Major Security Flaw in 2.0.2


sparkyms

macrumors 65816
Feb 22, 2007
1,304
3
Southampton UK
Wasn't this a way to get into the phone to "Hacktivate" it a long time ago?

Either way, this has been known for a while I'm sure. But saying that, if anyone steals your iPhone, they can get anything off it by jailbreaking, and like someone said, a passcode screen isn't going to deter a thief, or anyone that wants to take your personal info.
 

kdarling

macrumors P6
Wow, sounds like someone at Apple is about to be yelled at or get fired...
Probably not. It's well known that a million beta testers will find stuff that a software QC department never will. And as long as no one has sued because they lost critical info because of this flaw, it's just something to fix in the next rev.

But it does point out once again, that the reason IT departments are willing to go with Blackberries and WinMo, is that those systems have had a decade of users finding security bugs. The iPhone is still a big unknown, and has to earn its bones over time like everyone else. Ditto for Android.
 

mcdj

macrumors G3
Jul 10, 2007
8,859
3,722
NYC
Wasn't this a way to get into the phone to "Hacktivate" it a long time ago?

Either way, this has been known for a while I'm sure. But saying that, if anyone steals your iPhone, they can get anything off it by jailbreaking, and like someone said, a passcode screen isn't going to deter a thief, or anyone that wants to take your personal info.
Difference is, this is something that enables casual spying by someone who doesn't intend to steal the phone, but is otherwise a snoop. It's one thing to nab the phone, hook it up to another computer and jailbreak...it's another to pick up the phone off a desk and quickly scan someone's SMSs/email/Safari history. This is something that could be done repeatedly without raising suspicion.
 

nando2323

macrumors 6502a
Aug 15, 2007
662
0
You can also make phone calls to anyone!!!

Also you can make outgoing calls to anyone not just 911 on the emergency dialer.
 

bytethese

macrumors 68030
Jun 20, 2007
2,692
99
2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorites page, i.e. tapping their home page brings up a full, unrestricted Safari.

This is not a bug in 2.0.2, I have a 2.0.1 and viewed similar behavior. But I guess this only works if you set your double tap to be your favorites (default). I've set mine to iPod. If someone wants to listen to my tunes or watch my videos if I lose my phone, so be it. :)

But if people do leave the default setting, I can see how this would be a problem!

I tried this and all my iPhone did is say:

"Would you like to play a game?"
Weird, I have a new game on my screen after logging in. Global Thermonuclear War. Looks better than that other tic tac toe game I had...
 

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
730
0
Tulsa, Ok
This is not a bug in 2.0.2, I have a 2.0.1 and viewed similar behavior. But I guess this only works if you set your double tap to be your favorites (default). I've set mine to iPod. If someone wants to listen to my tunes or watch my videos if I lose my phone, so be it. :)

But if people do leave the default setting, I can see how this would be a problem!
1.0 or 2.0.1 or 2.0.2 it's still a bad bug :(
 

bytethese

macrumors 68030
Jun 20, 2007
2,692
99
Holy crap, I don't give a crap because I don't lock my iPhone since I usually keep it on my person.

It's the same thing with your laptop, as soon as someone has physical access to it, you are screwed anyway.
Yes, but should you lose your iPhone (a lot easier to do since it's smaller than a laptop), at least having the passcode will deter most curious parties from tinkering should they find your phone. Will it deter the most determined hacker? Heck no, but at least it's something. :)

1.0 or 2.0.1 or 2.0.2 it's still a bad bug :(
Yeah, I think it started with 1.1.4? Whenever they enabled the double tap option on the Home Button.

I just showed my coworker who has a phone too and he was surprised. Yikes, this is bad since a lot of folks keep their lives on their phones. I start my master's in Forensic Computing today, this may make for a great discussion! :)
 

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
730
0
Tulsa, Ok
Yeah, I think it started with 1.1.4? Whenever they enabled the double tap option on the Home Button.

I just showed my coworker who has a phone too and he was surprised. Yikes, this is bad since a lot of folks keep their lives on their phones. I start my master's in Forensic Computing today, this may make for a great discussion! :)
Glad I could help. Now if your class would solve the problem and then send it to Apple, we would all be happy! LOL
 

Niiro13

macrumors 68000
Feb 12, 2008
1,717
0
Illinois
Holy crap, I don't give a crap because I don't lock my iPhone since I usually keep it on my person.

It's the same thing with your laptop, as soon as someone has physical access to it, you are screwed anyway.
I don't lock my iPhone either.

The point is that Apple shouldn't have overlooked this major flaw. It's not whether this slip-through will cause any harm...it's the fact that there's a slip-through!
 

JPIndustrie

macrumors 6502a
Mar 12, 2008
858
155
Queens, NY
You know what, this may have been a largely unknown issue, even since the 1.1.1 firmware, when double-tap home and double-space for period was introduced.

Anyone have a 1.1.x iPhone to test?
 

crees!

macrumors 68000
Jun 14, 2003
1,921
26
MD/VA/DC
While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.
iTunes always goes into Not Responding mode when I plug in my iPhone while the passlock is enabled. So I then unplug it, iTunes then stops hanging, unlock the phone, plug back in and we're all good.
 

John-S

macrumors member
Jun 11, 2007
33
0
Well, here is my problem with Apple.

We had our first child last year and were in the hospital for 2 weeks due to issues with the baby. We took all our pictures on our iPhone. Then I came home and accidentally dropped it in the bathtub. I let it dry for days and then tried turning it on. The entire screen would show but only the touch sensors on the top half worked. Having my phone password protected, I couldn't access anything because I couldn't type in the bottom keys. So all my pictures were sitting on the phone but I could not sync them to my computer or view them.

I called Apple to find out if they have a way of bypassing the password. Negative! They claimed they had no way to help me whatsoever. There should be a way to type in the password via your keyboard on your computer I said... they agreed but it wasn't possible.

After that I demanded to speak with Apple's supervisor's supervisor's supervisor, where he came up with this great idea to try iphonedrive software. It allowed me to access everything that was on my iPhone and without my password. Scary, but due to my circumstances and Apple's stupidity on this issue... it saved me!

So, Apple needs to prevent leaks but it also needs to be sure there is a backup plan should a problem like mine arise.
 

JML42691

macrumors 68020
Oct 24, 2007
2,082
2
Well, here is my problem with Apple.

We had our first child last year and were in the hospital for 2 weeks due to issues with the baby. We took all our pictures on our iPhone. Then I came home and accidentally dropped it in the bathtub. I let it dry for days and then tried turning it on. The entire screen would show but only the touch sensors on the top half worked. Having my phone password protected, I couldn't access anything because I couldn't type in the bottom keys. So all my pictures were sitting on the phone but I could not sync them to my computer or view them.

I called Apple to find out if they have a way of bypassing the password. Negative! They claimed they had no way to help me whatsoever. There should be a way to type in the password via your keyboard on your computer I said... they agreed but it wasn't possible.

After that I demanded to speak with Apple's supervisor's supervisor's supervisor, where he came up with this great idea to try iphonedrive software. It allowed me to access everything that was on my iPhone and without my password. Scary, but due to my circumstances and Apple's stupidity on this issue... it saved me!

So, Apple needs to prevent leaks but it also needs to be sure there is a backup plan should a problem like mine arise.
Except in your situation, it was your fault of the damage, not Apple's. Apple cannot safeguard every possible user-caused problem, and they should not be expected to, you just got lucky that there was a way for them to help you.
Let it be known that I said: Apple's popularity is going up, customer satisfaction is plummeting
How exactly is this something that is going to make customer satisfaction plummet? All things in technology have their bugs, granted, this is a big bug, but not the easiest to figure out. Look at Vista, that was something that all around had major problems and that was what made Microsoft's customer satisfaction plummet. The iPhone 3G and the 2.0 software both have their fair share of problems, but the device still works. I do not think that this is going to make customer satisfaction plummet in any major way, after all, I bet that 90% of iPhone users won't even hear about this, it will just be listed in the software update details as a security patch.
 

mcdj

macrumors G3
Jul 10, 2007
8,859
3,722
NYC
Well, here is my problem with Apple.

We had our first child last year and were in the hospital for 2 weeks due to issues with the baby. We took all our pictures on our iPhone. Then I came home and accidentally dropped it in the bathtub. I let it dry for days and then tried turning it on. The entire screen would show but only the touch sensors on the top half worked. Having my phone password protected, I couldn't access anything because I couldn't type in the bottom keys. So all my pictures were sitting on the phone but I could not sync them to my computer or view them.

I called Apple to find out if they have a way of bypassing the password. Negative! They claimed they had no way to help me whatsoever. There should be a way to type in the password via your keyboard on your computer I said... they agreed but it wasn't possible.

After that I demanded to speak with Apple's supervisor's supervisor's supervisor, where he came up with this great idea to try iphonedrive software. It allowed me to access everything that was on my iPhone and without my password. Scary, but due to my circumstances and Apple's stupidity on this issue... it saved me!

So, Apple needs to prevent leaks but it also needs to be sure there is a backup plan should a problem like mine arise.
LOL.


You took all your baby pics with a crappy phone camera instead of a real camera. Mistake 1.

You dropped it in a bathtub. Mistake 2.

You broke the phone and your password can't be entered, so you ask Apple to help you crack it.

They do help you get past the password and you get your photos, but that makes them stupid.

Apple needs to keep the phone secure, unless someone *really* needs to get inside it.


Waaay too funny. Do you have any idea how preposterously priceless your entire post is? The customer service rep who fielded your call deserves a raise.
 

Peace

macrumors Core
Apr 1, 2005
19,464
3,829
Space--The ONLY Frontier
This is a flaw. But.

If a person loses his/her iPhone all they have to do is call AT&T or whatever carrier they are using and have it remotely wiped.

Until Apple fixes this keep your phone close and don't let others use it if you have it pass code locked.
 

fozarn

macrumors newbie
Oct 24, 2007
9
0
bangkok
Not a surprise for me.

I thought this was found since last year.
I used this method to hack into my iPhone for the first time in February 2008.
That was even 1.13.
This hack was widely available on the internet until ZiPhone came out in Feb.
I googled "iPhone unlock" to get this hack.