Another lockscreen passcode flaw found in Apple's iOS 6.1

Posted in iPhone, edited January 2014
Another vulnerability has been discovered in iOS 6.1 that could give malicious users access to data on an iPhone with a lockscreen passcode enabled.



The vulnerability, which was highlighted on Monday by Jacqui Cheng of Ars Technica, is similar to one that was recently discovered. But the new exploit can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and potentially access the data stored on the handset.

Like the previous hack, the exploit can be accessed by making and then immediately canceling an emergency call on a passcode-locked device.

Of course, a hacker must have physical access to the device for the exploit to yield any data. But using the method highlighted, data such as contacts and voicemails could be extracted from a stolen iPhone even if a passcode lock were enabled on the device.

The previously highlighted lockscreen bug will be addressed by Apple in a forthcoming software update. A beta version of iOS 6.1.3 that addresses the issue was supplied by Apple to developers for testing last week.

Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1.

Comments

  • Reply 1 of 24
    moxom, Posts: 326, member


    Oh boy...

  • Reply 2 of 24
    Those programmers are missing a few things it seems...
  • Reply 3 of 24


    Isn't this the same stupid and irrational thing?

    I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

  • Reply 4 of 24
    solipsismx, Posts: 19,566, member
    Between Lock Screen and Daylight Savings bugs Apple seems to be dropping the ball on what I assume are important things that only need a minor amount of coding effort to get right.
  • Reply 5 of 24
    jd_in_sb, Posts: 1,600, member
    Reality dictates that bugs will appear in every version of iOS. It doesn't matter how good your programmers are.
  • Reply 6 of 24
    Apple will fix it for good soon... Apple always learns from its mistakes. I've got faith!
  • Reply 7 of 24
    richl, Posts: 2,213, member

    Quote, originally posted by SolipsismX:

    Between Lock Screen and Daylight Savings bugs Apple seems to be dropping the ball on what I assume are important things that only need a minor amount of coding effort to get right.

    Reply:

    I'm sure it's one of those things that's more complex a problem than it first looks. :)

  • Reply 8 of 24
    solipsismx, Posts: 19,566, member
    richl wrote:
    I'm sure it's one of those things that's more complex a problem than it first looks. :)

    Occam's Razor says you are correct.
  • Reply 9 of 24
    dasanman69, Posts: 13,002, member
    Isn't this the same stupid and irrational thing?

    I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

    What are you talking about? This article is nothing but about Apple.
  • Reply 10 of 24
    mstone, Posts: 11,510, member

    I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

    I was under the impression that you could only make emergency calls from the lock screen.

    When I open my phone and swipe to enter, the passcode pops up as expected; however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said "Siri, call Mark" and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email addresses, it apparently does not actually send even though Siri says "Ok I'll send it".

    Edit: Correction, it does send the email too. Actually, after playing around with this, it turns out she will schedule events and just about anything else you want without unlocking the screen.

    BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.

    It gets worse, or better, depending on whether you are honest or not. If you find someone's iPhone you can just ask Siri from the lock screen "What is my information?" and she willingly complies by displaying your complete contact info.

  • Reply 11 of 24
    kdarling, Posts: 1,640, member

    Apple has said that they still act like a startup... shifting engineers from one project to another every few months.

    While that concept makes for a great managerial fantasy, in practice it's usually more sensible to have groups that permanently "own" pieces of software, that they take full responsibility for.

    Another critical item is to make sure you have a test team with fully detailed test scenarios. The testers should be composed of both seasoned veterans and an occasional rotated-in newbie who does the unexpected.

    At the same time, I still defend the developers of the various Apple New Year's date bugs. I've had a few of those myself. They're hard to find, until you find them. THEN they're obvious :) It's all about having enough time to test, before your manager yanks you over to a different problem.

  • Reply 12 of 24

    Quote, originally posted by rcoleman1:

    Apple will fix it for good soon... Apple always learns from its mistakes. I've got faith!

    Reply:

    "Apple's iOS platform has had a history of lockscreen passcode bugs, as Cheng noted issues have existed in iOS 2.0, iOS 4.1, and now iOS 6.1."

    Is blind faith a virtue or simply stupidity?

  • Reply 13 of 24
    rogifan, Posts: 10,669, member


    More reasons why Forstall was fired?

  • Reply 14 of 24

    Quote, originally posted by mstone:

    I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

    I was under the impression that you could only make emergency calls from the lock screen.

    When I open my phone and swipe to enter, the passcode pops up as expected; however, if instead of swiping the unlock you just hold the home button, Siri pops up and will actually make calls. I said "Siri, call Mark" and it popped up all of Mark's numbers and she asked which one I want to use and the call goes through just fine. Same thing with email. Although it shows all the email addresses, it apparently does not actually send even though Siri says "Ok I'll send it".

    Edit: Correction, it does send the email too. Actually, after playing around with this, it turns out she will schedule events and just about anything else you want without unlocking the screen.

    BTW this is a fully patched iOS but not the beta. So someone with the beta should test it out too.

    Reply:

    For convenience, Siri (as well as a few other things, like Passbook) is treated separately from the lock screen, and essentially allowed to bypass it.

    If you're concerned about what people can do on your phone with Siri, even while locked, then you can control/turn that off as well. Look in:

        • Settings > General > Passcode Lock

    Furthermore, you can lock it down even further by enabling 'Restrictions' and turning off the camera, and now that will not appear on the lockscreen either.

    -Rick

    P.S. By the way, I had to figure this out the hard way -- my little nieces just looove to get ahold of my iPhone and mess with me by messing with it. But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such. Heh, kids. Anyway, solved that by also turning off Siri from the lock screen above.

  • Reply 15 of 24
    mstone, Posts: 11,510, member

    Quote, originally posted by _Rick_V_:

    P.S. By the way, I had to figure this out the hard way -- my little nieces just looove to get ahold of my iPhone and mess with me by messing with it. But they quickly figured out that Siri still worked, and continued to do things like "call me poopie head" and such. Heh, kids. Anyway, solved that by also turning off Siri from the lock screen above.

    Reply:

    Thanks, good to know. I thought the camera was a good idea in order to catch a shot you would have missed by the time you unlock, but don't you think that Siri should be locked out by default since it is capable of so much access? She can even dial numbers that are not in your address book too.

  • Reply 16 of 24

    Quote, originally posted by pedromartins:

    Isn't this the same stupid and irrational thing?

    I have no respect for these punks. Why not talk with Apple first? Bunch of morons. Sorry about the rant.

    Reply:

    Generally speaking, I tend to be a bit more sanguine about these exposed hacks. I would rather hackers discover and publicize these exploits, and force the vendors to fix them. Rather than discovering holes, not disclosing them, and then using the exploits later for nefarious purposes (witness: Chinese military hacking into our corporations).

    Granted it may not be exactly the same because here you at least have to have the device in hand. But the principle's the same.

    -Rick

  • Reply 17 of 24

    Quote, originally posted by mstone:

    I think I accidentally discovered another lock screen bug while playing around with similar sequences found in the video.

    Reply:

    What you're talking about here is exactly what Siri is advertised to do. For most people, it would defeat the purpose of using Siri if you had to take your phone out of your pocket, look at your screen, and type in your passcode. She can be turned off if you feel threatened.

  • Reply 18 of 24
    Rick beat me in, I was going to post the same thing about passcode lock.
  • Reply 19 of 24
    mstone: If you go to Settings/General/Passcode Lock you are given an option to disable Siri when the phone is locked. What you found is a feature, not a bug.
  • Reply 20 of 24
    mstone, Posts: 11,510, member

    Quote, originally posted by shovelheadrider72:

    mstone: If you go to Settings/General/Passcode Lock you are given an option to disable Siri when the phone is locked. What you found is a feature, not a bug.

    Reply:

    Thanks. I just recently put a lock screen on my phone. Previously I had none but it was recommended that I put one in case the phone became lost. Now that I understand the settings I think Siri should be locked by default because I doubt most people are aware that your lock screen is basically useless unless Siri is disabled.
