Latest iPhone update fails to fix lock-screen bypass flaw

When iOS 6.1.3 came out about a month ago, it fixed a lock-screen bypass bug that would let unauthorized third parties with physical access to the phone get around the device’s password protection in order to access an iPhone’s apps and information. 

Of course, that update also unfortunately introduced an entirely different lock-screen bug.

YouTube user VideosdeBarraquito, who discovered the last vulnerability, has repeated the trick with a new video (above) showing how to bypass the iPhone passcode lock. This time an age-old tech-tool is required – a paperclip. Its purpose is to eject the SIM card at precisely the right moment.

The process is to make a call using Voice Control, but to eject the SIM card as soon as the device starts dialing. Once the SIM is ejected, the phone abandons the call – but crucially leaves the iPhone app open. As with the last bug, this provides access to any data available to the app – not a huge amount, but enough to be damaging: voice mail, contacts, photos and video; and of course outgoing phone calls.

It was expected that Apple’s next OS update would fix the issue, but the Cupertino giant has not addressed it. In fact, it hasn't addressed anything, infosecurity-wise.

“There don't seem to be any security fixes,” said Paul Ducklin, a researcher at Sophos Security.

The lack of any sort of security nod is a rarity for Apple's operating system updates, which Ducklin said “usually have quite a lot going for them.”

For instance, “When OS X 10.8.2 was superseded by 10.8.3, Apple patched 21 security vulnerabilities,” he said. “Eleven of these vulnerabilities offered the possibility of remote code execution (RCE) exploits. RCE holes are what make drive-by downloads possible, where you may end up getting infected merely by looking at a website, reading an email or viewing a document.”

What’s Hot on Infosecurity Magazine?