she willingly complies by displaying your complete contact info.
Apple has said that they still act like a startup... shifting engineers from one project to another every few months.
While that concept makes for a great managerial fantasy, in practice it's usually more sensible to have groups that permanently "own" pieces of software, that they take full responsibility for.
Another critical item is to make sure you have a test team with fully detailed test scenarios. The testers should be composed of both seasoned veterans and an occasional rotated-in newbie who does the unexpected.
At the same time, I still defend the developers of the various Apple New Year's date bugs. I've had a few of those myself. They're hard to find, until you find them. THEN they're obvious
Quote:
Originally Posted by rcoleman1
Apple will fix it for good soon...Apple always learns from it's mistakes. I've got faith!
"Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1."
Is blind faith a virtue or simply stupidity ?
More reasons why Forstall was fired?
Quote:
Originally Posted by mstone
I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.
I was under the impression that you could only make emergency calls from the lock screen.
When I open my phone and swipe to enter, the passcode pops up as expected, however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said Siri call Mark and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email address it apparently does not actually send even though Siri says "Ok I'll send it".
Edit: Correction it does send the email too. Actually after playing around with this it turns out she will schedule events and just about anything else you want without unlocking the screen.
BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.
For convenience, Siri (as well as a few other things, like Passbook) is treated separately from the lock screen, and essentially allowed to bypass it.
If you're concerned about what people can do on your phone with Siri, even while locked, then you can control/turn that off that was well. Look in:
Settings > General > Passcode Lock
Furthermore, you can lock it down even further by enabling 'Restrictions' and turning off the camera, and now that will not appear on the lockscreen either..
-Rick
P.S. By the way, I had to figure out this the hard way-- My little nieces just looove to get ahold of my iPhone and mess with me by messing with it. But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such. heh, kids. Anyway, solved that by also turning off Siri from the lock screen above.
Quote:
Originally Posted by _Rick_V_
P.S. By the way, I had to figure out this the hard way-- My little nieces just looove to get ahold of my iPhone and mess with me by messing with it. But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such. heh, kids. Anyway, solved that by also turning off Siri from the lock screen above.
Thanks good to know. I thought the camera was a good idea in order to catch a shot you would have missed by the time you unlock, but don't you think that Siri should be locked out by default since it is capable of so much access? She can even dial numbers that are not in your address book too.
Quote:
Originally Posted by pedromartins
isn't this the same stupid and irrational thing?
I have no respect for this punks. Why not talk with apple first? bunch of morons. Sorry about the rant.
Generally speaking, I tend to be a bit more sanguine about these exposed hacks. I would rather hackers discover and publicize these exploits, and force the vendors to fix them. Rather than discovering holes, not disclose them, and the use the exploits later for nefarious purposes (witness: chinese military hacking into our corporations).
Granted it may not be exactly the same because here you at least have to have the device in hand. But the principle's the same.
-Rick
Quote:
Originally Posted by mstone
I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.
What you're talking about here is exactly what Siri is advertised to do. For most people, it would defeat the purpose of using Siri if you had to take your phone out of your pocket, look at your screen, and type in your passcode. She can be turned off if you feel threatened.
Quote:
Originally Posted by shovelheadrider72
mstone: If you go to Settings/General/Passcode Lock you are given an option to disable Siri when the phone is locked. What you found is a feature, not a bug.
Thanks. I just recently put a lock screen on my phone. Previously I had none but it was recommended that I put one in case the phone became lost. Now that I understand the settings I think Siri should be locked by default because I doubt most people are aware that your lock screen is basically useless unless Siri is disabled.