Apple’s Internet security has come under attack in recent days, with an outbreak of compromised Mac computers for business professionals within the last week or two. Now, to add to the Macbook hacker incident as well as a first passcode bug, Apple can now throw in a second passcode bug for iOS6.1.
The bug is similar to the first in that you can access user information without a passcode; however, where it differs from the first is that, whereas the first passcode bug allows access to user contacts and phone information through a combination of numbers pressed, the new passcode bug allows access to all of your iPhone’s info without entering a passcode of any sort. All you need to do for the new vulnerability is plug your device into the computer’s USB port.
I encourage you to watch the YouTube video posted on this passcode bypass. The video is titled “Apple iOS v6.1 (iPhone 5) – 2 Mobile Pass Code (Auth) Bypass Vulnerabilities #2013.” I have watched the video and have some insight to offer on this vulnerability. First, keep in mind that the vulnerability involves what is known as the “emergency call” button on your passcode lock screen as well as your power/standby button at the top right of your iPhone (this is the case regardless of your iPhone model). You do have to press the emergency call number, dial it, then hang up, and then dial it on the passcode lock screen page while holding down the power/standby button. When you press emergency call the second time, it allows access to your contacts, voicemails, and all — all of the things you see on your normal screen when you open your phone application. All of this is made possible by the fact that the smartphone is “smart” enough to think that you’re in an emergency (since you pressed the call button); what will it do in an emergency? It will bypass the passcode (since you need immediate access and may not be able to remember it) and grant you access. The problem with this neat idea is that, just as you can press it and gain access, so can a hacker. If a hacker wants to get into your phone, all he or she needs to do is perform the same steps to get access to all of your contact information.
One tech writer argues that this supposed iOS vulnerability is no vulnerability at all, but rather, a ploy designed to scare iOS users. Nick Arnott of IMore writes:
“It makes sense how a bug could occur that let’s [sic] somebody bypass the passcode to access the Phone app. The Phone app has to be accessible whether a device is locked or not” (Arnott, “Second iOS Lock Screen bypass discovered, doesn’t really expose filesystem”).
As for the iTunes issue, however, Arnott says that the hack does not expose the iTunes system, since iTunes requires a passcode combination when it accesses a new smartphone it has never accessed before. For Arnott, the individual in the video could access iTunes because, regardless of the phone passcode, iTunes had already accessed his information before and did not need to do so again:
“With the device plugged in, once you enter your passcode, iTunes will never require you to enter it again. iTunes has some mechanism in place that will now allow your computer to talk to the device, even when the lock screen is present” (Arnott, “Second iOS Lock Screen bypass discovered”).
Arnott is right to say that some measure is in place by which this works. I have an unlocked iPhone 4S running iOS6.1.2 and had never placed a passcode on the phone. I placed one on it recently, then connected it to iTunes, and was able to access my information without entering the passcode in iTunes itself. True enough. But the problem lies in the fact that iTunes can be accessed without a passcode after the first time. If Arnott is right, and the first time requires a passcode entered, what about the second time, and the third, and the fourth, and so on? Is it necessarily a good thing to allow ease of access after the passcode has been entered once? If someone steals your MacBook Pro and your iPhone 5, and attempts to access your information, can they still enter iTunes and gain access to all your photos and personal info? They can. This is still a problem, since hackers or thieves can also steal your computer and use it to gain access to your iTunes information, photos, address book, contact list, and so on.
Last but not least, what about the fact that, should a hacker get pass your lock screen passcode, he or she can then access all of your information in iTunes (after the passcode has been bypassed)? If the passcode is set and the lock screen is locked, he or she may not be able to gain access the first time. However, if the passcode has been bypassed, and there is no lock on the screen (no auto lock, passcode has been bypassed and access to the phone app granted), is it not the case that a hacker can connect to iTunes and download everything? At this point, iTunes believes that the user is the legitimate phone owner, since the passcode has been bypassed. What will prevent a hacker from pretending to be the legitimate owner and hacking into photos, contact lists, and personal info?
I think the video was made to educate people about how easy it is for their devices to be hacked into. At the same time, it helps you see that iOS is no more secure in its user protection than Android or Windows. It has security bugs and problems of its own, and these should be acknowledged. Apple is improving its Internet security (as seen with the recent iOS upgrades and the frustrations they create for jailbreakers), but it still has a long road ahead. All it takes is for a thief to watch a few YouTube videos; the moment he or she does, your assumption of personal protection will vanish.