Passcode Vulnerability Returns in iPhone Updates (NewsFactor)
Jennifer LeClaire, newsfactor.com 10 minutes ago
Apple's publicity nightmare keeps growing worse. The latest twist is more serious than dropped calls or lost e-mail -- it's a security flaw in the iPhone that could dial up trouble for users.
The flaw isn't a new issue. Apple first addressed what is known as the passcode flaw last January. The fix prevented unauthorized users from circumventing the password-protected locking feature in an early version of the software. But the problem has reemerged in new versions of the iPhone software.
The flaw apparently allows attackers to bypass the passcode locking feature by touching "Emergency Call" on the password-entry screen and then double-tapping the Home button. An attacker would then have access to the iPhone users' frequently called contacts list, which includes both addresses and phone numbers.
An attacker could also use the breach to access the iPhone's e-mail application and gain access to e-mail addresses or Web sites, as well as the user's Safari browser. The flaw is reportedly present in iPhone software versions 2.0 and 2.0.2. The issue also affects the iPod touch.
Are There Other Security Flaws?
It appears that the security update Apple issued for iPhone 1.1.3 in January didn't make it into later versions of the handset's software. That January update offered three security patches for several vulnerabilities.
Besides the passcode, other issues included a memory-corruption issue in Safari's handling of URLs and a WebKit that allowed a page to navigate the subframes of any other page. There is no evidence that the latest versions of the iPhone's software continue to have these two issues. Apple could not immediately be reached for comment, but offered this explanation of the passcode flaw in January:
"The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock."
An Opportunity To Make Mischief
"The guys at Apple must be feeling like the skies are really raining on their parade at the moment," said Graham Cluley, senior technology consultant at Sophos. "After all the complaints about the new iPhone's 3G performance not being as good as the TV adverts suggested, they now have to contend with an embarrassing flaw in security that really should have been picked up by their quality assurance department."
Although this security hole doesn't give unauthorized users complete access to all the data on an iPhone, it could still mean there's an opportunity for mischief-making and for thieves to access private information, he said.
"Lovers of the iPhone will be waiting with bated breath for Apple to announce when they will roll out a fix for this security loophole," Cluley said, "but in the meantime there is a manual fix which the Internet community has discovered: changing the settings of the iPhone so the 'home' button actually takes you to the phone's Home screen will mean users have to enter the passcode before accessing features."