Newstelescope : iPhone Just another Newstelescope.com weblog

Have password protection enabled on your iPhone? Turns out there’s an easy way for attackers to skip the password screen and access your contacts, browse the Web, poke through your e-mail, and even make calls. Luckily, there’s an even easier way to patch the hole.

According to Ars Technica, posters on the MacRumors forums discovered the security hole, and it’s a pretty big one.

First, for those of you who don’t password-protect your iPhones (and if you don’t, you should), here’s how it normally works: The moment you wake the iPhone, a numeric pad pops up, prompting you for a four-digit passcode—no password, no joy. There’s also an “Emergency Call” button that lets you call 911 in a pinch. (You can access the password settings under Settings, General, Passlock Code; I typically set my iPhone to require the passcoode after 15 minutes of inactivity.)

Here’s the thing, though—if you double-click the Home key while in the Emergency Call screen, the iPhone will default to your Favorites menu. From there, an attacker could access your e-mail (it’s easy—just click a contact’s email address, click “Cancel” from the new message screen, and you’re in), browse the Web (either through a contact’s URL, or through URLs found via Google Maps), and even make calls (just dial a contact’s number, then add a call—any call).

Reportedly, Apple already knows about the security hole and is working on a software patch. However, Ars Technica already has a simple solution: Just change the double-click preferences for the iPhone Home button (Settings, General, Home Button) to “iPod” (attackers can watch you videos and listen to your tunes, but that’s all), or—even better—to “Home,” which simply brings the iPhone back to the password screen.

Also, note to Apple: Would it have killed you to tell us about the security hole and the simple fix?

Related:
Passcode exploit (and fix) found for locked iPhones [Ars Technica]