A video demonstrating the bug was posted on YouTube at the end of last month, but has only now reached media attention – garnering nearly 250,000 views in the meantime. The video, posted by user videosdebarraquito, shows how a sequence of making and canceling an emergency call, starting a power off but retrying the emergency button can bypass the phone’s passcode protection. If successful, it leaves the hacker in the iPhone’s phone app, but without any access to other apps – any attempt to use other apps simply reboots to the passcode.
Little real harm can come from this bug. Successful exploitation can allow phone calls to be made, and voice mails accessed. Photos in the contacts section can be accessed – but nothing more. It could lead to additional call costs and some embarrassment from voice mails, but doesn’t provide access to more potentially damaging apps – such as Facebook. It is “For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but...please...do not use this trick to do evil,” says its author.
There is also some question over the ease of its application. “We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1.” writes the The Verge. “CNET was able to re-create the hack with ease,” reports CNET. But, “I tried for roughly an hour to break into my own iPhone, but I just couldn't make it happen – those button presses have to be expertly timed,” writes Nick Statt in ReadWrite. Statt’s conclusion is, “Unless a would-be iPhone hacker has some serious gaming skills, it likely won't be easy for them to nail this on the first, or even fifth, try.”
Nevertheless, the fact that it can be done at all is an embarrassment for Apple. It is reminiscent of an earlier bug found in iOS 4.1 in 2010, and fixed in iOS 4.2. The same is likely to happen here. “We are aware of this issue,” Apple spokeswoman Trudy Muller told AllThingsD, “and will deliver a fix in a future software update.”
Meanwhile, Apple is working with Microsoft to fix a separate flaw in iOS 6.1 that occurs when used in conjunction with Exchange Server 2010. “When a user syncs a mailbox by using an iOS 6.1-based device,” warns Microsoft, “Microsoft Exchange Server 2010 Client Access server (CAS) and Mailbox (MBX) server resources are consumed, log growth becomes excessive, memory and CPU use may increase significantly, and server performance is affected.” As a temporary workaround, Microsoft says, “do not process Calendar items such as meeting requests on iOS 6.1 devices. Also, immediately restart the iOS 6.1 device.”