Second iOS Lock screen bypass discovered, doesn't really expose filesystem

A couple of weeks ago a bug was discovered in the iOS 6 lock screen that allowed a person to access the Phone app, make phone calls, and get at a user’s contacts, without entering a passcode. Now a new, similar bug has been found, but it is being reported that this one will actually allow you to read from and write to the device, with unauthorized access to the filesystem. However, this does not appear to actually be the case.

A video posted to YouTube on the 15th demonstrates two suspected bugs. The first shows how to bypass the lock screen to access the phone using a series of well-timed button presses, and is similar to the original bypass method reported a day earlier. The second glitch is similar but slightly harder to accomplish: rather than resulting in access to the Phone app, the screen goes completely black except for a normal status bar at the top of the screen. With the phone in this buggy state, the user can plug their iPhone into a computer and browse the device's filesystem, never having entered the device's passcode.

At first glance this does seem to be a bug that allows unauthorized access to your device's filesystem, but something isn't right here. Apple invests a lot in securing their devices, and one of the selling points of the iPhone is its ability to encrypt its contents. As Apple details in their iOS Security paper, depending on the type of file, part of its encryption may include using the device's passcode. It's not that it would be completely impossible for there to be a bug in iOS where Apple blundered their security so badly that it completely bypassed a user's passcode and any encryption; it just doesn't seem likely.

It makes sense that a bug could occur that lets somebody bypass the passcode to access the Phone app. The Phone app has to be accessible whether a device is locked or not. Users need to be able to make emergency calls, and the iPhone needs to be able to show you who's calling; it needs access to your contacts without you needing to enter your passcode. This kind of bug is completely different from one that would allow unauthorized access to all of the data on your device. So how is it that the person in the video is able to access their filesystem without entering the passcode?

The first time you plug a locked device with a passcode set into a computer, iTunes will display an error saying the device has a passcode set. You will be required to unlock the device before iTunes, or any application, can access the contents of the device. With the device plugged in, once you enter your passcode, iTunes will never require you to enter it again. iTunes has some mechanism in place that will now allow your computer to talk to the device, even when the lock screen is present. Had the person in the video plugged their device into a computer that it had never been plugged into before, they would have been met with an error message instead.
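The trust behaviour described above can be written as a small model. This is an added example, not Apple's implementation or code from the video; the class, method and host names are hypothetical, and pairing is simplified to "first connection while unlocked".

```python
# Simplified model of the host-trust behaviour the article describes.
# Not Apple's implementation: every name here is a hypothetical stand-in.
from dataclasses import dataclass, field


class PasscodeRequired(Exception):
    """Raised when an untrusted host connects to a locked device."""


@dataclass
class Device:
    passcode: str
    locked: bool = True
    lock_screen_glitched: bool = False  # the black-screen state from the video
    trusted_hosts: set = field(default_factory=set)

    def unlock(self, attempt: str) -> bool:
        if attempt == self.passcode:
            self.locked = False
        return not self.locked

    def lock(self) -> None:
        self.locked = True

    def connect(self, host_id: str) -> str:
        """Return 'filesystem' if this host may browse the device."""
        if host_id in self.trusted_hosts:
            return "filesystem"  # paired earlier: allowed even while locked
        if self.locked:
            # The UI glitch never unlocks the device, so it changes nothing here.
            raise PasscodeRequired(host_id)
        self.trusted_hosts.add(host_id)  # first unlocked connection pairs the host
        return "filesystem"


def scenario(host_previously_paired: bool) -> str:
    """Replay the video: glitch the lock screen, then plug into a computer."""
    phone = Device(passcode="1234")  # constructed sample passcode
    if host_previously_paired:
        phone.unlock("1234")
        phone.connect("owner-laptop")
        phone.lock()
    phone.lock_screen_glitched = True
    try:
        return phone.connect("owner-laptop")
    except PasscodeRequired:
        return "error: passcode required"
```

In this model the glitched flag is never consulted when deciding access; only the earlier pairing matters, which is the article's point.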

The lock screen bugs definitely pose a security threat, and one that Apple has already promised to fix. A bug that would allow an average user to bypass the passcode entirely and gain complete access to a user’s data would be on an entirely different level and pose a much greater threat. Such a flaw may be found in iOS one day, but today is not that day.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

Reader comments

8 Comments

I have to ask, if this was an Android issue would you still call it a "bug" or "glitch" or an outright security problem? My suspicion is you would call Android out as being less secure and based on what has been found in iOS Apple in fact made errors and it is not as fully secure as it should be.

Now I will also say the fact that Apple controls the iOS updates they can in fact patch their system easily unlike Android which the Carriers delay and block updates on in an effort to ship new phones and ignore older models that are a few months old.

Still call it what it is, a pair of security holes in iOS and don't downplay it.

Can't speak for the author, but I wouldn't. A security issue that requires physical access to the device, and the current password to have been physically typed at least once? I don't care the platform or OS. It is a relatively low risk item. One I would allow any os/device a brief period of time to fix. An issue? Yes. As the author states "The lock screen bugs definitely pose a security threat, and one that Apple has already promised to fix."

I tend to agree. I value computer security generally, but I'm failing to understand what is on my phone that someone would want? My bookmarks? My contacts? My todo list? I'm looking thru my phone right now and there's nothing of any value that I can think of. Most things that are 'sensitive', like a banking app, require you to enter the password.

Don't get me wrong, I get that there are some people with sensitive things on their phone, like nudie pics of themselves (or others) or passwords stored in a cleartext file. A bug is a bug and should be fixed. I just wanted to throw out the devil's advocate of who the hell cares.

I now expect to be thoroughly reprimanded on the obvious stuff I may have missed :-D

"I value computer security generally, but I'm failing to understand what is on my phone that someone would want?"

Your Dropbox documents, your Sugarsync documents, your emails with your credit card details, the photos of various documents you have taken, the information regarding who your colleagues are, for hacking by social engineering, your IMs with specific persons for the same reason, and so forth.

Why do not employers just force a policy requiring a WP device where encryption is done correctly and can be controlled remotely? iPhone is a consumer device and these elementary security flaws evidence that.

Different people have differing amounts of sensitive materials on their phones, but wouldn't access to Dropbox and Sugarsync (whatever the hell that is) require a password to be entered? I agree it's a security risk but not nearly as bad as it's being made out to be.

The exposure of sensitive data will vary from implementation to implementation. Exposed would be any data synced to the device since that will reside on the file system. Also, in the past Dropbox had a security issue where they stored a file with an authentication key on the device. This meant if an attacker had access to the file system and were able to copy that file off, they could place that file in their device's Dropbox app to then be synced with the victim's Dropbox account.