Apple reintroduces iPhone ‘Passcode Lock’ flaw (with workaround)

Apple’s iPhone offers users an optional “Passcode Lock,” which allows users to enter a four-digit passcode to limit access to the device.

However, it can currently be bypassed in certain situations if an intruder has physical access to your iPhone:

Here’s how to induce the issue:

1. Enter a 4-digit passcode via Settings > General > Passcode Lock
2. Make sure you have some contacts entered in Contacts, including email addresses, phone numbers, and website URLs.
3. Lock iPhone and then hit “Home” button to activate slider to get to “Enter Passcode” screen.
4. Tap “Emergency Call” button (buttom left).
5. Double tap “Home” button.
6. On certain iPhone setups, this can access up all contacts in the Favorites list.
7. Tap on the blue arrow next to contact name to get full access to email, Safari, SMS, etc.

This vulnerability was already once corrected by Apple with iPhone / iPod touch v1.1.3:

Passcode Lock

CVE-ID: CVE-2008-0034

Available for: iPhone v1.0 through v1.1.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

MacDailyNews Note: Obviously, this is one that has slipped through and not been included in later updates. Somebody at Apple failed to incorporate the most-recent codebase. Simple as that. Not an excuse. Apple blew it. Hopefully, it’s the only thing they missed. So, until Apple gets around to re-fixing this issue in the next update, you can secure your iPhone by setting your iPhone’s “Home” button’s double-click action to “Home” or “iPod” (Settings > General > Home Button and check “Home” or “iPod”).


  1. a workaround to fix the flaw reintroduced by the patch that broke the original patch that fixed the flaw. hmmmmm, sounds familiar…
    couldn’t help myself, sorry ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

  2. @ Captain Obvious

    “Inexcusable” is a bit of hyperbole don’t you think?

    Phones have a (rather unusual and atypical) hardware requirement to always be able to be used for an emergency call irrespective of the security state of the system that makes the call. That’s like having a “secure” computer that somehow also lets you log on and do your email without giving you access to the system itself. This is not a trivial thing to design.

    I think it’s more than understandable that Apple has made this minor mistake in that regard. It is a mistake, and I am not defending it, but it’s hardly “inexcusable,” not is it malicious or really that surprising.

  3. Perfection, damn it! I DEMAND PERFECTION FROM EVERYONE AND EVERYTHING! (Thank Gawd I’m not on the International Space Station right now with my trusty, but infected, PC laptop. huh?)

  4. I’m very happy about the flaw. It allows me the best of both worlds. Once again Apple design triumphs. I can set my security code that will stop most people, but leave my phone set up so that I can quickly get back in without being forced to recall and enter that stupid pass code.

    This works quite well for me.

    No one does it better than Apple!

  5. I’ve got the double-tap set to open my iPod and sure enough that’s what opens when I follow the instructions.

    Speaking of the passcode, I don’t see why we can’t use alphanumeric passwords. It’s like Apple was still in iPod-mode and forgot about the touch keyboard that can appear whenever we need it.

  6. @ Jeremy,

    No, this was inexcusable.

    Apple has exactly TWO devices to test.

    This was a KNOWN security flaw that had earlier been corrected, and all it takes to verify they broke it, was to double tap the home key.

    Sorry, but there’s only ONE button on the front of the iPhone, and QA is falling on its face.

  7. I honestly like this “flaw” and wish it would show an emergency contacts list.

    All it does is show your address book – or your iPod app (depending on what you programmed the double-click home button to).

    I like using the password lock, but am always worried that if I ever have an accident and am unconscious (I ride motorcycles so that’s always on my mind) – I would want someone to be able to access my contacts list and get a hold of someone who knows me.

    But then again the chances of the iPhone surviving such a crash is very small. ” width=”19″ height=”19″ alt=”hmmm” style=”border:0;” />

  8. You can solve this problem by setting a list of such phone numbers as your background. Just go into Word (or another word processor, if you like), type up the numbers, and take a screenshot. Obviously, you can even have another image within Word as a background and put your numbers in a text box.

    This way, if you lose your phone and somebody finds it, they won’t be able to steal it, but they’ll know whom to call.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.