iOS 5 Security Issue: Making Calls Without Entering Passcode [Update: Siri Bypasses Passcode For almost Any Purpose]
(Original Story) There’s a security issue in iOS 5 on the iPhone. All you need is an iPhone 3GS, 4, or 4S running at iOS 5 and a Passcode enabled. This Passcode should prevent an unauthorized person from doing anything which could harm data or cost money. However, answering calls is enabled without entering this code, but because of a security flaw, you’re able to call back, without the Passcode.
iOS 5 introduces the new notification system which tells you right on the lock screen what you’ve missed. Here’s right where the problem is: Apple implemented a “slide to call” feature which allows you to call back any missed call on your lock screen.
If you want to reproduce the problem, you need to set a Passcode. Go from the home screen to Settings, General, Passcode. Put your iPhone to sleep and wake it up if you want to check if there’s nothing else. However, this works even if there are other notifications (like a calendar event).
Now take a second phone and call your iPhone. Let it ring once and hang up. You’ll see a new notification on your iPhone about a missed call. The possibility to call back just comes in handy, just slide the icon to the right side and you’re good to go. Your iPhone will NOT ask you for the Passcode.
Well, that’s not really intented as the following features show:
- You cannot use other functions like Messages without entering the Passcode
- Not even the new quick-camera let’s you review older images. Just taking new photos is allowed
Even Apple itself shows off that this behavoir isn’t intended. Press the Home button while your iPhone dials the number and you’re at the “standard” lock screen. The only difference is the name of your contact (or the number) where date and time usually are. If your recepient denies the call, you’ll receive the message “User Busy”. The “slide to unlock” control will turn into a “slide to call back” control. Doing so WILL ask you for your Passcode.
Your best case is that the call will simply cost your money. A little worse is when you can pretend you’re the owner of the phone. But it’s also possible to turn your iPhone into a bug this way: It will send everything the original owner says to another phone until the owner gets notice of that, the battery runs low, or the call will be dropped for another reason. However, it’s even possible that the attacker spoofs his number for a premium-rate phone number (1-900-xxx) – and the Passcode will not prevent to call back.
In fact, without a set Passcode at all, it’s even easier to do the same and even more, but it’s not the common sense of the Passcode to enable people to cause costs to the owner without knowing the Passcode.
Credits go to our German reader David who informed us about this situation.
Update: Even worse is the fact, that Siri does almost never ask for a passcode. You can have contact information read, write e-mails and even call any number just by dictating. The only time Siri asked for the passcode was when we tried to have the last e-mail displayed. At least you’re able to disable Siri at all as long as the Passcode is active.