The password protection of an iPad 2 running iOS 5 can be circumvented in less than five seconds with just three simple steps. Bypassing the unlock screen on iPad 2 can be accomplished by first pressing the power button until the power-off screen is displayed. Users then need only to close and reopen the fondleslab's 'smart …
Proof positive that Apple care about your security.
They'll likely patch it...about as quickly, and accurately as they did with the Daylight Savings Time shifts....
"Proof positive that Apple care about your security."
But Apple products do not have security problems. Security problems are for Pee Cee's! If only Steve Jobs were here to answer a few questions about this.
So Apple go to great lengths to secure the iPad so that we can't (legitimately) run customised software on it then make a total screwup of proper security for our data.
@Tim Brown 1
What did you expect?! "Security focus" in Applespeak means securing Apple's business and profits. And yes, this holds true not just for Apple.
What you are missing.......
Is that the guy in the Video wasnt using the device in an apple aproved manner, obviously any deviation from the deivce operating instructions renders the warranty null and void and will get a stern letter of warning from Apples iLawyers (or a letter telling him that the "gestures" he used to acehive this have now been patented)
4 finger swipe?
I've not watched the video, (flash issues) so don't know if it is only the home button that will relock the screen. However on iOS5 a four finger swipe up will bring up all background apps, so you could access those that way, and since once used everything stays available in the background you should get access to everything of use.
Just tested this
4 finger swipes don't work, so you're limited to whatever the active app was when you locked it.
I'd expect an OTA patch for this fairly promptly.
Four finger swipe?
Really? At some point there are going to be too many gestures for people to remember, or they'll just be too complicated to perform.
Won't work, Apple have a patent on that kind of thing so nobody's can do that without a licence.
I'd expect an OTA patch for this fairly promptly.
Ha ha ha ha ha haaaa haaaaaa.
This is Apple we are talking about. 2nd only to Oracle when it comes to shit timescales for security issues.
Would that be the functionality similar to that offered in Android? Hmmmm.....if only they could patent it?!
only a minor issue, really.
1) you can only access the app that was open when the cover was closed.
Obviously, I can't speak for anyone else, but i always go back to the home screen before locking mine anyway. (force of habit, OCD, what ever...)
2) only effects those who use a 'smart cover'. The smart function of which can easily be disabled in the settings. Seriously, is it that hard to press a button when you open the cover? The 3rd party cover i have _is_ 'smart' but after 5 mins of finding it wasn't very effective, i turned off the feature.
Re: only a minor issue, really.
> only effects those who use a 'smart cover'
The attacker can bring their own cover, or use a magnet.
The functionality of a smart cover can be replicated with a magnet, so not having a smart cover doesn't protect you - turning off the smart cover function in the preferences is the bit that's key. (But this is old news, anyway - broken last week by other sites. That said, you'd expect perhaps a fix by now...)
Only a minor issue, really
O hai guise, I heard about the feature on my front door whereby anyone can get in, regardless of using the security features built in to the door (i.e. the yale lock). Here's why the vendor is still great:
1) you can only access the hall of my house. If I've left some stuff in there, then yeah, you can get to it, but since I tidy my hall up quite a bit (doesn't everyone?) this isn't an issue.
2) only AFFECTS those who use a magnet-based sensor, and not many people have those.
Stop trolling, guise - it's not that big a deal, you're just holding it wrong!
You have just won first prize in the sycophant of the year competition
Re: only a minor issue, really.
> 1) you can only access the app that was open when the cover was closed.
That is still one app too many.
I'm missing item 3:
3) I went into great efforts to board up all the other doors in my hallway so no one can come in or out ;-)
I seem to have misunderstood your post. Are you saying that you accidentally superglued the key into your front-door Yale lock, so anyone can open it?
@D@v3 why is it that fanbois will always play down every Apple security issue. Just because your return to the home screen does not mean that everybody else does, more importantly it does not mean that everybody else *should*. However as a fanboi presumably you feel that Apple are infallible and users should work round security issues. Oh sorry, my bad. It's not a security issue is it? It's a feature and users who are at risk are actually doing it wrong. Or at least that's what the Big Jobs would tell us were he still around.
If Apple had coded this right you wouldn't need to work around it would you. It's crap coding and crap testing plain and simple.
"As enterprise IT blog BringYourOwnIT.com notes, one obvious workaround would be to instruct users to close any foreground application before locking their iPad."
Trust users with security? Surely some mistake?
- Don't leave your laptop in the boot of your car
- Don't copy customer/patient/employee data to that memory stick
- Don't read sensitive documents on the train
- Don't expose national security documents as you walk into No10
- etc ad nauseum
Get Apple to fix the bloody bug PDQ and ban iPad's for anything remotely sensitive until they do.
Don't send your readers/users email addresses to man+dog.
Sorry El Reg :-p
PS not a lot of point in posting anonymously.
It just works....
All they are going to get...
...is my last session of Angry birds.
Which tells us that you think that's all your fondleslab is good for.
I mean seriously..
Did anyone actually think the iPad2 was secure? it's hardly a business tool, it doesn't even support filesystem encryption.
My Asus Transformer supported that since the outset, and it's a standard feature in Android 4.0.
But I find it astonishing and terrifying just how often and how increasingly they are being used as proper business tools and are used to tote around really quite sensitive data more and more. Shudder ... I wouldn't even use one of these things to carry around my email or address book.
I can see a really big data infringement case soon. Of course no one will care and will carry on regardless.
First iOS patch over the air incoming soon i guess
If you have it locked on the 'home screen'. A left swipe to the search allows you to see contacts with their primary phone number. And the normal search able context.
Expect this will get patched soon enough, seems like a good test for their over the magical etherweb incremental icloud software updates.
Just press the home button before closing or turn 'iPad Cover Lock / Unlock' off for now in Settings > General.
At least Apple *will* fix it - unlike a certain Android phone I have that is locked to the network and cannot now (or will ever) be updated unless I want to root it and frig around with trying to get a newer version on.
At least you CAN unlock the phone, and it's probably fairly easily rooted, and the phone vendor won't come back and try to deliberately unroot or even brick your phone if you've rooted it.
But yeah, I guess if you're used to and really need hand holding all the time, it might be hard to understand why others might want to be allowed to cross the street on their own.
Just tried it and it works. There goes our mobile data compliance.
Those saying 'it's not a big issue' - it may not be for you, or for private users, but for corporate data protection the issue is more that the hole is there at all, rather than whether the hole is used or not.
I know the iPad2 isn't an encrypted device, but it at least enforces basic Exchange rules like password protection - or, it's MEANT to.
the fact that is cant do filesystem encryption should be enough for it to fail mobile data compliance :-|
http://www.theregister.co.uk/Design/graphics/icons/comment/wtf_32.png 5 secs to unlock it but 1min 22secs to listen to some arse talk about it.
iOS, MacOS X, and Android
The problem is that the lockout app launches when the device is awakened, not when the device becomes idle. That creates an opportunity for things to go wrong. I've had my Macbook Pro and Galaxy SII run for several seconds unprotected because the lockout application's launch was delayed by heavy filesystem I/O.
That means that the Blackberry is still the only one actually caring about security. The app launches at idle time, always.
Storm in a teacup - probably fixed in a matter of days and trivial compared to many of the bugs and poor security practices many companies and users have.
What on Earth is more trivial than being able to wake up a locked device without knowing the password?
Whats more trivial? Oh I don't know...
possibly the numerous amount of malware infested freebee apps that haunt the -quite frankly dangerous- Android Marketplace.
You know, the ones that nick your bank account details, passwords and credit card numbers. Thats possibly more trivial.
It's not a big issue
Honestly, it's a consumer device with ease of use first and security some way behind. It's a single user environment so security is never going to be that hot.
You might think it's a consumer device. Unfortunately I doubt many senior managers will agree with you. Senior management like their toys and want to use them for corporate tasks and the IT department never have the power to tell them no.
I know, I know
I'm one of the people telling them No (or at least what they can and can't do).
Where is iSecure?
Apple really are embarrassing when it comes to security, especially when you consider that they're built on a BSD heritage.
The changes are obviously all fluff and no substance, like the girl that looks great but struggles to add 2+2.
"Those saying 'it's not a big issue' - it may not be for you, or for private users, but for corporate data protection the issue is more that the hole is there at all, rather than whether the hole is used or not."
Didn't you see this previous post:
"Just press the home button before closing or turn 'iPad Cover Lock / Unlock' off for now in Settings > General."
Frankly with most users setting the password to 5555 or 0000 or 1234 it's unlikely to be a big issue (when of course that would give them access to the whole device and not just your Angry Birds / home screen etc.).
People make out as if this is a mega issue when not educating users about proper security - i.e. not allowing unauthorised access in the first place or setting a decent password.
Plus it will be fixed and probably pretty quickly.
How many people do not use password protected / encrypted USB drives?
It just wo.. Wait, what? You're shitting me? You're not? Scratch that...
Settings -> General -> iPad Cover Lock/Unlock
Set to Off, wait for patch.
Tricky one that.
I bet Apple have a patent on this and will sue the ass off anyone who dares consider implementing a security flaw. Or.. maybe they missed the opportunity and there is an opening (prior art being completely missing from the US patent system) for Samsung to patent security flaws then force Apple to drop their suits on the Galaxys. They only need to wait 5 weeks for Apple to fail yet again on the security front.
Sure, there are many ways to prevent this issue; but at the end of the day it is still an issue. Systems security is paid to prevent problems (forecast them, if you will).
In hindsight there is ALWAYS a way to get into any system/product. If your job is to PROTECT something & your measures have been found failing then it's on the Sec.
People poke holes in any/everything and at the end of the day someone has to pay for those decisions. Don't blame Micosoft or Apple. The persons that decided easy vs secure & thought they were taking the easy route are to blame.
Look to the Admins and their greasy, "keep my job because I deserve it" attitude. Truly secure products do exist, but they don't dominate the "fandom" entry level staff. Real security means people telling their bosses, staff, etc NO. That's where most IT folks fall down. They're not interested in security, or even their jobs, they just don't have the stones to say no.