Bug in iPhone 5’s iOS 6.1 bypasses lockscreen

15 February 2013

A bug in iOS 6.1 allows a hacker with physical access to an iPhone 5 to bypass the LockScreen defense to gain access to the phone app and place calls, listen to voice mails and view photos in the contacts section.

A video demonstrating the bug was posted on YouTube at the end of last month, but has only now reached media attention – garnering nearly 250,000 views in the meantime. The video, posted by user videosdebarraquito, shows how a sequence of making and canceling an emergency call, starting a power off but retrying the emergency button can bypass the phone’s passcode protection. If successful, it leaves the hacker in the iPhone’s phone app, but without any access to other apps – any attempt to use other apps simply reboots to the passcode.

Little real harm can come from this bug. Successful exploitation can allow phone calls to be made, and voice mails accessed. Photos in the contacts section can be accessed – but nothing more. It could lead to additional call costs and some embarrassment from voice mails, but doesn’t provide access to more potentially damaging apps – such as Facebook. It is “For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but...please...do not use this trick to do evil,” says its author.

There is also some question over the ease of its application. “We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1,” writes The Verge. “CNET was able to re-create the hack with ease,” reports CNET. But, “I tried for roughly an hour to break into my own iPhone, but I just couldn't make it happen – those button presses have to be expertly timed,” writes Nick Statt in ReadWrite. Statt’s conclusion is, “Unless a would-be iPhone hacker has some serious gaming skills, it likely won't be easy for them to nail this on the first, or even fifth, try.”

Nevertheless, the fact that it can be done at all is an embarrassment for Apple. It is reminiscent of an earlier bug found in iOS 4.1 in 2010, and fixed in iOS 4.2. The same is likely to happen here. “We are aware of this issue,” Apple spokeswoman Trudy Muller told AllThingsD, “and will deliver a fix in a future software update.”

Meanwhile, Apple is working with Microsoft to fix a separate flaw in iOS 6.1 that occurs when used in conjunction with Exchange Server 2010. “When a user syncs a mailbox by using an iOS 6.1-based device,” warns Microsoft, “Microsoft Exchange Server 2010 Client Access server (CAS) and Mailbox (MBX) server resources are consumed, log growth becomes excessive, memory and CPU use may increase significantly, and server performance is affected.” As a temporary workaround, Microsoft says, “do not process Calendar items such as meeting requests on iOS 6.1 devices. Also, immediately restart the iOS 6.1 device.”

This article is featured in:
Wireless and Mobile Security

 
