2008-08-30

iPhone security problem.

My colleague Matt pointed out that the iPhone has a security problem related to the feature that allows you to make emergency calls. This allows a user to bypass the PIN and gain access to the whole phone by way of the contact list. I don't remember the exact details and I don't have an iPhone myself, but Matt demonstrated the security hole and it was trivial to use. You do not need any special software or to hook up the iPhone in order to bypass the security.

I am assuming that this problem is present in 2.0.2 since the iPhone was purchased about a week ago.

The conclusion is that Apple really need to rethink the way they protect the iPhone and the iPod touch and they need to come up with a solution quickly. Given that it would provide access to your email accounts and other potentially sensitive systems, this makes the iPhone a definite risk factor.

If you lose your iPhone all your email is available to anyone who finds the iPhone.

If you can provide some details on this problem, feel free to leave a comment and if need be I'll update this blog posting to summarize.

2 comments:

  1. When presented with the "Enter Passcode" screen, there is a button labeled "Emergency Call" on the numeric keypad. I guess you are required by law (or something) to have a way to make such calls from locked phones. The problem is that when you push "Emergency Call" you go to the phone interface; here you can double-tap the home button, which by default gives you your phone favourites. And from each of these you can go to their address book entry. Now, if they have a URL, you can click it and Safari opens. Or, you can click their mail address to launch Mail, and cancel sending a new mail, which takes you to the mail accounts view...
    The "official" workaround is to reconfigure the double-home-tap. But I guess the fix should be to only present you with the numerals "1", "1", and "2", in that order, when wanting to dial an emergency call.

  2. vlarsen:

    thanks for the details! actually, I think that the emergency call feature should allow for a set of pre-defined telephone numbers to be defined -- or is there now just one emergency number for all emergency services in Norway?

    in any case, I think this could be improved. I know that the police have a separate number for non-emergency situations here in Norway, for instance. although not mandated, it should be accessible without unlocking the phone.

    a great solution would be to have an "emergency app" which will present the user with a UI that helps the user contact the appropriate emergency service based on which country the phone is in. possibly with some basic instructions for when it would be appropriate to use them.

    (TomTom have an interesting "I need help" application which offers a range of options -- including calling the police/an ambulance/etc as well as providing the user with directions to the nearest police station / hospital / doctor etc. it also provides an easy to use description of where you are)

    (while we are on the subject: there should also be a "notify the owner I have his/her phone" app to make it easier to return a lost phone to its rightful owner)
