Apple iPhone 3G/3GS/4 bug grants access to address book & telephone

Ah dear.

What is it with Apple? Can’t they make their devices actually work properly from a security standpoint? Given the fact that millions of businesses are moving to standardise on them, you’d think they’d have thought a little bit more carefully about getting the basic security correct.

What’s the problem? Well, it’s simple: Even if your iPhone is ‘protected’ with a security passcode, you can bypass that with a few clicks to access the device address book. And Global Address Book, if available. You can also make phone calls.

You what?

Yes, you read that right.

You can pick up any ‘locked’ iPhone and tip-tap-tip, you can make phone calls and mess around with the address book. I’ve ‘hacked’ my iPhone 4 with the technique.

Robert McMillan from PC World published this helpful post on the subject referencing the MacRumors forum and a rather helpful video demonstration:

A bug in Apple’s iPhone OS gives thieves a way to unlock stolen iPhones and make telephone calls.

The flaw was first reported late Friday on the MacRumors discussion forum and is very much like other, similar bugs discovered in iOS over the past few years. In an Internet video, one user shows how it works on a phone that requires a security passcode before it will work. By hitting the Emergency Call button and then tapping ###, Call, and then quickly hitting Lock, he is able to open up the iPhone’s Phone program, look up the owner’s contacts and make telephone calls to any phone number.

No other iPhone applications are accessible, however, so the bug can’t be exploited to, say, send or read e-mail messages.

Every security chief at every Fortune 250 company that has recently deployed iPhones will be having kittens right now.

It’s not a *MASSIVE* gaping hole — it’s only the address book — but that’s enough to give most security people palpitations.

Is this why, if you’re doing anything on iPhone, you should be using Good Mobile Messaging? Or simply, sticking with RIM?

2 COMMENTS

  1. Hmmm…I have an i3GS, with iOS4.1 (8B117) – firstly, dialing ### immediately kicks you back to ‘emergency calls only’ – the ONLY number you can place an emergency call on is 999.

    And then hanging up real quick or pressing lock kicks you back to the pin screen.

    I don’t know what’s more disconcerting – the demo video of it happening on an iP4 or the inconsistency across hardware running the same OS. Maybe it’s a country-specific build issue? Not sure if being an O2 customer I have a custom build that as a UK resident only allows 999 calls.

  2. Try a random number rather than ###

    Also, by “sharing this contact” you can get into the photo album and apparently even emails…
