Apple reintroduces iPhone ‘Passcode Lock’ flaw (with workaround)

Apple’s iPhone offers users an optional “Passcode Lock,” which allows users to enter a four-digit passcode to limit access to the device.

However, it can currently be bypassed in certain situations if an intruder has physical access to your iPhone.

Here’s how to induce the issue:

1. Enter a 4-digit passcode via Settings > General > Passcode Lock
2. Make sure you have some contacts entered in Contacts, including email addresses, phone numbers, and website URLs.
3. Lock the iPhone and then hit the “Home” button to activate the slider to get to the “Enter Passcode” screen.
4. Tap the “Emergency Call” button (bottom left).
5. Double tap the “Home” button.
6. On certain iPhone setups, this can bring up all contacts in the Favorites list.
7. Tap on the blue arrow next to contact name to get full access to email, Safari, SMS, etc.

This vulnerability was already corrected once by Apple, in iPhone / iPod touch v1.1.3:

Passcode Lock

CVE-ID: CVE-2008-0034

Available for: iPhone v1.0 through v1.1.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

MacDailyNews Note: Obviously, this is one that has slipped through and not been included in later updates. Somebody at Apple failed to incorporate the most-recent codebase. Simple as that. Not an excuse. Apple blew it. Hopefully, it’s the only thing they missed. So, until Apple gets around to re-fixing this issue in the next update, you can secure your iPhone by setting your iPhone’s “Home” button’s double-click action to “Home” or “iPod” (Settings > General > Home Button and check “Home” or “iPod”).
