iOS 4.1 security bug: bypass passcode entry and access Phone, Photos apps
If you've got a passcode entry set on your iPhone, you might think it could block nefarious or mischievous people from accessing any part of your iPhone. Not so. We've been made aware of a security flaw in iOS 4.1 that allows users to bypass the passcode entry screen and gain direct access to the iPhone's Phone app. It's not just hype either: this is easier to pull off than the Konami code.
How it works: when the passcode entry screen comes up, tap "Emergency Call." Input any number you like, then tap "Call" and click the iPhone's sleep switch in quick succession (to get this to work, I had to perform the two actions almost simultaneously). If you've done the "trick" properly, you should now have full access to the iPhone's Phone app, including contacts, keypad, and calling history. What's more: tapping "Share Contact" and the camera icon will give you access to the Photos app. That's the extent of your access -- hitting the home button doesn't do anything at all -- but it's bad enough.
According to Daring Fireball's John Gruber, this bug isn't reproducible on the latest iOS 4.2 beta, so it's possible Apple was already aware of the security bug and has fixed it in 4.2. Until 4.2 is released, the best thing you can do is take our own Dave Caolo's advice: physical access is total access, so the first and most vital step to making sure people can't access your sensitive information is making sure they can't access your iPhone at all.
I did that.. it works on my iPhone 4 iOS 4.1
Let's see if iOS 4.2 will fix the security hole..
You can get full access to any iPhone using this hack. Once in the Telephone screen, click around until you find one with a URL in the address book, click that to open it in Safari, click + to add it to the home screen, voila full access. If you don't find a URL, find one with an e-mail address, click that, cancel sending email, browse through e-mails until you find a URL, click that and continue as above.
As for chastising TUAW for publishing this vulnerability - DUH.
I can't repeat that on a 3GS with 4.1 - tapping email or url fields in the phone app does nothing. Sharing contact works to send mail, editing contact works to browse photos, but urls are a no-go. I believe in both cases the phone app itself performs those tasks.
October 26 2010 at 10:02 PM
This isn't really surprising. The situation has always been that if somebody gets physical access to any piece of hardware, whether phone or computer, it's theirs.
Want to show me a real security flaw? Access the contents of my iPhone, iPad, or Mac Pro at a distance (without my participation, of course).
Damn! It works. I can reproduce it each time. That's f**n' bad.
October 26 2010 at 8:14 AM
Forgot to say: iPhone 4 under iOS 4.1
October 26 2010 at 8:15 AM
To those who want to get off the screen and go back to your lockscreen, simply make a call and before it dials just quickly end the call, and it returns to the lockscreen.
October 26 2010 at 4:02 AM
I think the more important question here is why is the bug pooping?
October 26 2010 at 3:22 AM
Bug is active on my 3GS. You can also access the e-mail app when sharing a contact.
October 26 2010 at 3:18 AM
I was able to bypass the lock screen. However after a few seconds of having access to the data the phone went back to the lock screen.
Others?
-- Steve
And yet another site tells the world how to do the security bypass.
Et tu, Engadget?
Hah I'm so dumb I don't even know what site I'm looking at.
October 26 2010 at 2:29 AM