New iPhone Exploit Exposes User Data… Sort of

| Analysis

There's another iPhone passcode security hack. Yep. Two, now. A second iOS 6.1 lock screen bypass vulnerability for the iPhone has surfaced, this time claiming to give unauthorized users access to the files on your smartphone. Unlike the earlier lock screen exploit, this one also has users connecting their iPhone to a computer via USB to gain access to user data, but not everything about this hack adds up.

The new exploit has the potential to give attackers access to your iPhone's content, assuming they have your device in hand, according to Christopher Brook from the security software company Kaspersky. He said,

The first half of the exploit borrows heavily from last week's vulnerability – and the Lab notes this in the caption of the video that documents its proof of concept ("already release by other researcher"). It's the second bypass – which can be achieved by holding down the power button, the screenshot button and the emergency button – that's interesting; as it makes the phone's screen, minus the top bar, go black. From there it can be plugged into a computer and the information can be harvested via iTunes from the phone's hard drive with read/write access.

In theory, someone could take your passcode-locked iPhone, perform a series of taps and button pushes, connect the device to a computer, and then access all of your personal data.

The problem with this hack is that the data on a passcode-locked iPhone is encrypted, and unless the built-in security features in iOS allow for the hack to unlock the encrypted data, it shouldn't be accessible. iMore's Nick Arnott summed it up nicely when he stated, "It's not that it would be completely impossible for there to be a bug in iOS where Apple blundered their security so badly that it completely bypassed a user's passcode and any encryption, it just doesn't seem likely."

Connecting a passcode-protected iPhone to a computer via USB causes iTunes to show a dialog asking you to unlock the device so that it can access its contents; once that's done, iTunes should always be able to read the device's contents without unlocking again.

What seems more likely with this new exploit is that it exposes the Phone app and Contacts -- necessary for incoming calls to match to your address book entries -- just as the earlier exploit does. Seeing the rest of the phone's data was probably possible simply by connecting to a computer that had previously been granted access to the device.

While any security weakness that gives someone access to your contacts and the Phone app without permission is a serious issue, it doesn't look like this new exploit poses much more of a threat than the earlier one.

Apple has promised that an iOS 6.1 update will patch the lock screen access flaw, although there isn't any word yet on exactly when it will be available. We're hoping Apple gets the update out in the next few days instead of weeks.

While Apple fixes this, I wish they would redesign iOS security to allow more options:

1. Not having a whole device passcode (or only invoke its use if another passcode is mis-entered)
2. Passcode protecting just Contacts
3. Passcode protecting just Mail
4. Passcode protecting other individual apps, even apps from 3rd parties.

I use no passcode because it’s such a huge hassle to input it every time I turn the device on, since I turn it on so frequently. I’d rather just protect some data. Having more options would allow that.

Bart B

I think you misunderstand whole disk encryption somewhat Jeff. When the OS is booted the key is in memory, and the OS can read and write the entire disk as normal. The decryption happens in very low-level IO libraries, so it’s transparent to the rest of the OS. This is why you don’t notice anything different on your Mac with full disk encryption.

When an OS is not booted it is powerless to protect itself, which is why you need full disk encryption, once the OS is booted and the key loaded the OS is in charge, and the encryption is transparent to the various high-level APIs users and apps will interact with the OS by. The USB drivers will be reading and writing via the standard file system drivers, to which the encryption is transparent.

As I understand it, the passcode lock is a separate security mechanism managed by the OS, getting past it would give the attacker access to the standard USB APIs that it is protecting, and these APIs are above the encryption, and hence can read and write as if the disk was not encrypted.

A good analogy would be that hacking SAMBA on OS X would get the attacker access to all your data, regardless of whether or not you had full disk encryption, because the SAMBA stuff sits above the low-level drivers that do the encryption and decryption as they read and write the data on behalf of the OS.
