Apple's Control Center used to bypass iOS 7 passcode lock [u]
A security hole in iOS 7 has been reported in which Apple's Control Center, along with some quick finger work, can be used to bypass a passcode protected lock screen on an iPhone or iPad running iOS 7, grating access to Mail, Photos and Twitter, and more.
The exploit, discovered by Jose Rodriguez on Thursday, take a bit of finesse to get right, though we have independently verified that it works. It is somewhat reminiscent of a lock screen bug in iOS 6.1 that allowed access to Contacts, Photos and Voicemail by using a complex string of commands including the emergency call feature.
As reported by Fortune, the recently discovered vulnerability involves Control Center, a new feature in iOS 7 that gives users quick access to commonly used apps and commands.
First, a nefarious user must invoke Control Center by swiping up from the bottom of a locked iPhone or iPad's lock screen. From there, the Clock app can be opened even without a passcode. Holding down the power button will bring up the shut-off pane. This next part is tricky, though is manageable with practice. Instead of swiping to power down the device, cancel is selected, followed quickly by one short and one long press of the home button. The device enters the iOS 7 multi-tasking view and from there Mail, Photos and Twitter can be accessed.
The exploit can be defeated by simply disabling Control Center in the lock screen, though this somewhat hampers the new iOS 7 capability. It should also be noted that access is only granted to app open prior to locking the device, and the titles affected by the workaround are limited. For example, Safari cannot be opened from the multi-tasking view.
We tested the bug on both the iPhone 5 and third-generation iPad, and while it took a few tries, the process does work.
Apple will most likely patch the issue in an upcoming software update.
Update: Apple has confirmed to AllThingsD that a fix is in the works and will be included in a future update. No estimated release date was given.
The exploit, discovered by Jose Rodriguez on Thursday, take a bit of finesse to get right, though we have independently verified that it works. It is somewhat reminiscent of a lock screen bug in iOS 6.1 that allowed access to Contacts, Photos and Voicemail by using a complex string of commands including the emergency call feature.
As reported by Fortune, the recently discovered vulnerability involves Control Center, a new feature in iOS 7 that gives users quick access to commonly used apps and commands.
First, a nefarious user must invoke Control Center by swiping up from the bottom of a locked iPhone or iPad's lock screen. From there, the Clock app can be opened even without a passcode. Holding down the power button will bring up the shut-off pane. This next part is tricky, though is manageable with practice. Instead of swiping to power down the device, cancel is selected, followed quickly by one short and one long press of the home button. The device enters the iOS 7 multi-tasking view and from there Mail, Photos and Twitter can be accessed.
The exploit can be defeated by simply disabling Control Center in the lock screen, though this somewhat hampers the new iOS 7 capability. It should also be noted that access is only granted to app open prior to locking the device, and the titles affected by the workaround are limited. For example, Safari cannot be opened from the multi-tasking view.
We tested the bug on both the iPhone 5 and third-generation iPad, and while it took a few tries, the process does work.
Apple will most likely patch the issue in an upcoming software update.
Update: Apple has confirmed to AllThingsD that a fix is in the works and will be included in a future update. No estimated release date was given.
Comments
Yep, right on cue for the next 'scandal' to bring AAPL down.
Glad they found it now...early in the release. On to the next one.
How the heck do people discover these sort of things?!?! o_O
People with alot of free time lol
Yet another gate.
I see a 7.0.2 coming soon.
He probably found it weeks ago on the developer preview and waited for the general release in order to cause the most damage.
doesn't work on my iPhone 5. It displays the multitasking tray, however I cannot access any of apps...
I don't use a passlock. I'm just careful with my stuff, don't need some annoying passcode that I always can read when people unlock their iPhone in public.
Yet another gate.
I'm sure that works fine if you're not prone to losing things. But it wouldn't work so great against theft/robbery.
I don't use a passlock. I'm just careful with my stuff, don't need some annoying passcode that I always can read when people unlock their iPhone in public.
Yet another gate.
+1
Life is too short to type 4 digits to access your phone 55 times a day. Maybe if I was the president, or a secret agent.. It would be a matter of national security if someone were to like, read my emails if they stole my phone.
Honestly....anyone wanting full protection and security should disable the control center from lock screen anyways as a thief could use it to turn on airplane mode and walk off without worry of "find my iPhone"
I've said it before and I'll say it again...apple should make have a feature that adds the ability to require a passcode to enter airplane mode and/shut of device so that we can keep find my iPhone useful.
Sure there is still the SIM card tray but at least they'd need time and the key to get to that.
Anyone who agrees with me should do what I have done and SUBMIT THIS REQUEST TO APPLE AS A FEATURE
Proof of meaninglessness. Nothing to see here.
Except the subject-verb disagreement.