iPhone passwords not worth the paper they're written on

iPhones protected by a password aren't actually protected at all, as just by pressing a few keys a miscreant can access all the phone's functions without needing the password at all. The trick, reported by MacRumours, is simply a press of the "Emergency Call" key from the passcode entry screen, followed by a double-tap on the …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Thomas Davie
    Thumb Down

    The same bug existed in OS X for a while

    Almost exactly the same trick could be used in OS X for a while (until I reported it and it got fixed). In various versions of Panther, one could unplug your mouse at the login screen, resulting in a Bluetooth mouse pairing screen coming up. Clicking the help button on it got you into the help viewer. Searching for "iPod" got you a URL link to Apple's website which launched Safari, and finally, typing in a file:// URL got you a Finder window. All while logged in as root.

    You would have thought they'd learned

  3. Andy Barber
    Jobs Horns

    Use ActivCard...

    ...key-fob for an additional level of security, for going on the Interweb. But the Apple security on the iPhone definitely needs patching.

  4. James
    Stop

    A(nother) workaround

    This doesn't work on my iPhone - the reason being I've set mine to bring up the iPod when double-tapping home. All you get by following these instructions on my iPhone is my list of songs, which you can listen to if you so choose. Pressing Home again returns you to the Emergency Call screen.

    Agreed the particular bug highlighted above should be fixed though.

  5. Mick F
    Thumb Down

    A toy and nothing else

    This phone really is turning into a joke.

  6. PsyWulf
    Paris Hilton

    Surprised

    Okay not really...but who honestly didn't see another security hole incoming?

    Paris because she knows how it feels to have her phone invaded ^.^

  7. Stephen Kapp

    Not New... Have Physical Access = 0wned..

    This is not new, back when the 1st Gen phones were released you used these features to allow the installation and download of the early Jailbreak software. You could even use them on a phone that wasn't activated yet.

    Either way you have access to the device you can remove the pass code and dump everything off the iPhone using Mac or PC with the appropriate tools... There is a nice book in the works on iPhone Forensics from ORA that covers most of this..

  8. Bastiaan van Zwieten
    Paris Hilton

    They're not the only ones ...

    ... because my SE K800i has a similar bug.

    I don't have to unlock it to get to my Phonebook.

    Just press * and then unlock ...

    "Hey, not asking me for my code?"

    Easy Unlock = Lack of Security!

    But since no one would want to type in their unlockcode to answer a call ...

    This should be fixed though, on any phone!

    Paris?

    - Because she knows all about mobilephone security ...

  9. Mongoloid
    Jobs Horns

    doesn't work on mine

    Try as I might, I can't get this "hack" to work on my jailbroken 1st gen iPhone running 1.1.4.

    Regardless of what I set my home button to be, I can't get round the code screen/emergency call screen.

    I have noticed, however, that on the emergency screen you're quite free to dial whatever number you wish, and place a call successfully.

  10. Taomyn
    Jobs Horns

    Agreed...

    ...Apple should get back to what they're good at - creating joke products and suing the ass off anyone that even hints at copying them.

  11. Jim Coleman
    Stop

    Testing, testing

    Do Apple test their products at all? Hmmm?

  12. Matt Smart
    Happy

    Wow

    I'm quite surprised... as of the time of writing (9 posts), an Apple fanboi hasn't yet appeared to describe this as a convenient feature which all phones should have. However, give it a few hours and I'm sure the page will be full of such comments ;)

  13. James
    Gates Horns

    Jailbreaking

    The funny side-story to this is that it is, in fact, almost exactly how the early jailbreak/hacktivation trick worked! Before 'activating' the phone with iTunes, you can only make emergency calls - which means you can also access Favourites, which let you open Safari, which in turn could be used to jailbreak the iPhone through a buffer overflow. Hey presto, jailbroken iPhone, without even plugging it into a computer!

    Sadly, Apple fixed that buffer overflow early on, making jailbreaks slightly more difficult. As others have pointed out, though, once you have physical access, almost any computer's security is null and void; apart from anything else, with most systems - including the iPhone - you can simply boot from external media and use your own OS in place of the currently installed one. A trick I often have to use when users forget their Windows passwords...

  14. Anonymous Coward
    Paris Hilton

    one flaw after another

    let's just all agree this phone really is a pile of turd and stop reporting this stuff!

  15. Henry Williams

    Awesome...

    You can make an emergency phone call to anyone :) So basically, this passcode protects someone from maliciously listening to my iPod. Thanks Apple, glad you helped me dodge that one!

  16. Paul
    Joke

    RE: Henry Williams

    Means that any embarrassing music is safe then :-) No one will ever know your secret love of the Spice Girls.

  17. Anonymous Coward
    Anonymous Coward

    So what we are saying is

    that if some hoodie steals your iPhone they can then phone your contacts. Apple are such bastards. I demand Steve Jobs personally code a fix for this so that if I stupidly leave my exceptionally hoodie desirable iPhone lying around and it is inevitably stolen, then the hoodie cannot phone my women and arrange dates with them.

    You hear me Jobs you BASTARD!!!!!!!!!!!!!!!!

    Or we could just accept that (1) locking any phone is only to prevent children and / or accidental dialings and (2) once you physically have access to any hardware you own it if you want it which will lead to (3) stop being a bunch of twats.

    Thank you

  18. Anonymous Coward
    Flame

    OSX

    Reminds me of the OSX issue I discovered where if you inserted a blank optical media into the drive it would end up named as the screensaver password after someone typed it in due to it grabbing focus behind the SS password box.

    Not tried that for ages - am wondering if it still works...

  19. Edwin
    Happy

    @Lee, Bastiaan

    I think you're confusing 'keypad lock' and 'security lock'

    Keypad lock is to stop you dialling accidentally (all phones have that)

    Security lock is to keep unauthorised people away from your data (e.g. requires a code to access the device, except to answer calls)

    I got a comment from a fanbois friend complaining that people only look at the jPhone nowadays. Considering the marketing brou-ha-ha, I'd say it serves Steve right...

  20. Colin Millar
    Thumb Up

    In other news

    Government introduces mandatory BIOS passwords as new 'silver bullet' security strategy.

    Non-physical device level security is crap? Now whooda thunk it.

    And PS this MacFanboi vs PCBrigade is older hat than you might think

    From a recent report on Neanderthal/Homo Sapiens

    " scientists believe early modern humans adopted new technology more for cultural or symbolic than practical reasons"

    Neanderthals: Not stupid, just different

    http://www.guardian.co.uk/science/2008/aug/26/evolution

    Fanbois: Not different, just stupid

  21. Eric Dennis
    Jobs Horns

    Secure? NOT!!!!

    This is why the IT Department laughs at anyone who asks if they will support their iPhone. Even my Blackjack is more secure than the iPhone. It's pathetic.

  22. Anonymous Coward
    Anonymous Coward

    Bunk. Not on 2.0.2

    This does not work on my iPhone 3G running 2.0.2. My "home" button is set to go 'home' on double tap. My phone keeps me locked out.

  23. Webster Phreaky
    Jobs Horns

    Same Can Be Said About The iPhone Itself ... Worthless

    not worth the paper you paid for it.

    Exposed again .... more Apple made bugs, and the AppleTards have the tiny balls to point at Microsoft and laugh.

  24. Richard
    Unhappy

    This does work - you can read SMSs (for example).

    On 2.0.2 with double click set to "phone favs + ipod "

    Try the following :

    Lock screen -> click emergency -> double click home (takes me to phone faves).

    click on the > icon (to view contact details) -> scroll down to text message (choose any number) -> click on "messages" on top left.... Now all of my SMSs are visible... That is pretty bad all things considered :-(

    However, I still believe the iPhone is a proverbial game changer - flame ON!

  25. sleepy

    So iPhone's a joke then?

    Funny how iPhone is already selling 6 times as fast worldwide as all Windows Mobile devices put together. Resistance is futile. Prepare to be assimilated.

    This soon to be fixed "security issue" only works if you reconfigure your iPhone for home button double click to go to favorite callers, and a favorite has an email/web address in their address book entry. Cure: don't change the default behaviour of home button double-click. Any computer/smartphone is vulnerable when the attacker gets physical access. This is far less threatening than removable flash cards.

  26. Lee T.
    Stop

    fuck off webster...

    nobody cares. Any device's security is useless once you have physical access. Yes Mac/Apple products suck, in fact all software sucks and all hardware sucks. Apple's, in some cases though, sucks a bit less than others.

  27. Robert Hill

    Gotta love the flamebois...

    OH NOOOOO...my hardware has a specific software failure that can be fixed in 20 seconds (set double-tap to iPod player rather than home!) so therefore the entire hardware device must be WORTHLESS!!!!! And the company that made it so CRAPOLA!!!

    OH the humanities!!!

    But, just as a question, did all of the MS Windows XP fixes (4 at least were severe security fixes if I remember right) that I downloaded onto my PC last Tuesday mean that my PC is not safe for any business to use either??? Didn't MS TEST that shite before releasing it? Isn't the PC just a shite platform that is nothing but a money-press for MS and Intel???

    Or, rather, do we call it SOFTware for a reason.....?

  28. Jessica Werkz

    Webster phreaky - losing his touch

    Jeez Webster is that the best you can do.

    I wonder how many people have switched from a Nokia to the iPhone in the last 6 months and vice versa

  29. Michael C

    bypass trick workaround

    By simply redirecting the home button double tap to iPod instead of contacts (or turning off double tap in settings) this trick becomes useless.

    Of course, I'm sure this will be fixed quick and easy enough. Also, I don't see there being a big business in stealing iPhones as an identity theft supplement. There's not a lot you can get out of my phone by having access to my e-mail account, and I can quickly and easily enough change the e-mail password rendering that useless, and ask AT&T to unregister the sim. Without being unlocked (and erased) my data won't be accessible at all.

  30. This post has been deleted by its author

  31. Anonymous Coward
    Thumb Up

    useful...

    for all the Apple haters as 'proof' that they were right all along and that the iPhone is crap.

    Hmm, except Apple will fix it and then they'll have to find something else.

  32. Anon Koward
    Alert

    Digressing?

    I believe most of the posts wrt iPhone vs Windows mobile are slightly off track here. The iPhone, like all major smartphone products, is trying to break the stranglehold that Blackberrys have on corp usage.

    The iPhone as a product may very well dominate the personal use market, (I don't know if it has or if it will etc), but you won't see any major tech-heavy spending company invest in an iPhone until it tightens its security.

    The Blackberry whilst not as pretty as all the smartphones out there is the workhorse of big companies and Apple wants a cut but looks like it has a long way to go..

  33. Zmodem

    one for barry down the pub

    probably somewhere to set your own combination, most phones you find something new a year later

  34. Michael

    Well, yes

    While it's true that if you have physical access to a machine, you can break into it, there's an important clause missing: "given enough time". It takes time to break into a password protected motorola Q, or palm treo. And/or specific equipment to hack it quickly. The problem with the iPhone is it does not take any specialized knowledge or equipment, and doesn't take much time. Less than two seconds with a device and you're in? Try that with other smartphones.

    Saying that "physical access of course means the device will be compromised" does jack diddly squat to mitigate the fact that this is a painfully easy iPhone hack. I venture to say if this were a windows problem, the mac fanboys would be all over it like white on rice... Let's not be hypocritical now...

  35. Lantz

    Feature Rich

    This is a convenient feature which all phones should have.

  36. c

    this one is huge

    Many people are missing the point here. This trick works when you have a policy based password enforced from an exchange server when you connect to a corporate e-mail system. This is quite simply huge. No corporate in their right mind would allow these things on their network now. Words can't describe how huge a hole this is. Stunning incompetence!

  37. heystoopid
    Paris Hilton

    So

    So goes the ad PC to Mac "Your Phoney or my Phone to call Paris tonight ?" !

  38. Andy Worth

    @Fanboi....

    "Any device's security is useless once you have physical access."

    While it "might" be possible to break into more or less any device and retrieve data from it, at least sometimes it actually takes a bit of effort or equipment/software. This "back door" can be achieved in the time it takes you to go to the toilet, without even removing your phone from the table you left it on.

    I am sure they will fix it soon(ish) but it IS a pretty big oversight, and if it were an MS product then there'd be about a million Apple fanboi's saying exactly the same things.

  39. Anonymous Coward
    Paris Hilton

    It's a feature.

    It has to be, it's a design feature for all those fanbois out there, after all, they were all deemed too stoopid to cope with more than one button on their mouse.

    Imagine how busy Apple's helpdesk would be if the acolytes had to cope with a *secure* platform and password protection that worked.

    Proud to have persuaded my directors that the jPhone is a worthless toy that has no place on a corporate network.

    Paris, because I bet she has a Mac and a jPhone.

  40. Walking Turtle
    Coat

    So Why Must Fashion Outpace a Development Cycle?

    Hm... So might we consider, dear Apple, simply refusing to release any other hardware product model of any kind in its class until the little beast's SOFTWARE is (at last) properly sorted? It seems that the interruptions imposed on the product's natural lifespan by dint of "Marketplace Competition" and "needing" to show something new every year at Comdex just might be contributing to the multiple incompetent intermediate results, y'see. Not the first time I've seen this sort of thing.

    Believe me, it is irksome to one's soul to consistently find that some bit of perfectly good hardware kit's been sent off to the Big Knacker in the Clouds (too often by way of dustbin) on the "inexorable" whim of fashion. Year after dreary year, perfectly good kit's rendered as utterly obsolete as last year's Little Black Dress, now replaced by This Year's NEW Little Black Dress (Soooo much moooore sleek! Soooo much more deSIREable!) arm-in-arm with a whole NEW array of "Fashion Malfunctions", as is inevitable when the New Little Sexy Toy is every year just engineered in such a manner as to need a whole new from-the-ground-up set of soft, alluring little slooshy-bits to make its pretty little brain go at all.

    Divergent but related: There's an old-school child's-warning that seems to have fallen overboard these fast-living big-money days: "You are taking your life into your own hands (with that thing)!" With one of these little all-in-one woop-dee-doo handy-dandies, I need no longer confine my life's risk-taking to the occasional weekend.

    Now I can pay a fat retail fee to be at risk at all times! And I only need stop paying when the Fashionable Personal Risk Module of Choice is no longer in my possession, and I awaken having been all hollowed out and eaten alive overnight by some soddy chav with a couple o' tricks up their grubby sleeve at last!

    How cool is that???

    At base, thinking about it while regarding my ancient (at three years, ancient!) Nokia non-folding phone-only pocket cellie with some affection, it makes no sense to me to place the vast bulk of one's own life and livelihood into something so small and readily cracked/mined/resold that any lapse at the restaurant or pub of choice puts the whole portable easily-palmed thing on the "Free Market" to be profitably abused at another's criminally Puckish will. Then to pay hundreds (plus monthly) for the privilege of placing one's own life, fortune and sacred honor (now written in silicon) in the way of such harm in such a fashionable manner?

    At least "Cloud Computing" Web apps seem to offer similar risk-levels from time to time for no fee. Now I can run my whole business this way! (Not.)

    In the final appraisal: I'd have to be a sleek, shiny-painted, metal-arsed flawless quad-core purple-black wall-insensitive robodroid myself (and running on Linux Kernel 4.8.32.1(a) at that; nothing less mature and robust is so very likely to succeed imho) before I'd be ever able to *100%* reliably deny *all* others the "pleasure" of the plunder. But it's latish, and I do ramble a bit. Should be off now. Decent ale, eh?

    Um, there's no phone in that coat of mine, Mate. It's in its holster, like my keys in my pocket, which are likewise a well-tethered part of MY BODY. Now from the OTHER holster, I do insist that you slowly put that nice warm well-worn coat of mine straight back where you found it... You are already wearing what I presume is your own... Now be off and begone.

    Hardware. Sometimes one can bluff it with a bit of gas pipe, a bar of soap, some shoe-polish and just enuf /chutzpah./ Just don't go out with it, then come back without it. (Arr-rrr-rr-r.)

  41. Jessica Werkz

    @it's a feature

    Well done for persuading your directors that the jPhone has no place on a corporate network. I bet the directors use the jPhone themselves though.

    Corporate phones do need a lot of locking down to protect the network from their own users who, let’s face it, do require a lot of hand holding, just to save their hapless selves from busting their own phones or the company network. How the endlessly updateable jPhone would ever fit into that situation beats the heck out of me. The admin guys would want to push apps to the jPhone and have total control of what’s on it and they aren’t gonna like the idea of any user downloading apps from the Apple store directly to the phone let alone the user updating their jPhone with music, podcasts and TV programmes and films from iTunes, never mind ripped own movies and own setup personal email. Just can’t see that happening. Best leave the poor workers with their locked down and tedious Blackberrys.

    And all this just to get office email when I’m at home or on holiday! Am I missing something here?

  42. Anonymous Coward
    Anonymous Coward

    @Walking Turtle

    Are you on drugs?

  43. Anonymous Coward
    Paris Hilton

    @Jessica Werkz

    No, my directors don't have jPhones (at work anyway) but they're a utilitarian bunch who realise that function is almost always more important than form.

    Their philosophy is that you don't buy a gold plated turd when a perfectly decent spanner will do the job more easily and efficiently.

    Blackberry may be tedious but it's functional, reliable and easy to use for all but the dumbest user.

    BTW, if you need to get your email on holiday then yes, you're missing a life ;-)

    Paris, because the 'feature' is for people like her.

  44. alan

    @Walking Turtle

    Are you Steve Jobs?

  45. Jessica Werkz

    @Walking Turtle

    I think he plays World Of Warcraft and takes it very seriously
