Locks only keep honest people honest. If somebody wants it bad enough they will get it.

OMG!OMG!

If "hackers" have access to my computer, they can reset root and have at all the information on it.

If "hackers" have access to my wallet, they can steal credit card numbers and cash

If "hackers" have access to my phone...well, hopefully, you get the point.

Physical access to any device/computer/wallet is a bad thing. A passcode (even if it did work) won't deter anyone with ill intent.

It will if it's backed up with strong encryption.
 
I can't encrypt my wallet and even strong encryption gets broken - remember when 40 bit crypto was considered "strong?"

It was never really considered strong. And so far strong encryption has apparently remained unbroken for at least a decade.
 
Huge iPhone Security Flaw Puts All Private Information at Risk

Really? Because I don't have a pass-code on my iPhone at the moment. Just don't let random folks use your phone?

Gotta love the AOL bloggers and their TimeWarner craziness.

And if you LOSE your iPhone? The passcode is supposed to be there to PREVENT access by unauthorized individuals.
But if you have your home-button double click set to your favorites, anyone who finds your phone could just [Slide] > [Emergency Call] > [Double Click] to prank, harass your favorites. Let alone impersonate you (ID theft) via caller ID.
 
You give too much credit to thieves...

I use the passcode on my phone simply to restrict a thief or someone who finds it from using it. Most thieves are NOT hackers and will not know how to defeat this. Sure, they could look it up, but if they wanted to actually do that much work, they would likely have a job...

I don't mind if my co-workers and friends know my code, because it's not to prevent their use, only someone who finds my lost phone or steals it.

I wish the passcode screen had a message about "if you find this phone, please return it to..."
 
you all will love this!

i'll keep it short.

had appointment at the crapple store due to many issues with the iphone.

their so called genius was an ass.

i handed him the phone so he could check it out and he asked for my password.

i said to him, "what's the point of a password if i tell you? give it to me and i'll type it in"

to this he said, "well it doesn't matter anyway I CAN GET IN WITHOUT IT."


this floored me. i was so pissed. after he told me it is normal for my battery to last 2 hours and my phone to freeze and crash i took the phone back and left the store.

after further calls to crapple they replaced my phone last week. we'll see what happens with this one.
 
anyone who finds your phone could just [Slide] > [Emergency Call] > [Double Click] to prank, harass your favorites.

That's it? I only have a few contacts in my favorites, the people I call a lot. They know me really well. If a prankster calls them, they'll be understanding when I explain what happened. And how would the average prankster know enough to double-click the button anyway? Double-clicking does nothing once inside the favorites list. Single-clicking just goes back to the password screen. I don't see the big deal, unless the contacts in the favorites list were important business contacts with important notes written in for contact information. But even then, the prankster wouldn't know your name and so couldn't really impersonate you. This seems a bit blown out of proportion. The impression I got from the introductory paragraph was that the whole iPhone was accessible.

One thing that might pose a problem is that from the favorites you can send text messages to the contacts. A prankster could run up a sizable bill if the iPhone owner doesn't have a text messaging plan.

As for a malicious hacker, I agree with others that if someone wants to hack your iPhone a simple 4-digit password isn't going to prevent anything.
 
I just tried it and was very easily able to get from the favourites list into SMS, Mail, Safari & Maps

Doesn't bother me as I don't use a passcode anyway - but I can see why it would bother those that do
 
Basically, the person reading all of your mail is the only thing I can think of that could contain lots of personal information (and SMS' likewise).

This might not be a big deal to some people, but it's a bug that is going to be fixed. Apple isn't screaming about it, we shouldn't either. It'll be fixed. It's not a big deal.
 
The passcode can be easily bypassed without this technique, simply by deleting the com.apple.SpringBoard.plist file from the phone. This can be done with a custom firmware package, such as the ones you can build with Pwnage. Details for both 1.x and 2.x passcode cracks have been available to law enforcement for quite some time, and are published in my new book iPhone Forensics.

You are wrong about this. At least as of 2.0.1, which I tested thoroughly, if you change the plist, once you press the power button the phone locks itself again because the OS detects that there's a password saved in a database where the passwords are kept. This database is an SQLite database. The second step that I previously mentioned before is to delete the password from the database to remove all passcode restrictions. Only then will the passcode lock be removed repeatedly. My instructions (which I will post later tonight) detail all of this.
 
Do people really think that a 4-digit passcode protects them from anything--I mean, how long does it take to go from 0000 to 9999?
 
I'm also appalled that getting past the passcode is this easy. I usually only use the passcode if I'm gonna be out somewhere for a while, i.e. sporting events or school (starting college in the fall).

So, you all might want to set your home button double-click to "Home", because I just tried the method with "iPod" set as the double-click and it allows access to the iPod app. They can't get to anything else, as far as I know, but setting your home button to "Home" and double-clicking on the emergency call screen just brings you right back to the "Enter Passcode" screen.
 
Huge iPhone Security Flaw Puts All Private Information at Risk

Really? Because I don't have a pass-code on my iPhone at the moment. Just don't let random folks use your phone?

Gotta love the AOL bloggers and their TimeWarner craziness.

I said the same thing. Major sensationalism! Simple PIN-code phone locks have always been nearly worthless. If someone is physically in possession of your phone, there is a pretty good chance they are going to find a way into the system. For real security, iPhones (and other phones) need to use a symmetric-key encryption application. With all the free open-source encryption code out there, why hasn't Apple already made an implementation available on the iPhone? Just priorities or what?
 
How does a billionaire like Steve that uses the phone all the time with sensitive information on it not realize a flaw like this?

Apple don't have testers.

I have often noticed that.

It's the only explanation for why their software is well-designed but has obvious flaws nonetheless.

A single tester would have noticed immediately that pressing the home button twice in the emergency call screen (which btw can be used to make any call you want and is NOT limited to emergency calls) bypasses the password.

But Apple don't have testers.

That also explains why iWeb's right-to-left script support is broken. A single tester typing Hebrew, Arabic, or Persian would have noticed.
 
I don't care if I get the phone back. I mean that would be nice, but the phone is worth infinitesimally less than the data on the phone. Hopefully if it's properly encrypted with real, strong encryption, they'll just give up and wipe the phone, so all you're out is $600 or whatever for the phone itself.

Same here.

I made this point in this thread:

https://forums.macrumors.com/threads/509617/

I said:

"I was wondering about losing my iPhone. And at some point I realised that I don't really mind so much buying a new one if I lose mine. More difficult is the fact that my iPhone contains my emails and address book, personal data comparable to what's on my computer rather than a traditional mobile phone."

"Why didn't Apple just encrypt everything???"

End said.


And here are some replies:

"anyway, can you not use, and change often, a 4 digit code?"

"Or you could just do a remote wipe if you lose it. A lot more convenient"

[Note: I don't know how to do that.]

"What difference would the encryption make? Presumably when you enter the code correctly the encryption would be bypassed and the data would be accessible or it'd be difficult to use the phone? In that case, your only real protection is the code (just like it is now) because if someone gets the code they get the data."

[Note: bypassing the code wouldn't allow access to encrypted data which needs the code for decrypting.]

"But your information is already protected by a 4-digit code (if you have that on). If you're actually worried about someone physically taking your iPhone apart, ripping out the flash chips and putting them into some sort of reader to access your data, I hope you've got your underground lair swept for bugs and all your phone lines monitored for wiretaps. Oh, and watch out for the CIA assassins."

[Note: Actually, I do have my underground lair swept for bugs.]

End replies.


And here's the solution I proposed:

1. Encrypt the data with a 10-letter password.

2. Whenever the phone is switched on (from power-off), ask for the 10-letter password.

3. Store the password in memory while the phone is on (or sleeping) and use it to decrypt the data on the fly when the phone is in use.

4. If the phone is switched off (to power-off), lose the password from memory (naturally). If the phone hasn't been used for a (configurable) number of hours, lose the password from memory.
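
The key handling in steps 2 to 4 of the proposal above, as an added sketch that is not part of the original post and not Apple's design: the password is stretched into a key at power-on, held only in memory, and dropped at power-off or after an idle limit. `SessionKey`, `keyspace`, `ROUNDS` and the PBKDF2/HMAC verifier are assumptions made for the illustration; `keyspace` puts the thread's 4-digit passcode next to the proposed 10-letter password.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # assumed PBKDF2 work factor; slows each password guess


def keyspace(alphabet_size, length):
    return alphabet_size ** length  # worst-case number of guesses


class SessionKey:
    """Key lifecycle from steps 2-4: derived at power-on, dropped at power-off or idle."""

    def __init__(self, password, idle_limit_s, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.idle_limit_s = idle_limit_s
        self.clock = clock
        # Only a verifier is kept on storage, never the password or the key.
        self.verifier = self._tag(self._derive(password))
        self._key = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ROUNDS)

    @staticmethod
    def _tag(key):
        return hmac.new(key, b"passcode-verifier", hashlib.sha256).digest()

    def power_on(self, password):
        """Step 2: ask for the password at boot; keep the key only if it verifies."""
        key = self._derive(password)
        if not hmac.compare_digest(self._tag(key), self.verifier):
            return False
        self._key, self._last_used = key, self.clock()
        return True

    def key(self):
        """Step 3: hand out the in-memory key, unless the idle limit has passed."""
        if self._key is not None and self.clock() - self._last_used > self.idle_limit_s:
            self.power_off()
        if self._key is not None:
            self._last_used = self.clock()
        return self._key

    def power_off(self):
        """Step 4: drop the key (real firmware would also zeroize the buffer)."""
        self._key = None
```

Because the data key only exists after `power_on` succeeds, getting past the lock screen UI yields nothing while `key()` returns `None`.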
 
I agree the device should be encrypted.

The thing I wonder about is how everyone throws out remote wipe, as if everyone that has sensitive information is running Exchange. Somehow I doubt very seriously Apple is using Exchange for email. And in that case, how would they ensure sensitive data has been purged from a lost iPhone?
 
Yup...they're just not allowed to post, right? I thought I read that somewhere on this forum.

They're not allowed to post representing Apple. I don't think Apple can legally stop their employees from posting if they don't claim to represent Apple. I've seen Apple employees post on other forums before, so I don't think that's a rule.
 
I agree the device should be encrypted.

Yes. And isn't my idea the obvious solution?

The thing I wonder about is how everyone throws out remote wipe, as if everyone that has sensitive information is running Exchange. Somehow I doubt very seriously Apple is using Exchange for email. And in that case, how would they ensure sensitive data has been purged from a lost iPhone?

I was wondering about that. I contacted o2, my phone company, and they didn't know anything about the feature and told me to contact Apple.
 
AFAIK, remote wipe is a feature of both BES and Exchange ActiveSync. All it does is remove all the Exchange data (well what is synced) off the phone. It doesn't actually brick the device (I think the BES version does but I am not positive).
 
Why are many people in here so quick to dismiss this flaw and try to pass the buck on to "lazy" iPhone users?

If this had been any other company, people on here would be having a BBQ and passing around fruity wine coolers.

That being said, I'm glad that Apple is working on a fix, although I think they should be getting on this pronto.
 
I didn't see anyone else mention this, but the passcode workaround bug has been fixed with the update.

When I double tap the Home button from the Emergency Call screen, the iPhone returns to the Passcode screen and not my favorites.
 