Date: Thursday, March 21st, 2013, 07:32
Category: iOS, iPhone, News, security
Well, this is sort of awkward…
Remember how you JUST installed iOS 6.1.3 to get rid of a passcode bypass bug that would allow an unauthorized person to access the Phone app on a locked iPhone? Per iMore and The Next Web, a new bypass bug has been discovered.
The passcode bypass in the previous versions of iOS 6 required a series of well-timed taps and button presses. The result was full access to the Phone app on a locked device without entering the passcode. This new bug (not quite new, it seems to have existed prior to iOS 6.1.3) requires a sequence that’s a little easier to execute as can be seen in this video. For some reason, this bypass seems to to be more difficult to accomplish on newer, Siri-capable devices.
The bypass can be achieved using the iPhone’s Voice Dial feature. By holding the Home button on a device for a few seconds, the Voice Dial feature will come up. Issue a dial command such as “Dial 303-555-1212”, then as the call is being initiated, eject the SIM card. The iPhone detects the SIM has been removed, cancels the call, and displays an alert saying there is no SIM. Behind the alert you will see the Phone app and after dismissing the alert, you will have full access to the Phone app. As before this means you can access contact information as well as all photos on the device.
Initially thought to only be possible on non-Siri phones, reports are now coming in of this bypass being performed on the iPhone 4S and 5 as well, though it doesn’t seem to be as easily reproducible on these devices. Performing the bypass on these devices devices would also require Siri to be disabled and Voice Dial to be enabled.
Unlike the previous bug, this bypass can also easily be prevented by disabling Voice Dial. This can be done in the iPhone’s Settings app, under General > Passcode Lock, by turning the Voice Dial switch to off. With the way Apple has been handling these so far, it would not be surprising to see this fixed in a 6.1.4 update.
Stay tuned for additional details as they become available.