
Secret Button Sequence Bypasses iPhone Security - georgecmu
http://www.wired.com/threatlevel/2010/10/iphone-snoop/
======
Xuzz
(Note: this is a pretty technical post.)

The iPhone's passcode is pretty superficial. Only the UI code actually
enforces it, and this is one of the results of that distinction. In fact, when
you unlock, you are still viewing the same process as you were before it was
unlocked. It just called the "_unlockWithSound" method and set an internal
state to unlocked.

Edit: as pointed out to me on IRC by comex (author of JailbreakMe), there is
lower-level protection in the "lockdownd" service, but since the UI controls
that, it doesn't really provide any additional security, except that it blocks
iTunes syncing and such.

However, with this "hack", you are still locked, so you can't do anything like
opening apps (again, the UI process locks opening apps, as part of their
"security"). But, I did some experimentation, and here's what I found for
impact:

- You can read and edit contacts, of course.
- I am not sure if phone calls work, but they didn't appear to.
- While clicking an email address does nothing, clicking "send contact"
  lets you send an email to whoever you want, custom address and all.
- You can view all the photos by pressing "add photo" on a contact you edit.
  You can also take new ones, saved there.
- You can send SMS and MMS using the same method as for email, but selecting MMS.
- You /cannot/ enter Safari or go to the homescreen, unless someone finds another
  similar "hack" to exit the app, as then you could see the icons
  (but, as the "is locked" flag is still "true", it won't let you launch apps).
- FaceTime doesn't seem possible.

This is a serious issue, and with the publicity it already has, I would only
expect Apple to fix it (with a 4.1.1 firmware release, of course, I don't
expect them to care about their iPhone 2G owners back on 3.1.3) within two
weeks. However, if they want to fix this, they need to redesign the workings
of the lock screen. The current way it works is incredibly simple to
circumvent.

Finally, on an unrelated note, the same exploits used in the jailbreak tools
like "greenpois0n" and "PwnageTool" can be used to get around the passcode and
get full filesystem access, or just remove it altogether. But you do need a
computer for that, which you don't with this.
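
As an added illustration (not code from the post, from Apple or from iOS), the design point Xuzz makes, modelled in Python: a lock that is only a flag in the UI process, where any screen that forgets the check exposes the data, beside a store that refuses reads unless the caller presents a token issued at unlock time. The PIN, contact list, class and method names are constructed for the example.

```python
"""A passcode lock enforced only by a UI flag (the design the post describes)
beside one where the data layer refuses every read without an unlock token.
Added illustration, not iOS or Apple code; PIN and contacts are constructed."""
import secrets
from typing import List, Optional

CONSTRUCTED_PIN = "1234"
CONSTRUCTED_CONTACTS = ["Alice <alice@example.invalid>", "Bob <bob@example.invalid>"]

class UiFlagPhone:
    """Lock state is a boolean the UI flips; every screen must remember to check it."""
    def __init__(self) -> None:
        self.locked = True
        self._contacts = list(CONSTRUCTED_CONTACTS)

    def unlock(self, pin: str) -> bool:
        # The post's "_unlockWithSound": same process, one flag flipped.
        if pin == CONSTRUCTED_PIN:
            self.locked = False
        return not self.locked

    def launch_app(self) -> str:
        if self.locked:  # the check the post says still blocks the home screen
            raise PermissionError("locked")
        return "springboard"

    def emergency_contact_card(self) -> List[str]:
        # A second UI path into the same data that never consults the flag.
        return list(self._contacts)

class TokenGatedStore:
    """The data layer issues an unlock token and refuses reads without it."""
    def __init__(self) -> None:
        self._token: Optional[bytes] = None
        self._contacts = list(CONSTRUCTED_CONTACTS)

    def unlock(self, pin: str) -> Optional[bytes]:
        if pin != CONSTRUCTED_PIN:
            return None
        self._token = secrets.token_bytes(16)
        return self._token

    def lock(self) -> None:
        self._token = None  # invalidates every outstanding token at once

    def read_contacts(self, token: Optional[bytes]) -> List[str]:
        # Whichever UI path reaches here, no valid token means no data.
        if self._token is None or token is None or not secrets.compare_digest(token, self._token):
            raise PermissionError("locked")
        return list(self._contacts)
```

With the flag design, the contact card path returns data while `locked` is still true; with the token design the same path fails until a real unlock happens, and re-locking revokes the token for every path at once.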

~~~
jacquesm
Does this really qualify as pretty technical? It's not exactly the guts of
Haskell or Clojure or something like that.

~~~
whimsy
I think it's a fair assertion. It's not especially necessary for the HN crowd
since we're largely technical folks, but not everyone here does software,
right? It does assume a little familiarity with some abstract software
knowledge.

~~~
jacquesm
I've seen some stuff come by here that was essentially Swahili to me that
carried no such warnings :)

~~~
Xuzz
I'm new here, but my reasoning was that it seemed a lot more technical than
what else was being posted in that comment thread. Most of that seemed to be
"is this a big deal?", not "why does this work?". I'm still learning, so is
that kind of "disclaimer" something to avoid?

~~~
whimsy
I don't think anyone's going to honestly yell at you for disclaimers if you
feel you need them, but I think it's safe to assume that the folks here know
how to use Google and Wikipedia and are fairly smart.

So long as you're not talking about something extremely esoteric relative to
the sort of stuff that shows up here on a regular basis. I would feel
comfortable referring to the Sieve of Eratosthenes in an offhand manner.
Anyone on HN can probably look at the Wikipedia page and figure out what's
going on.

If I refer to Negishi coupling, on the other hand, I should probably try to
explain what they are and it might be prudent to provide a disclaimer that I'm
going into esoteric O-chem stuff.

Cool?

~~~
Xuzz
Thanks!

------
kvs
Reminded me of Epic Windows 98 Logon: <http://i.imgur.com/JPxql.gif>

------
tptacek
It's actually worse than the article suggests; from the phone app, you can get
to Mail and SMS (Share Contact); from SMS, you can get to the phone's camera
roll; I'd be surprised if URL expansion didn't get you to Safari via Mail or
SMS.

On the other hand, it's not like the keypad lock was Fort Knox. I don't even
bother with it normally.

~~~
chrisbolt
Just tried it, tapping URLs, email addresses, and physical addresses in the
contact list doesn't do anything for me.

~~~
Xuzz
You can, however, use the "share contact" button to evade that.

------
archangel_one
This reminds me a little of jwz's comments on xscreensaver + toolkits:
<http://www.jwz.org/xscreensaver/toolkits.html>

Although, while I don't really mind xscreensaver's unlock screen, I don't
think Steve Jobs would give it the thumbs up :)

------
ssclafani
It's been fixed in the 4.2 beta.

~~~
jayphelps
True, but nonetheless hilariously bad mistake.

Really, this is only a security threat to your tech savvy gf/bf/friend/thief
since it requires physical access. And you know what they say anyway:

Law #3: If a bad guy has unrestricted physical access to your computer, it's
not your computer anymore

~~~
icegreentea
It'll make corporate iPhone users (well, more the IT departments really) think
twice (again??) about their iPhones on their network. For all the crap that
RIM gets, they do get the whole corporate environment and security lock down
thing right.

~~~
sprout
I think iOS was already on every sysadmin's shitlist for quite a while. I
remember some of my friends on the networking side complaining a good deal
about the iPad's DHCP lease shenanigans.

------
IgorPartola
I don't know about others, but I feel that the iPhone is a terrible phone to
use in an emergency. I currently have a 3G which contributes to this, but it
takes me at least 30 seconds to go from holding the locked phone (I have no
pass code on it) to actually hearing the ring tone. I've had to dial 911 twice
on it and it was not a quick experience and since the second time it was for
someone who crashed their car head first into a tree right outside of my back
yard it was kind of critical that I dial quickly.

------
a2tech
After maybe 30 seconds it automatically returns to the lock screen; in fact, I
was barely able to get to a contact before it locked again.

~~~
extension
Really? I'm seeing something very different. Not only is it not timing out,
but I can't even lock it again manually. Neither the home button nor lock
button do anything (except take a photo if I press them both, which I just now
discovered).

EDIT: I can re-lock it by holding Home to get to voice control, then
cancelling that and pressing Home or Lock.

EDIT2: It takes a screenshot, not a photo. Damn, photo would be way more
useful.

------
bradfordw
up-up, down-down, left-right, left-right, b, a...

------
sliverstorm
Am I the only one who thought "wait, the iPhone only has _one_ button..."

------
eyeareque
I can't seem to replicate it, but one time I was able to get to the home
screen by double clicking the home button, switching to a different app, and
then pressing home a single time to return to the home screen.

------
bsk
If you need a secure phone get a Blackberry ;)

------
davej
By the way you can dial anything, it doesn't have to be three pound signs.

------
wazoox
Doesn't work on the 3 jailbroken 3G/GS iPhones I tried (3.2 firmware).

------
tyrelb
Works for me! I wonder how many accidental 911 calls will be made from trying
this...

~~~
cmelbye
None, unless you enter "911" for some reason. If you type "###" it just says
"Emergency calls only."

------
iAmSpartacus
Works on my 3G!

------
vidar
Locks only keep honest people out.

------
MrFlibble
Sure it's a neat backdoor, but does it play Global Thermonuclear War?

------
staunch
This is one of those rare kinds of mistakes where I really believe someone's
head should roll. They gave away the privacy of potentially millions of
people. It will have real world consequences for some of them.

~~~
jayphelps
If you know someone who would do malicious things with your contact list, I
think you've got bigger problems.

And playing devil's advocate, sure a thief could steal your phone and use this
exploit (if he even knew about it), but what's he going to do with the contact
list? If someone steals your iPhone, they did it to wipe it and resell it.
There are much, much easier and less risky ways of getting large lists of
people's contact info if that's what they're after.

Programmers make mistakes. Saying they should get fired over this is a bit
silly, IMO.

EDIT: I'm not trying to downplay the seriousness. It's definitely serious.
I've known some people who would use this against their "cheating" girlfriend
in a heartbeat to see who they've been calling. But I seriously doubt anywhere
close to millions will be affected.

~~~
uptown
Okay, how about this scenario. Someone with access to someone's office steals
their phone and sells it or its information to the highest bidder. I used to
work in the same building as FOX News. One day Rita Cosby's Blackberry showed
up in our office space ... totally separate elevator banks, different floor,
different everything. Our best guess was that someone from the cleaning crew
grabbed it, got scared, and ditched it, but someone with other motives could
do some serious damage in a day where smartphones provide portable access to a
massive amount of personal and private information.

~~~
pavel_lishin
Alright, say this glitch didn't exist.

Are you telling me that a sufficiently motivated entity couldn't get to the
data stored on the phone? Once you have physical access to a device, things
like this kind of become moot anyway, don't they?

~~~
uptown
Sufficiently motivated? Absolutely. But I contend there's a huge difference
between something that takes technical skill to obtain versus something
demonstrated on YouTube and is simple enough that my mom could make it happen.

~~~
pavel_lishin
Well, hang on, that's not fair. Your first example cited selling a device to
someone vastly interested in obtaining extremely valuable data - imagine this
happening to President Obama's iPhone. But now you're saying that the concern
is coming from someone who can figure this out by watching a YouTube video.

~~~
uptown
They're not mutually exclusive. Now there's just an easy hack that both can
use to get past the security mechanism.

