Unlock an iPhone without the passcode - harmless trick or computer crime?

Filed Under: Apple, iOS

A YouTube video showing you how to unlock an iPhone 5 without the passcode has racked up nearly 300,000 hits over the past two weeks.

There are some caveats, though:

  • You need physical access to the device.
  • You need manual dexterity or a fair bit of practice.
  • You only get access to some of the data.
  • You have to make a phoney emergency call as part of the process.

I'm not going to repeat the instructions here.

I'll just say that they're reasonably arcane: you almost turn the phone off twice during the process, as well as actually placing an emergency call but cutting it off before it goes through.

For the last reason alone, I invite you never to pull this trick, even on your own phone "to see if it works".

Deliberately dialling the emergency services when you don't need to, or, indeed, when you know your intention is not to complete the call at all, is a pretty poor show.

I'm not sure what the regulations are in your country, but there's every possibility you could get in trouble with the authorities for that part of the trick alone.

In fact, it's not really a trick. It's a crime, even without the bogus emergency call.

Not, perhaps, a terribly serious crime. But mucking around with other people's computers is behaviour we ought to stamp out of our lives.

Interestingly, the last time we wrote about this sort thing was when an MP in the New South Wales parliament live-tweeted joke comments from a colleague's iPad while the latter was giving a speech.

I suggested a zero-tolerance policy, especially from members of a legislative assembly, who ought to be setting standards, not flouting them, but not everyone was so sure.

Commenters Josh and foo suggested otherwise:

→ For the record, I would vigorously oppose any attempt to regulate whoopee cushions. Like Dr Sheldon Cooper of the Big Bang Theory, "I still maintain the whoopee cushion has comic validity."

The good news is that this unlock crime trick doesn't give full access to the phone, but apparently only to your contact list, voicemails and photos.

That's still a lot of important stuff, though.

Macworld reports that Apple told the magazine that it was "aware of this issue, and will deliver a fix in a future software update."

That beats Apple's usual tight-lipped (and still apparently official) policy.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues
until a full investigation has occurred and any necessary patches or releases are available.

So, watch out for the update, watch out for your phone, and don't let this bug make you complacent about phone lock codes overall.

It's still worth having a decent password on your iPhone, to protect all the data this bug doesn't give a miscreant access to.

To help you choose wisely, here are the Top Ten iPhone passcodes not to use:

5683, by the way, spells out L-O-V-E.

In conclusion, let the arcane nature of this trick remind you that hackers, in both the good and bad sense of the word, aren't deterred by secrecy, obscurity or complexity.

Indeed, this trick is surely making you wonder, "How did they think of that?"

Bear that in mind if you are ever called upon to design, implement or enforce security software, policies or procedures.

Image of mobile phone courtesy of Shutterstock.

, , , , ,

You might like

8 Responses to Unlock an iPhone without the passcode - harmless trick or computer crime?

  1. jeidan · 564 days ago

    Is this not the exact same 'flaw' that existed in iPhone 4. Didn't apple 'fix' this? (in iOS 4.2)

    Previously, you didn't need to type an actual emergency number in, any number would do.

    • Paul Ducklin · 564 days ago

      It's certainly a similar-sounding flaw. (I'm not sure you need the 'quote' marks - it's definitely a real flaw when a security code doesn't protect what it's supposed to.)

      As to whether it's brand new code with a new bug that simply behaves similarly, or whether it's old code that wasn't patched properly in 4.2 causing the problem to resurface, we can't say.

      We'll have to wait for Apple, because, "for the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

      • ccforthewin · 495 days ago

        I know this article is not about unlocking the carrier and shit, but I tried to unlock my 4s by using att-iphone-unlockcom, and it took them 5 weeks to do it, and after I restart my phone, it's unlocked again. Just so you folks know, be careful while picking unlocking sites.

  2. Wolf_Star · 564 days ago

    "...it's a crime..." Oooooooo! Boogah boogah boogah!

    Since when has THAT really stopped anyone from doing what they wanted?

  3. Jack Wilborn · 564 days ago

    As a retired Law Enforcement in Arizona USA it is a criminal act to call an emergency number unless you have an emergency. If you hang up is not a defense as far as the law is concerned.

    Anyway I agree that some things need a strict policy. I wonder what the two the complained about it would say when some idiot gets their phone and gets some incriminating photos? Don't think they would like it.

    Most of those people don't see the tree for the forest. Hopefully these will, in time be taken care of via social pressure not to interfere with some forms of communications. You rarely see anyone stealing mail. Hopefully our legislators will get the hint, even if the media does not. Too bad it will probably have to be legislated.

  4. guest · 564 days ago

    "Deliberately dialling the emergency services when you don't need to, or, indeed, when you know your intention is not to complete the call at all, is a pretty poor show."

    Indeed. I think you're one of few reporting on this hack actually discouraging people from trying this out. I'm seeing other stories where the author has tested it, even admitting that it took several tries to "get it right", which strikes me as highly irresponsible.

  5. Mick · 564 days ago

    Sophos posting detailed analysis of malware.

    Harmless trick or computer crime?

    • Paul Ducklin · 564 days ago

      In the malware-related articles we publish here (at least, in the ones that have been edited by me), we make an effort to ensure that any detail we provide stops short of being simply a recipe.

      In particular, we don't provide source code you can cut and paste, and even when we provide screen shots that show chunks of malware in decompiled or hexdump format, we avoid giving you data that could be turned into anything more than a minor and incomplete fragment, even if you laboriously re-typed it.

      Likewise, we grey out details such as URLs, passwords and IP numbers unless we think they are both useful and important to know for protective or preventative purposes (e.g. searching through logs or adding to blocklists).

      I did something much the same in this article, which probably gives you a good idea of how this trick works, and what sorts of key sequences you need, without actually giving you the procedure, or even enough to deduce the procedure.

      Where malware analysis is concerned, we don't have a button that says "send this malware to your friends." We don't have a link that says "download this malware but we ask you not to send it to anyone". We don't have source code you can cut and paste and turn into malware, with or without fiddling. And even our detailed analyses stop well short of giving you enough information to create replica malware from scratch.

      In short, I hold the opinion that our detailed analyses are neither "harmless trick" nor "computer crime."

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog