Second iOS Lock screen bypass discovered, doesn't really expose filesystem
A couple of weeks ago a bug was discovered in the iOS 6 lock screen that allowed a person to access the Phone app, make phone calls, and get at a user’s contacts, without entering a passcode. Now a new, similar bug has been found, but it is being reported that this one will actually allow you to read from and write to the device, with unauthorized access to the filesystem. However, this does not appear to actually be the case.
A video posted to YouTube on the 15th demonstrates two suspected bugs. The first shows how to bypass the lock screen to access the phone using a series of well timed button presses and is similar to the original bypass method reported a day earlier. The second glitch shown is similar, but slightly harder to accomplish and rather than resulting in access to the Phone app, the screen goes completely black with the exception of a normal status bar being present at the top of the screen. With the phone in this buggy state, the user can plug their iPhone into a computer and browse the devices filesystem, never having entered the devices passcode.
At first glance this does seem to be a bug that allows unauthorized access your device’s filesystem, but something isn’t right here. Apple invests a lot in securing their devices, and one of the selling points of the iPhone is its ability to encrypt its contents. As Apple details in their iOS Security paper, depending on the type of file, part of its encryption may include using the device’s passcode. It’s not that it would be completely impossible for there to be a bug in iOS where Apple blundered their security so badly that it completely bypassed a user’s passcode and any encryption, it just doesn’t seem likely.
It makes sense how a bug could occur that lets somebody bypass the passcode to access the Phone app. The Phone app has to be accessible whether a device is locked or not. Users need to be able to make emergency calls, and the iPhone needs to be able to show you who’s calling; it needs access to your contacts with you needing to enter your passcode. This kind of a bug is completely different from one that would allow unauthorized access to all of the data on your device. So how is it that the person in the video is able to access their filesystem without entering the passcode?
The first time you plug a locked device into a computer with a passcode set, iTunes will display an error saying the device has a passcode set. You will be required to unlock the device before iTunes, or any application, can access the contents of the device. With the device plugged in, once you enter your passcode, iTunes will never require you to enter it again. iTunes has some mechanism in place that will now allow your computer to talk to the device, even when the lock screen is present. Had the person in the video plugged their device in to a computer that it had never been plugged in to before, they would have been met with an error message instead.
The lock screen bugs definitely pose a security threat, and one that Apple has already promised to fix. A bug that would allow an average user to bypass the passcode entirely and gain complete access to a user’s data would be on an entirely different level and pose a much greater threat. Such a flaw may be found in iOS one day, but today is not that day.